DEV Community

Discussion on: Create API Rest with Laravel 7.X Passport Authentication And Implement Refresh Token (Part 1)

Luciano Bosco

First of all thanks for this tutorial, really helpful!
For those wondering what this line is for:
$oClient = OClient::where('password_client', 1)->first();
The Passport /oauth/token endpoint requires a client_id and client_secret, therefore that line fetches the needed information from the oauth_clients table and uses it in the request.
I'm seeing 2 issues in this tutorial:

1- You are fetching $oClient twice when you only need to do it in the getTokenAndRefreshToken() function. There is no need to fetch that record in the login() and register() functions. You should remove
$oClient = OClient::where('password_client', 1)->first();
from both login() and register(), and also remove the OClient $oClient parameter from the getTokenAndRefreshToken() function.

2- There is a lack of security: the purpose of client_id and client_secret is to provide a unique credential to 3rd-party apps. By fetching client_id and client_secret within your controller you are assuming that the 3rd-party app is authorized. Any app that knows your login endpoint could perform a brute-force attack and overload your database by attempting logins directly against the users table.
client_id and client_secret should be provided to the 3rd-party apps, and they should send those values in the request.
That said, you will have $request->client_id and $request->client_secret to be used in getTokenAndRefreshToken().
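As an added example (not code from the tutorial and not the commenter's), here is what the refactor described in this comment could look like in a Laravel 7 controller: the caller's own client_id and client_secret are validated and forwarded to Passport's /oauth/token endpoint instead of being read from the oauth_clients table, and getTokenAndRefreshToken() no longer takes an OClient parameter. Assumptions: Passport is installed and a password-grant client exists (`php artisan passport:client --password`); the controller name, route path and field names are hypothetical; the throttle middleware on the route is an added mitigation for the brute-force concern, not something the tutorial or the comment specifies.

```php
<?php
// Added example, not the tutorial's or the commenter's code.
// Assumes Laravel 7 + Passport with a password-grant client already created.
// Hypothetical route registration (routes/api.php); the throttle limit is an
// added brute-force mitigation, 10 attempts per minute per IP:
//
//   Route::post('/login', 'API\AuthController@login')->middleware('throttle:10,1');

namespace App\Http\Controllers\API;

use App\Http\Controllers\Controller;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class AuthController extends Controller
{
    public function login(Request $request): JsonResponse
    {
        // The calling app must supply its own client credentials. Nothing is
        // looked up in oauth_clients here, so Passport itself decides whether
        // the client is known; an unknown client gets invalid_client, not a token.
        $data = $request->validate([
            'email'         => 'required|email',
            'password'      => 'required|string',
            'client_id'     => 'required',
            'client_secret' => 'required|string',
        ]);

        return $this->getTokenAndRefreshToken(
            (string) $data['client_id'],
            $data['client_secret'],
            $data['email'],
            $data['password']
        );
    }

    // No OClient parameter: client_id and client_secret come from the request.
    private function getTokenAndRefreshToken(
        string $clientId,
        string $clientSecret,
        string $email,
        string $password
    ): JsonResponse {
        // Build an internal POST to Passport's token endpoint with the
        // password grant. Passport checks both the client credentials and the
        // user credentials, so no separate Auth::attempt() is needed.
        $tokenRequest = Request::create('/oauth/token', 'POST', [
            'grant_type'    => 'password',
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
            'username'      => $email,
            'password'      => $password,
            'scope'         => '*',
        ]);

        // Dispatch through the application kernel. On success the body holds
        // token_type, expires_in, access_token and refresh_token; on failure it
        // holds Passport's error (invalid_client / invalid_grant) and a 4xx status,
        // which is passed straight back so the caller cannot tell whether the
        // client or the user credentials were wrong.
        $response = app()->handle($tokenRequest);

        return response()->json(
            json_decode($response->getContent(), true),
            $response->getStatusCode()
        );
    }
}
```

The caller then POSTs email, password, client_id and client_secret to /api/login; an app that does not hold a valid client secret never reaches the users table through this endpoint, and the throttle middleware caps how fast anyone can retry.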