Most secure way to pass Laravel passport access_token from Laravel blade to React component
I'm building a chat application with ReactJS and Laravel; we are using Laravel Echo.
The API needs an access_token to be authenticated, so we need to pass the access_token to the component.

How can I do it securely?

      reactjs laravel security laravel-echo
      asked 11 hours ago
      frenchqwerty
          2 Answers
The backend should have all API keys. Assume that anything sent to the frontend can and will be copied to use elsewhere.

I strongly suggest that you use JWT (JSON Web Tokens) to handle authentication and make all such API calls on the backend on behalf of the authenticated user, ideally checking if the user has permissions to do so.

                  answered 11 hours ago
                  Sergio Moura
The access_token can be generated by Laravel Passport (LP). Since LP is just an integration of The PHP League's OAuth 2 server, JSON Web Tokens (JWT) are issued by default. These tokens are pretty safe to be stored on the client side.

If you check the documentation, you will be able to generate tokens for users without going through the normal OAuth 2 flow.

Using the browser's LocalStorage, you can then store this token for future use.

                          answered 8 hours ago
                          Caleb Lucas
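
Added example covering both answers above (keeping the token on the backend, and what storing it where page scripts can read it implies). It is not code from the question, from either answer, or from Laravel, Passport or Echo themselves. It assumes the Blade layout already renders the standard `<meta name="csrf-token">` tag, that Passport's `CreateFreshApiToken` middleware is registered in the `web` middleware group (so the browser holds Passport's encrypted, HttpOnly `laravel_token` cookie and Passport's TokenGuard authenticates same-origin XHR requests from it when the `X-CSRF-TOKEN` header matches), and that Echo runs on the Pusher broadcaster; the function names are this example's own. The security point: anything inlined into Blade (`data-token`, `window.accessToken`) or put in localStorage is readable by every script on the origin, so a single XSS hands an attacker a usable API token, whereas an HttpOnly cookie is sent by the browser but cannot be read by script, so the React component never has to receive the token at all. The last function is the check to run over rendered pages.

```javascript
// Added example, not code from the question or either answer.
// Assumptions (this example's own, not stated on the page):
//  - the Blade layout renders <meta name="csrf-token" content="{{ csrf_token() }}">,
//  - Laravel Passport's CreateFreshApiToken middleware is in the `web` middleware
//    group, so the browser already holds the encrypted, HttpOnly `laravel_token`
//    cookie and Passport authenticates same-origin JS requests from it,
//  - Laravel Echo is used with the Pusher broadcaster.
// readCsrfToken, buildEchoOptions and findTokenLeaks are names chosen here.

// Shape of a Passport access token: three base64url segments, header starts "eyJ".
const JWT_PATTERN = /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g;
const BEARER_PATTERN = /\bBearer\s+[A-Za-z0-9._~+/=-]{16,}/g;

// The only value that crosses from Blade into JavaScript is the CSRF token. It is
// already visible to every script on the page and is useless on its own: the
// browser attaches the HttpOnly cookie itself, and script cannot read it.
function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  if (!meta) throw new Error('missing <meta name="csrf-token"> in layout');
  return meta.getAttribute('content');
}

// Echo options that authenticate private/presence channel subscriptions with
// the cookie plus the CSRF header. No Authorization header is built, so there
// is no bearer token in the bundle, the DOM, localStorage or a Blade variable.
function buildEchoOptions(csrfToken, { key, cluster, authEndpoint = '/broadcasting/auth' }) {
  if (!csrfToken) throw new Error('CSRF token is required');
  return {
    broadcaster: 'pusher',
    key,
    cluster,
    forceTLS: true,
    authEndpoint,
    auth: {
      headers: {
        // Passport's TokenGuard only accepts the laravel_token cookie when this
        // header matches the CSRF value baked into the cookie.
        'X-CSRF-TOKEN': csrfToken,
        // Same header Laravel's default bootstrap.js sends on every XHR.
        'X-Requested-With': 'XMLHttpRequest',
      },
    },
  };
}

// Check: scan rendered Blade output for anything that looks like an access
// token or an inline "Bearer ..." header. Run it over the HTML your test client
// receives so a token dropped into a data-attribute or a window.accessToken
// assignment fails CI instead of shipping.
function findTokenLeaks(html) {
  const leaks = [];
  for (const m of html.matchAll(JWT_PATTERN)) leaks.push({ kind: 'jwt', value: m[0] });
  for (const m of html.matchAll(BEARER_PATTERN)) leaks.push({ kind: 'bearer', value: m[0] });
  return leaks;
}

// Constructed sample pages. The "token" is fake: header {"typ":"JWT","alg":"RS256"},
// payload {"sub":"1"}, and the word "signature" where a signature would be.
const LEAKY_PAGE = '<div id="chat" data-token="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"></div>';
const CLEAN_PAGE = '<meta name="csrf-token" content="Q8hY2v1m8lP3rT6w"><div id="chat"></div>';

// Browser usage in resources/js/bootstrap.js (not run here, Node has no DOM);
// MIX_PUSHER_APP_KEY / MIX_PUSHER_APP_CLUSTER are Laravel's default env names:
//   import Echo from 'laravel-echo';
//   window.Pusher = require('pusher-js');
//   window.Echo = new Echo(buildEchoOptions(readCsrfToken(document), {
//     key: process.env.MIX_PUSHER_APP_KEY, cluster: process.env.MIX_PUSHER_APP_CLUSTER,
//   }));

if (typeof module !== 'undefined') {
  module.exports = { readCsrfToken, buildEchoOptions, findTokenLeaks, LEAKY_PAGE, CLEAN_PAGE };
}
```

If `/broadcasting/auth` should be authenticated by Passport rather than by the session, register the broadcast routes with the API guard (`Broadcast::routes(['middleware' => ['auth:api']])`); with Laravel's default `web` group for those routes the session cookie does the same job, and in neither case does a token need to be written into the Blade template.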