Learning About Auth, ft. Laravel
Just a quick summary post about what I learned about user authentication and authorization today, especially in the context of Laravel, a popular full stack web framework.
This post was initially meant to be for my reference, but I decided to publish it; it might be helpful to developers who are considering learning Laravel, or have recently started learning it.
Just a heads up: this post assumes some knowledge of basic web dev and networking.
Auth in Laravel
There are generally a couple of ways to do auth on the internet:
- Session-based auth - storing the user's session (login state + other small data) on the server, with corresponding cookies on the client
- Token-based auth - storing the session not on the server, but with the client, in the form of JWT tokens
Now, there are a few different packages Laravel offers to abstract the tedious stuff away, and their names were very confusing to me at first. Which package does what? Which starter kit includes what? It's especially confusing for someone new to web dev like me.
So here's a quick rundown:
Sanctum and Fortify are packages that offer headless authentication scaffolding for Laravel projects. Headless, meaning they take care of almost everything except the UI, which is left to you.
The Sanctum package handles authentication of API requests via both of these types. It first checks for a session cookie (session based auth), and if none is found, checks the Authorization header of the HTTP request for a valid API token (token based auth). Nice.
Fortify builds upon Sanctum by generating API routes, controllers, and additional logic such as password reset, two-factor authentication etc.
Starter kits
Laravel's starter kits build upon the auth packages. They add authentication UI (login, register etc.) and other features to provide a solid starting point for web apps that need user accounts.
The Breeze starter kit adds UI to a basic implementation of Sanctum's authentication, along with its own implementation of user registration, password reset, etc. It's a good foundation for most B2C apps.
The Jetstream starter kit also uses Sanctum and adds UI for the auth. However, it uses the higher level Fortify for features like two-factor authentication, password reset and more. It also adds other features relevant to B2B apps.
Implementing auth in a cross-platform app
Session-based auth is pretty standard and straightforward for web apps. Mobile apps though? Apparently they're better off with token-based auth.
Since both starter kits use Sanctum under the hood, we can use Sanctum's token-based auth for API requests on mobile.
The reason for using token-based auth seems to be because mobile OSs have more secure ways (like Keychain on iOS) to store auth state compared to browsers (where it's usually stored in an HTTP cookie - not as secure). Also, managing a cookie and sessions across both web and mobile can apparently be more complex.
The result? It's easier to just go with token-based auth on mobile, for which there is are standard, fairly straightforward processes.
Still new to this
I just learned all that, so I can't guarantee what I've written is 100% correct. I plan to update this post to make any corrections if needed, and write follow-up posts as I learn more.
Learning a full stack framework is forcing me to understand some of the core mechanisms of the web. Feels like progress.