 

Without using auth middleware, how to get user id by token?

In Laravel 5.4, using oauth2/passport, I've a route that is public - so I don't use middleware auth.

This route is accessed by users logged in and not logged in.

I want to get the user id of whoever is accessing this route (if they are logged in). Without passing the user id by parameter or something like this, is it possible (just with the token)?

I can get user token by:

$access_token = $request->header('Authorization');

And it returns something like this:

"Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjlmZGIwZGM0MzgyZjI4MzNjZTJkMzk5M2M2NzBmYWZiNWE3ZTdiODhhZGE4NWY0OTBhYmI5MGFjMjExODAyNzIwYTBmYzczOTJjM2YyZTdjIn0.eyJhdWQiOiIyIiwianRpIjoiOWZkYjBkYzQzODJmMjgzM2NlMmQzOTkzYzY3MGZhZmI1YTdlN2I4OGFkYTg1ZjQ5MGFiYjkwYWMyMTE4MDI3MjBhMGZjNzM5MmMzZjJlN2MiLCJpYXQiOjE0ODc4NTU2MTYsIm5iZiI6MTQ4Nzg1NTYxNiwiZXhwIjoxNDg3OTQyMDE2LCJzdWIiOiIxIiwic2NvcGVzIjpbIioiXX0.sdHNQ_bDGtO3lGBwtmlZfkSdYkaUsYSabaY93894Fw4l3z_wU5d7xsfNj6LoK8lPXBTFAhoFf7SjtuQ0F_T6lst0ADwEmc_fLTH1dsTkHq6BdOLr3Ur6dLrbYOqihHG0FhJ6HaUtanbRBBeuK33aVUwuUkCwVkrLgxK6OYEwcq97aU1Cuy3jHOfOB88VAuJ42kwtScpXzi0Oo6zlCxyGAmBlEMWdcSBEkI4vRR-cJdaWsRVZ--671i1Gw5jOhXtN0HS_HMNSf9WWgiUDAyhe1mvlW4eZbTDfg2Al34YauJ_rpPSCw6vwnvpqp9Yvh9Vl0r1k8o_bm_2-NjiVINqdRALmaORbFGu2S9CJso5Jcio_jrWSzznIkf6Jopw9ar8Ca_Cf_KV6cmLOOx2XgWXV7WMCkSIPQXFXrtxE4hnfXEd8K5S5HLgch0hPgJPpgL91x1i73MP1gQyYoWNFCip9cDDlDvPO1zG28O12c4H4bsdy1jaaOOOv34yECfgA87RIFCbGtrzd_9QBXDse51L1IFJu8B6sotyk_4QcGcKSWzOPjI8L2_xhPIG54qk0lzqNWeVHo2UbNpBB6u2OJnszKC44BH5hneYoTbqMGK_1Uo2jR14XixvBlZydXXquuTmDVoBj2ygfjlnZ6UWJenQIO_bLEkF2iaWcgbOhJ6S197k"

I don't know how to locate user by this token.

pedrofsn asked Feb 23 '17 17:02


2 Answers

You don't need the auth middleware to be enabled. You can use auth('api')->user() to get the active user. It will be null if no token is present.

nXu answered Sep 25 '22 13:09


To get the user by the token, you need to understand what the token is.

The token is broken up into three base64 encoded parts: the header, the payload, and the signature, separated by periods. In your case, since you're just wanting to find the user, you just need the header.

To get the header, you can do something like this:

// break up the string to get just the token
$auth_header = explode(' ', $access_token);
$token = $auth_header[1];
// break up the token into its three parts
$token_parts = explode('.', $token);
$token_header = $token_parts[0];

// base64 decode to get a json string
// (JWT segments use the URL-safe alphabet, so map '-' and '_' back first)
$token_header_json = base64_decode(strtr($token_header, '-_', '+/'));
// you'll get this with the provided token:
// {"typ":"JWT","alg":"RS256","jti":"9fdb0dc4382f2833ce2d3993c670fafb5a7e7b88ada85f490abb90ac211802720a0fc7392c3f2e7c"}

// then convert the json to an array
$token_header_array = json_decode($token_header_json, true);

Once you have this, you can find the user's token in the jti key:

$user_token = $token_header_array['jti'];

And you can get the user using that:

// find the user ID from the oauth access token table
// based on the token we just got
$user_id = DB::table('oauth_access_tokens')->where('id', $user_token)->value('user_id');

// then retrieve the user from its primary key
$user = User::findOrFail($user_id);

More info on JWTs.

Samsquanch answered Sep 25 '22 13:09
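Decoding a token segment by hand, as in the answer above, only reads what the client sent; it does not show that the server issued the token or that it is still valid. An added example (not part of either answer, and not Passport's own code) that checks the RS256 signature and the expiry before any claim such as jti is used; the helper names, the key pair and both tokens are constructed for illustration.

```php
<?php
// Added example, not Passport's own code. The key pair and tokens are constructed.
function b64url_decode(string $s)
{
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4); // restore stripped padding
    return base64_decode(strtr($s, '-_', '+/'), true);
}
function b64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns the payload claims only when signature and validity window check out.
function verified_claims(?string $authorization, string $public_key_pem, int $now): ?array
{
    if ($authorization === null || !preg_match('/^Bearer\s+(\S+)$/i', $authorization, $m)) {
        return null; // anonymous request or malformed header
    }
    $parts = explode('.', $m[1]);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    $claims = json_decode((string) b64url_decode($p), true);
    $sig = b64url_decode($s);
    // Pin the algorithm: the token must not choose how it is verified.
    if (!is_array($header) || !is_array($claims) || $sig === false
        || ($header['alg'] ?? null) !== 'RS256') {
        return null;
    }
    if (openssl_verify("$h.$p", $sig, $public_key_pem, OPENSSL_ALGO_SHA256) !== 1) {
        return null; // forged or altered token
    }
    if (($claims['exp'] ?? 0) <= $now || ($claims['nbf'] ?? 0) > $now) {
        return null; // expired or not yet valid
    }
    return $claims;
}

// Constructed demo: one genuine token, one with the payload swapped after signing.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$now = time();
$h = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'RS256']));
$p = b64url_encode(json_encode(['jti' => 'constructed-id', 'sub' => '1', 'exp' => $now + 60]));
openssl_sign("$h.$p", $sig, $key, OPENSSL_ALGO_SHA256);
$forged_p = b64url_encode(json_encode(['jti' => 'constructed-id', 'sub' => '2', 'exp' => $now + 60]));
var_dump(verified_claims("Bearer $h.$p." . b64url_encode($sig), $pub, $now));        // genuine token
var_dump(verified_claims("Bearer $h.$forged_p." . b64url_encode($sig), $pub, $now)); // altered payload
```

With a non-null result, the jti claim can be used for the oauth_access_tokens lookup shown in the answer; a null result is treated as an anonymous request.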