Protecting Laravel APIs with Passport and Implementing RBAC

Introduction

Laravel is a powerful PHP framework that simplifies API development, and Passport provides a full OAuth2 server implementation for secure authentication. In this guide, we will explore how to protect Laravel APIs using Passport and implement RBAC to control user access based on roles and permissions.

Step 1: Installing Laravel Passport

First, install Laravel Passport via Composer:

composer require laravel/passport

After installation, run the following commands to set up Passport:

php artisan migrate
php artisan passport:install

The passport:install command generates encryption keys and access tokens required for authentication.

Next, add the HasApiTokens trait to your User model:

use Laravel\Passport\HasApiTokens;
use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;
}

Then, register Passport’s routes in AuthServiceProvider.php:

use Laravel\Passport\Passport;

public function boot()
{
    $this->registerPolicies();
    Passport::routes();
}

Finally, set the driver option in config/auth.php for API authentication:

'guards' => [
    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],

Step 2: Creating API Authentication Routes

Define authentication routes in routes/api.php:

use App\Http\Controllers\AuthController;

Route::post('/register', [AuthController::class, 'register']);
Route::post('/login', [AuthController::class, 'login']);
Route::middleware('auth:api')->get('/user', function (Request $request) {
    return $request->user();
});

Implementing Authentication in AuthController

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Auth;

class AuthController extends Controller
{
    public function register(Request $request)
    {
        $request->validate([
            'name' => 'required',
            'email' => 'required|email|unique:users',
            'password' => 'required|min:6',
        ]);

        $user = User::create([
            'name' => $request->name,
            'email' => $request->email,
            'password' => Hash::make($request->password),
        ]);

        return response()->json(['token' => $user->createToken('API Token')->accessToken]);
    }

    public function login(Request $request)
    {
        if (Auth::attempt(['email' => $request->email, 'password' => $request->password])) {
            return response()->json(['token' => Auth::user()->createToken('API Token')->accessToken]);
        }
        return response()->json(['error' => 'Unauthorized'], 401);
    }
}

Step 3: Implementing Role-Based Access Control (RBAC)

Step 3.1: Creating Migration and Models

Run the following command to create the roles and permissions tables:

php artisan make:migration create_roles_and_permissions_tables

Define the migration schema in database/migrations/{timestamp}_create_roles_and_permissions_tables.php:

Schema::create('roles', function (Blueprint $table) {
    $table->id();
    $table->string('name');
    $table->timestamps();
});

Schema::create('role_user', function (Blueprint $table) {
    $table->id();
    $table->foreignId('user_id')->constrained()->onDelete('cascade');
    $table->foreignId('role_id')->constrained()->onDelete('cascade');
    $table->timestamps();
});

Run the migration:

php artisan migrate

Step 3.2: Defining Role Relationships in Models

Role Model

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class Role extends Model
{
    protected $fillable = ['name'];

    public function users()
    {
        return $this->belongsToMany(User::class);
    }
}

User Model

class User extends Authenticatable
{
    public function roles()
    {
        return $this->belongsToMany(Role::class);
    }

    public function hasRole($role)
    {
        return $this->roles()->where('name', $role)->exists();
    }
}

Step 3.3: Middleware for Role Authorization

Create a middleware to check user roles:

php artisan make:middleware RoleMiddleware

Edit RoleMiddleware.php:

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class RoleMiddleware
{
    public function handle(Request $request, Closure $next, $role)
    {
        if (!Auth::user() || !Auth::user()->hasRole($role)) {
            return response()->json(['error' => 'Forbidden'], 403);
        }
        return $next($request);
    }
}

Register the middleware in Kernel.php:

protected $routeMiddleware = [
    'role' => \App\Http\Middleware\RoleMiddleware::class,
];

Step 3.4: Protecting API Routes

Modify routes/api.php to include RBAC:

Route::middleware(['auth:api', 'role:admin'])->group(function () {
    Route::apiResource('/cars', CarController::class);
});

Conclusion

Securing Laravel APIs with Passport ensures authenticated access, and implementing RBAC provides fine-grained control over user actions. By following this guide, you can effectively authenticate users and manage roles, enhancing the security of your Laravel applications.

For professional Laravel development and security solutions, check out Techliphant. Our experts can help you implement robust authentication and role-based access control in your Laravel projects, ensuring top-notch security and performance.

References

• Laravel Passport Documentation
• OAuth2 Authentication