Implement an Auth guard for FusionAuth JWTs in Laravel.
It ships with also a middleware to check against the user role.
You can install the package via composer:
composer require danilopolani/laravel-fusionauth-jwt
Then publish its config file:
php artisan vendor:publish --tag=fusionauth-jwt-config
There are a few notable configuration options for the package.
Key | Type | Description |
---|---|---|
domain |
String | Your FusionAuth domain, e.g. auth.myapp.com or sandbox.fusionauth.io . |
client_id |
String | The Client ID of the current application. |
client_secret |
String | The Client Secret of the current application. |
issuers |
Array | A list of authorized issuers for the incoming JWT. |
audience |
String | Null | The ID/Name of the authorized audience. If null, the Client ID will be used. |
supported_algs |
Array | The supported algorithms of the JWT. Supported: RS256 and HS256 . |
default_role |
String | Null | The default role to be checked if you're using the CheckRole middleware. |
To start protecting your APIs you need to add the Guard and the Auth Provider to your config/auth.php
configuration file:
'guards' => [
// ...
'fusionauth' => [
'driver' => 'fusionauth',
'provider' => 'fusionauth',
],
],
'providers' => [
// ...
'fusionauth' => [
'driver' => 'fusionauth',
],
],
Then you can use the auth:fusionauth
guard to protect your endpoints; you can apply it to a group or a single route:
// app\Http\Kernel.php
protected $middlewareGroups = [
'api' => [
'auth:fusionauth',
// ...
],
];
// or routes/api.php
Route::get('users', [UserController::class, 'index'])
->middleware('auth:fusionauth');
Now requests for those endpoints will check if the given JWT (given as Bearer token) is valid.
To retrieve the current logged in user - or to check if it's logged in - you can use the usual Auth
facade methods, specifying the fusionauth
guard:
Auth::guard('fusionauth')->check();
/** @var \DaniloPolani\FusionAuthJwt\FusionAuthJwtUser $user */
$user = Auth::guard('fusionauth')->user();
The package ships with a handy middleware to check for user role (stored in the roles
key).
You can apply it on a middleware group inside the Kernel.php
or to specific routes:
// app\Http\Kernel.php
protected $middlewareGroups = [
'api' => [
'auth:fusionauth',
\DaniloPolani\FusionAuthJwt\Http\Middleware\CheckRole::class,
// ...
],
];
// or routes/api.php
Route::get('users', [UserController::class, 'index'])
->middleware(['auth:fusionauth', 'fusionauth.role']);
By default the middleware will check that the current user has the default_role
specified in the configuration file, but you can use as well a specific role, different from the default:
// routes/api.php
Route::get('users', [UserController::class, 'index'])
->middleware(['auth:fusionauth', 'fusionauth.role:admin']);
For more complex cases we suggest you to take a look on how the CheckRole
middleware is written (using the RoleManager
class) and write your own.
When you need to test your endpoints in Laravel, you can take advantage of the actingAs
method to set the current logged in user.
You can pass any property you want to the FusionAuthJwtUser
class, like email
, user
etc. Take a look at this example where we specify the user roles:
use DaniloPolani\FusionAuthJwt\FusionAuthJwtUser;
$this
->actingAs(
new FusionAuthJwtUser([
'roles' => ['user', 'admin'],
]),
'fusionauth',
)
->get('/api/users')
->assertOk();
If you need to set the authenticated user outside HTTP testing (therefore you can't use actingAs()
), you can use the setUser()
method of the Auth
facade:
use DaniloPolani\FusionAuthJwt\FusionAuthJwtUser;
use Illuminate\Support\Facades\Auth;
Auth::guard('fusionauth')->setUser(
new FusionAuthJwtUser([
'roles' => ['user', 'admin'],
])
);
Please see CHANGELOG for more information what has changed recently.
Please see CONTRIBUTING for details.
If you discover any security related issues, please email [email protected] instead of using the issue tracker.
The MIT License (MIT). Please see License File for more information.
This package was generated using the Laravel Package Boilerplate.