First of all thanks for this tutorial, really helpful!
For those wondering what this line is for: $oClient = OClient::where('password_client', 1)->first();
The Passport /oauth/token endpoint requires a client_id and client_secret, therefore that line fetches the needed information from the oauth_clients table and uses it in the request.
I'm seeing 2 issues in this tutorial:
1- You are fetching $oClient twice while you can do it just once in the getTokenAndRefreshToken() function. There is no need to fetch that record in the login() and register() functions. You should remove
$oClient = OClient::where('password_client', 1)->first(); from both login() and register() and also remove the OClient $oClient parameter from the getTokenAndRefreshToken() function.
2- There is a lack of security: the purpose of client_id and client_secret is to provide a unique credential to 3rd party apps. By fetching client_id and client_secret within your controller you are assuming that the 3rd party app is authorized. Any app which knows your login endpoint could perform a brute force attack and overload your database trying to attempt a login directly against the users table. client_id and client_secret should be provided to the 3rd party apps and they should send those values via the request.
That said, you will have $request->client_id and $request->client_secret to be used in getTokenAndRefreshToken()
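As an added illustration of the second point (this is example code, not the tutorial's code and not the commenter's), here is a Laravel controller in which getTokenAndRefreshToken() takes client_id and client_secret from the incoming request instead of looking them up in oauth_clients, so Passport's /oauth/token endpoint is the one that decides whether the calling client is authorized. The class name AuthController, the field names, and the internal-request pattern (Request::create() handled by app()->handle()) are assumptions for this example; it assumes Laravel with Passport's password grant enabled.

```php
<?php
// Added example (not the tutorial's code): password-grant login that forwards
// the caller's own client_id/client_secret to Passport instead of fetching a
// client row from oauth_clients inside the controller.
// Assumes Laravel + Passport with the password grant client enabled.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class AuthController extends Controller
{
    public function login(Request $request): JsonResponse
    {
        // The client must present its own credentials; a caller that does not
        // know them never reaches the user lookup in the users table.
        $request->validate([
            'email'         => 'required|email',
            'password'      => 'required|string',
            'client_id'     => 'required|string',
            'client_secret' => 'required|string',
        ]);

        return $this->getTokenAndRefreshToken($request);
    }

    // No OClient $oClient parameter: nothing is read from oauth_clients here.
    // Passport's token endpoint verifies the client_id/client_secret pair.
    protected function getTokenAndRefreshToken(Request $request): JsonResponse
    {
        $tokenRequest = Request::create('/oauth/token', 'POST', [
            'grant_type'    => 'password',
            'client_id'     => $request->input('client_id'),
            'client_secret' => $request->input('client_secret'),
            'username'      => $request->input('email'),
            'password'      => $request->input('password'),
            'scope'         => '',
        ]);

        $response = app()->handle($tokenRequest);

        if ($response->getStatusCode() !== 200) {
            // Passport answers invalid_client for a bad client pair and
            // invalid_grant for bad user credentials; return one generic
            // message so the caller cannot tell which part failed.
            return response()->json(['message' => 'Unauthorized'], 401);
        }

        // Body contains access_token, refresh_token and expires_in.
        return response()->json(json_decode($response->getContent(), true), 200);
    }
}
```

To limit the brute-force concern raised above, the route that points at this login() can additionally be wrapped in Laravel's throttle middleware (for example `Route::post('/login', [AuthController::class, 'login'])->middleware('throttle:10,1');`), so repeated attempts from one source are rejected before any database work happens.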