Authentication with JWT Laravel 5 without password

All we need is an easy explanation of the problem, so here it is.

I’m trying to learn Laravel and my goal is to be able to build a RESTful API (no use of views or blade, only JSON results. Later, an AngularJS web app and a Cordova hybrid mobile app will consume this api.

After some research, I’m inclining to choose JWT-Auth library for completely stateless benefit. My problem is: I have 2 main types of users: customers and moderators. Customers are not required to have a password. I need to be able to generate a token for access with the provided email only. If that email exists in the database and it belongs to a customer, it will generate and return the token.
If it exists and belongs to a moderator, it will return false so the interface can request a password. If the email doesn’t exist, it throws an invalid parameter error.

I read the docs here and it says it’s possible to use Custom Claims. But the docs doesn’t explain what are claims and what it means the array being passed as custom claims. I’d like some input on how to go about achieving what I explain above.

    <?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

use App\Http\Requests;
use App\Http\Controllers\Controller;
use JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;


class AuthenticateController extends Controller
{

    public function authenticate(Request $request)
    {
        $credentials = $request->only('email', 'password');

        try {
            // verify the credentials and create a token for the user
            if (! $token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'invalid_credentials'], 401);
            }
        } catch (JWTException $e) {
            // something went wrong
            return response()->json(['error' => 'could_not_create_token'], 500);
        }

        // if no errors are encountered we can return a JWT
        return response()->json(compact('token'));
    }
}

Thanks you.

Update

Bounty’s code

public function authenticate(Request $request) { 
    $email = $request->input('email');
    $user = User::where('email', '=', $email)->first();
    try { 
        // verify the credentials and create a token for the user
        if (! $token = JWTAuth::fromUser($user)) { 
            return response()->json(['error' => 'invalid_credentials'], 401);
        } 
    } catch (JWTException $e) { 
        // something went wrong 
        return response()->json(['error' => 'could_not_create_token'], 500); 
    } 
    // if no errors are encountered we can return a JWT 
    return response()->json(compact('token')); 
}

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

try with this:

$user=User::where('email','=','[email protected]')->first();

if (!$userToken=JWTAuth::fromUser($user)) {
            return response()->json(['error' => 'invalid_credentials'], 401);
        }

return response()->json(compact('userToken'));

it works for me, hope can help

Method 2

Generating token for the customers (without password) can be achieved through

$user = \App\Modules\User\Models\UserModel::whereEmail('[email protected]')->first();
$userToken=JWTAuth::fromUser($user);

Here $userToken
will stores the token after existence check of email in the table configured in UserModel file.

I have assumed that you stores both customer and moderators in the same table, there must be some flag to discriminate among them. Assume the flag is user_type

$token = null;
$user = \App\Modules\User\Models\UserModel::whereEmail('[email protected]')->first();
if($user['user_type'] == 'customer'){
   $credentials = $request->only('email');
   $token =JWTAuth::fromUser($user);
}else if($user['user_type'] == 'moderator'){
   $credentials = $request->only('email','password');
   $token = JWTAuth::attempt($credentials);
}else{
   //No such user exists

}
return $token;

As far as custom claims are concerned these are custom defined payloads which can be attached to token string.

For example, JWTAuth::attempt($credentials,['role'=>1]); Will attempt to add role object to token payload.
Once you decode the token string through JWT Facade JWTAuth::parseToken()->getPayload(); you in turn get all payloads defined in required_claims under config/jwt.php with additional role payload.

Refer https://github.com/tymondesigns/jwt-auth/wiki/Creating-Tokens#creating-a-token-based-on-anything-you-like
Let me know in case you requires anything else.

Method 3

Rather than making a different login strategy for customers and moderators, you can add token authentication to both user type. this will makes your life easier and prepare for scalability.
In your api, you can just restrict moderator users to not have access to the api by sending

<?php
Response::json('error'=>'method not allowed')

Apart from this suggestion, I believe @Alimnjan code should work.

Method 4

If you don’t already have an App\User object, get it with something like

$user = App\User::find(1);

Generate the token using the fromUser() method of JWTAuth

$token = \JWTAuth::fromUser($user)

The above doesn’t authenticate the user, it only generates a JWT token. If you need to authenticate the user, then you have to add something like this

\JWTAuth::setToken($token)->toUser();

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply