Auth safety

[EnelKyss]

Hey, I think using token based auth isnt the best practice for frontend. The safer option here is session based auth. Would be great if you could add a possibility to chose between those two... Token based auth is more for server to server communications

[k2so-dev]

Hi. This is a very reasonable idea. The ability to select authorization during installation would really make the project more versatile. I agree that in some scenarios, session-based authorization is safer than token-based.

At the moment, the choice in favor of Token-Based is due to the simplicity and speed of working with the API. For simple sites, this is a completely safe option, since the token is installed manually in the header via JS, which eliminates the possibility of CSRF attacks via <form> or <img>, and does not require additional protection via CSRF-TOKEN.

[EnelKyss]

Yeah of course CSRF is aight, but it is vulnerable to XSS.

[k2so-dev]

OK, I’ll add this functionality in the next couple of weeks.

[mubaidr]

Is there any reason not to use https://nuxt.com/modules/nuxt-auth-sanctum?

[k2so-dev]

@mubaidr The module you suggested is very good for SPA mode, maybe I would integrate it in the future. But for now the reason is local proxying of api requests to laravel, which are needed in ssr mode. Unfortunately, this module only supports external api url, as a result of which at the moment there are problems with the reliability of determining the client's IP address.

[EnelKyss]

I am actually struggling making it session based auth, could you suggest what to change or where might be the issue? All post requests are invalid eventhough i am sending there the xsrf and cookies...

[k2so-dev]

There are a few things you can do:

1. In the .env file, change AUTH_GUARD to web
2. Move the routes from routes/api.php to routes/web.php.
3. In the bootstrap/app.php file, add to the parameter in the withRouting function:

web: __DIR__.'/../routes/web.php',

4. In the database, in the roles table, change the values ​​of the guard_name field to web.

[EnelKyss]

the issue now is that when trying to load users data using its session/cookies in ssr, it wont proceed. like the session was missing or something I have no idea. but if I do the same request from on client side, it works... How to fix this?
** edit
I want to be able to fetch users data / maybe some other data as well during ssr as the response time in ssr is much faster than on client side