A Laravel 5.8 API Boilerplate to create a ready-to-use REST API in seconds.

In the documentation api.auth is used as middleware, but in the routes/api.php file jwt.auth is written, which one is the correct one to use?

Creating a token goes perfect, but when I try to get the '/protected' route in routes/api.php I get the following errors.

When my route middleware is

$api->group(['middleware' => 'jwt.auth'], function(Router $api) {

// token_invalid

When my route middleware is api.auth

$api->group(['middleware' => 'api.auth'], function(Router $api) {

// Token Signature could not be verified.

I'm trying to refresh the token from React, using the (get) /api/refresh route but it's giving me the following error

{"error":{"message":"Token has expired","status_code":401}}

I am sending the current (expired) token using

{headers: {'Authorization': Bearer ${token}}}

Any idea what's happening here?

Hi @francescomalatesta,

I've migrated this boilerplate to my Laravel Forge environment (via git). First I needed to manually add the following folders to mitigate the first problems:

• ./bootstrap/cache
• ./storage/framework/cache (excluded services.php file)

The api routes seem to be functioning.

The only resulting error when visiting the app root welcome url is:

InvalidArgumentException in Compiler.php line 36:
Please provide a valid cache path.

Any clue how to fix this?

I've used the environment included below (masked some sensitive info with <...>):

APP_URL=<...>
APP_KEY=base64:<...>
APP_LOCALE=nl
APP_ENV=production
# APP_ENV=local
APP_DEBUG=true

DB_USERNAME=<...>
DB_PASSWORD=<...>
DB_DATABASE=<...>

CACHE_DRIVER=file
SESSION_DRIVER=file
QUEUE_DRIVER=sync

# MAIL_DRIVER=mailgun
# MAILGUN_DOMAIN=<...>
# MAILGUN_SECRET=<...>

API_PREFIX=api
API_VERSION=v1
API_STRICT=false
API_DEBUG=false

API_SIGNUP_TOKEN_RELEASE=true
API_RESET_TOKEN_RELEASE=true
[email protected]

Project contains composer.lock file and after execute composer install I have following errors:

 Problem 1
    - Installation request for doctrine/annotations v1.5.0 -> satisfiable by doctrine/annotations[v1.5.0].
    - doctrine/annotations v1.5.0 requires php ^7.1 -> your PHP version (7.0.22) does not satisfy that requirement.
  Problem 2
    - Installation request for doctrine/instantiator 1.1.0 -> satisfiable by doctrine/instantiator[1.1.0].
    - doctrine/instantiator 1.1.0 requires php ^7.1 -> your PHP version (7.0.22) does not satisfy that requirement.
  Problem 3
    - doctrine/annotations v1.5.0 requires php ^7.1 -> your PHP version (7.0.22) does not satisfy that requirement.
    - dingo/blueprint v0.2.3 requires doctrine/annotations ~1.2 -> satisfiable by doctrine/annotations[v1.5.0].
    - Installation request for dingo/blueprint v0.2.3 -> satisfiable by dingo/blueprint[v0.2.3].

but minimal version of php in composer.json is 7.0.0.

I found out that here

$api->group(['middleware' => 'jwt.auth'], function(Router $api){

    $api->get('protected', function() {

            return response()->json([
                'message' => 'Access to this item is only for authenticated user. Provide a token in your request!'
            ]);
        });
        $api->get('refresh', [
            'middleware' => 'jwt.refresh',
            function() {
                return response()->json([
                    'message' => 'By accessing this endpoint, you can refresh your access token at each request. Check out this response headers!'
                ]);
            }
        ]);
});

jwt.refresh middleware is inside jwt.auth middleware, so when I try to refresh expired key I'm getting "token_expired" response, I think that refresh route have to be outside jwt.auth middleware group.

How do I change my credentials? For example, currently it considers email and password, I would like to switch to login and password, how do I do this?

I've added CORS in the relevant places:

Kernal.php

`protected $routeMiddleware = [ 'auth' => \Illuminate\Auth\Middleware\Authenticate::class, 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class, 'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class, 'can' => \Illuminate\Auth\Middleware\Authorize::class, 'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class, 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class, 'cors' => \Barryvdh\Cors\HandleCors::class, // HERE

    'jwt.auth' => GetUserFromToken::class,
    'jwt.refresh' => RefreshToken::class,
];`

And routes/api.php

$api->version('v1', ['middleware' => 'cors'], function (Router $api) {

And I've configured cors to only allow from http://google.com (as a test, to make sure it works)

config/cors.php

'supportsCredentials' => false, 'allowedOrigins' => ['http://google.com'], 'allowedHeaders' => ['*'], 'allowedMethods' => ['*'], 'exposedHeaders' => [], 'maxAge' => 0, 'hosts' => [],

However it's not throwing an error when making requests, like i'd expect it too.

Am I missing something here?

Hi, I'm building an api to authenticate my users through my mobile application The login controller return me the correct token.

<?php

namespace App\Api\V1\Controllers;

use Symfony\Component\HttpKernel\Exception\HttpException;
use Tymon\JWTAuth\JWTAuth;
use App\Http\Controllers\Controller;
use App\Api\V1\Requests\LoginRequest;
use Tymon\JWTAuth\Exceptions\JWTException;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class LoginController extends Controller
{
    public function login(LoginRequest $request, JWTAuth $JWTAuth)
    {
        $credentials = $request->only(['username', 'password']);

        try {
            $token = $JWTAuth->attempt($credentials);

            if(!$token) {
                throw new AccessDeniedHttpException();
            }

        } catch (JWTException $e) {
            throw new HttpException(500);
        }

        return response()
            ->json([
                'status' => 'ok',
                'token' => $token
            ]);
    }
}

Postman result

{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6Imh0dHBzOlwvXC9iZXRhZmlsZS5vcmdcL2dpcHNcL3B1YmxpY1wvYXBpXC9hdXRoXC9sb2dpbiIsImlhdCI6MTQ5Mjc4MDI2NiwiZXhwIjoxNDkyNzgzODY2LCJuYmYiOjE0OTI3ODAyNjYsImp0aSI6InZHWkxaNHNqRUlqYW05WTMifQ.g8_-qHsVVvCEj9_BoqDCKJ9QHvm-yqWALsXmxeMK_3c"
}

Now when I tried to get the current user by token I get the signature error User controller

<?php

namespace App\Api\V1\Controllers;

use JWTAuth;
use App\Record;
use App\Http\Requests;
use Illuminate\Http\Request;
use Dingo\Api\Routing\Helpers;
use App\Http\Controllers\Controller;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

class RecordController extends Controller
{
    use Helpers;

    public function store(Request $request) {
    	//$record = new Record;
    	//return $this->currentUser();
    	$currentUser = JWTAuth::parseToken()->authenticate();
    	return $currentUser;

    }

    private function currentUser() {
    	return JWTAuth::parseToken()->authenticate();
    }
}

Postman result
{
  "error": {
    "message": "Token Signature could not be verified.",
    "status_code": 500
  }
}

I already try by pass the token by url domain.com/api/auth?token=token_key and by header Authorization Bearer token_key

Also I have the jwt secret inside config/jwt.php 'secret' => env('jwt_secret') and inside .env JWT_SECRET=jwt_secret

Any tip to help to solve this issue?

Thanks

POST on /auth/recovery returns:

REQUEST:

POST /auth/recovery HTTP/1.1
Content-Type: application/json
Host: api.dev
Connection: close
User-Agent: Paw/2.3.1 (Macintosh; OS X/10.12.1) GCDHTTPRequest
Content-Length: 35

{"email":"[email protected]"}

RESPONSE:

{
  "message": "Expected response code 250 but got code \"530\", with message \"530 5.7.1 Authentication required\r\n\"",
  "code": 530,
  "status_code": 500
}

I'm doing something wrong?

@francescomalatesta Hi! Thank you for sharing your project with us!

I created an application in AngularJS and I'm trying to make calls to the Laravel API: MyApp (AngularJS): http://localhost:8080/ API (Laravel Boilerplate): http://localhost:8000/

But I get this error in the browser console:

XMLHttpRequest cannot load http://localhost:8000/api/auth/login. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.

I tried to apply the cors middleware (barryvdh/laravel-cors) in api_routes.php but the error remains. I am using the Angle Satellizer to login.

api_routes.php:

<?php

$api = app('Dingo\Api\Routing\Router');

$api->version('v1', ['middleware' => 'cors'], function ($api) {

    $api->post('auth/login', 'App\Api\V1\Controllers\AuthController@login');
    $api->post('auth/signup', 'App\Api\V1\Controllers\AuthController@signup');
    $api->post('auth/recovery', 'App\Api\V1\Controllers\AuthController@recovery');
    $api->post('auth/reset', 'App\Api\V1\Controllers\AuthController@reset');

    // example of protected route
    $api->get('protected', ['middleware' => ['api.auth'], function () {     
        return \App\User::all();
    }]);

    // example of free route
    $api->get('free', function() {
        return \App\User::all();
    });

});

My config/cors.php:

return [
    'supportsCredentials' => false,
    'allowedOrigins' => ['*'],
    'allowedHeaders' => ['*'],
    'allowedMethods' => ['*'],
    'exposedHeaders' => [],
    'maxAge' => 0,
    'hosts' => [],
];

Error:

i am geting two responses when signing up a 200 response and a 201 response the 200 is {status: "ok"} and the 201 is {status: "ok", token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjMsI…YzIn0.Kr1UZwp1P1Z84JlQThrb_ewot5kvBTXxWDkNd0cXfad"}

Would be cool to have a OpenAPI integration. Like the one here that I made yesterday: https://crocodile2u.github.io/blog/2020/03/13/laravel-api-boilerplate-jwt-openapi

Hi everyone....

I am facing the an issue when I am trying to do a password reset. I am passing the required parameters in postman body. Upon tracing, I have found that when API is called in response it gets password.passwords instead of getting password.reset. and at the end hits throw new HttpException(500); . I am following all the steps but it seems that something is missing would really appreciate any help on this one.. .