laravel / airlock – легковесная система аутентификации для SPA и простых API

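use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

/*
 * Token endpoint: exchanges an email/password pair for an API token that is
 * labelled with the caller-supplied device name.
 *
 * NOTE(review): no throttling is visible on this route. Unless a throttle
 * middleware is applied where the route file is registered, password
 * guessing against this endpoint is not rate limited.
 */
Route::post('/airlock/token', function (Request $request) {
    // Reject the request early when any of the three fields is missing or
    // the email is malformed.
    $request->validate([
        'email' => 'required|email',
        'password' => 'required',
        'device_name' => 'required'
    ]);

    $user = User::where('email', $request->email)->first();

    // The same message is returned for an unknown email and for a wrong
    // password, so the response body does not reveal which accounts exist.
    // NOTE(review): Hash::check() is skipped when no user is found, so the
    // response time can still differ between the two cases.
    if (! $user || ! Hash::check($request->password, $user->password)) {
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }

    // The plain-text token is handed to the client in the response body.
    // NOTE(review): the package is understood to persist only a hash of the
    // token, which would make this the only time the plain value is
    // available; confirm against the package version in use.
    return $user->createToken($request->device_name)->plainTextToken;
});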

https://github.com/laravel/airlock

Защищаемся от XSRF (CSRF) на PHP

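// Signs the login cookie so that a client cannot change the `user` cookie
// without invalidating the `token` cookie.
//
// NOTE(review): this is cookie integrity, not a CSRF defence on its own.
// Browsers attach cookies to cross-site requests automatically, so
// state-changing requests additionally need a per-session token sent in the
// form body or a request header and compared on the server, and/or SameSite
// cookies.

// The signing key must be a server-side secret. A key derived from the date
// lets anyone who knows a username compute a valid token.
// AUTH_TOKEN_SECRET is a placeholder name: load a long random value from
// whatever server-side configuration the application already uses.
$secretkey = getenv('AUTH_TOKEN_SECRET');
if (!is_string($secretkey) || $secretkey === '') {
    // Fail closed rather than sign with an empty key.
    die();
}

// The date stays in the signed message so a token stops validating when the
// server date changes, as it did before.
$today = date("m.d.y");

// Mark the cookie Secure when the request arrived over HTTPS.
$secureOnly = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// --- Issuing (presumably runs in the login handler, where $username is set) ---
// Setting the cookie again replaces any previous value, so no separate
// expiring Set-Cookie header is sent first. HttpOnly keeps the token away
// from page scripts. On PHP 7.3+ the options-array form of setcookie() can
// add a SameSite attribute as well.
setcookie("token", hash_hmac('sha256', $username . '|' . $today, $secretkey), time() + 12200, "", "", $secureOnly, true);

// --- Verification (every protected request) ---
// Cookie values come from the client and may be missing or arrays.
// NOTE(review): the `user` cookie is read here but is not set anywhere in
// this snippet; presumably it is set at login alongside the token.
$cookieToken = $_COOKIE['token'] ?? null;
$cookieUser = $_COOKIE['user'] ?? null;

if (!is_string($cookieToken)) {
    // No token: stop without rendering anything.
    die();
}

// hash_equals() compares in constant time, so the comparison does not leak
// how many leading characters of a guessed token were correct.
if (
    !is_string($cookieUser)
    || !hash_equals(hash_hmac('sha256', $cookieUser . '|' . $today, $secretkey), $cookieToken)
) {
    // Invalid or tampered cookies: clear both and send the user to login.
    setcookie("user", "", time() - 3600);
    setcookie("token", "", time() - 3600);
    show_login("Please Login");
    die();
}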