Access files in storage folder only through Auth Middleware and Token based authentication

I have the following folder in my Laravel website.

/storage/Asset/Media

This folder can have info like below

/storage/Asset/Media/1/abc.png

/storage/Asset/Media/2/abc.png

Here 1 or 2 are the folder names.

I have the following code to secure the folder so that nobody can access it without authentication:

Route::group(['middleware' => ['web', 'auth']], function () {
    Route::get('/storage/Asset/Media/{ID}/{eded}', array(
        'as' => 'Files',
        'uses' => 'User\Account\Media\MediaController@DownloadMedia',
    ));
});

So in this way nobody can access the files unless the user's session is still valid in a browser.

The issue is on Android: there nobody can access the files at all, due to the Auth middleware.

Can somebody suggest an approach such that the files can be downloaded via token-based authentication (through Android) and also using the Auth controller (through the website)?

Pankaj asked May 22 '16 08:05

1 Answer

You don't need to use any other config in routes.php; everything will work just fine if you follow this guide:

The easiest solution would be to create a column named api_token in the users table. Then, when trying to access a resource from an Android device, just add ?api_token=<token> to your URL, where <token> is the api_token column in your users table.

For example: domain.com/storage/Asset/Media/1/2?api_token=123hello4secret

The system will try to search for a user record with api_token == 123hello4secret, so just put that 123hello4secret into your user's api_token field.


If you wonder why you should use api_token as the column name, the answer is here: https://github.com/laravel/framework/blob/2a38acf7ee2882d831a3b9a1361a710e70ffa31e/src/Illuminate/Auth/TokenGuard.php#L45. Laravel will try to authorize you using api_token if it is found in the request fields.


Also, you can use HTTP headers to authorize with the token.
Header example:

Authorization: Bearer 123hello4secret
Giedrius Kiršys answered Oct 11 '22 00:10
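Putting the answer together for Laravel 5.2, as an added example that is neither the asker's nor the answerer's code: one controller action served under the session guard for the website and under the default token guard (auth:api) for Android, plus the api_token column the guard looks up. The /api URL prefix, route names, the {file} parameter and its pattern, the migration line and the controller body are assumptions; the token is read from ?api_token= or from an Authorization: Bearer header, as the answer describes.

```php
<?php
// --- app/Http/routes.php (assumed layout) ---
// Both groups point at the same action. The 'api' guard (driver 'token' in
// config/auth.php) authenticates by matching users.api_token against
// ?api_token=<token> or "Authorization: Bearer <token>"; the 'web' group
// keeps the existing session-based login for the browser.

Route::group(['middleware' => ['web', 'auth']], function () {
    Route::get('/storage/Asset/Media/{ID}/{file}', [
        'as'   => 'Files',
        'uses' => 'User\Account\Media\MediaController@DownloadMedia',
    ])->where(['ID' => '[0-9]+', 'file' => '[A-Za-z0-9._-]+']);
});

Route::group(['middleware' => ['api', 'auth:api']], function () {
    Route::get('/api/storage/Asset/Media/{ID}/{file}', [
        'as'   => 'ApiFiles',
        'uses' => 'User\Account\Media\MediaController@DownloadMedia',
    ])->where(['ID' => '[0-9]+', 'file' => '[A-Za-z0-9._-]+']);
});

// --- migration (assumed): the column TokenGuard queries ---
//   $table->string('api_token', 60)->unique()->nullable();
// Issue a token per user once, e.g. in a controller or artisan command:
//   $user->api_token = str_random(60); $user->save();

// --- app/Http/Controllers/User/Account/Media/MediaController.php (assumed) ---
// Namespace and use statements omitted so the file sections fit one listing.
class MediaController extends Controller
{
    public function DownloadMedia($ID, $file)
    {
        // Resolve the per-ID folder and the requested file to real paths and
        // refuse anything that does not stay inside that folder, so a crafted
        // {file} value cannot reach other files under storage/.
        $base = realpath(storage_path('Asset/Media/' . $ID));
        $path = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $file);
        if ($path === false || !is_file($path)
            || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
            abort(404);
        }
        // Auth::user() is the session user on the web route and the token's
        // owner on the API route; an ownership check of $ID belongs here.
        return response()->download($path, $file);
    }
}
```

The hard-coded token in the answer is only for illustration; a per-user random value such as the str_random(60) shown above should be issued instead, and the api_token column should be treated like a password.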