-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Service keys for read-only API routes #1625
Comments
Any plan to adopt laravel sanctum ? With that package, you won't even need to deal with X-API-KEY anymore. For the frontend, axios can automatically handle the session cookie and CSRF token as long as axios in request.js is properly configured. If an external app, i.e. ACARS software, wants to access the api, sanctum can automatically generate personal access token and the external app will be authenticated as a long as the requests have a valid Bearer token in the header. And finally you can setup the permissions for API route like this |
Yes, it's a possibility, if I can migrate existing keys easily. I have to look into it in some more detail |
I tried sanctum to see how it works. The only problem is to migrate the existing keys and for that I don't have any good solutions. Sanctum keys are hashed and stored in a separate table which makes them fairly interchangeable with our existing keys. If this is what we adopt I fear it will be a breaking change. The token that is passed in the header is only accessible when you generate it, after that we can't do anything except delete the token and make another one. |
Has there been consideration for Passport instead of Sanctum? The key different would be OAuth. That being said, it may be used by a handful of orgs. Not too many people will roll a setup that requires phpVMS to be the center of multiple authenticated applications. |
The issue with OAuth is that it's heavier and more complex than the current system/sanctum. From my point of view, it introduces a lot more complexity without necessarily providing more useful features. Additionally, we face the same problem as with Sanctum, where we are unable to migrate our current system to Passport/Sanctum without having to change all the keys for everyone (which is a bit inconvenient). |
Instead of having to use a pilot's personal API token, provide the ability for the admin to generate service keys, which can then be checked by middleware on the read-only API routes
The text was updated successfully, but these errors were encountered: