Laravel API quickstart

[vcampitelli]

Adding Laravel API quickstart.

PS: this is a pretty long quickstart, so I tried something different and included some diffs instead of the whole files when we needed to change something that the Laravel project installer already created. Please let me know if you think that's not good and I'll include the whole files instead.

Closes FusionAuth/fusionauth-issues#2283

---

• To see the specific tasks where the Asana app for GitHub is being used, see below:
  • https://app.asana.com/0/0/1205101483756019

[vcampitelli]

@mooreds I've added our newly-published fusionauth/jwt-auth-webtoken-provider library so this is ready for another review. There's still a pending comment about passwords that I need your input.

[mooreds]

A few changes requested.

[vcampitelli]

@mooreds it seems that I didn't change the article after I started using the hosted backend 🤦 I've now rewritten some things.

[mooreds]

Hiya @vcampitelli . A few things:

• I made a few small wording changes and merged master in.
• Now that we have moved to the quickstarts page being managed by astro, please update this file with the laravel quickstart
• I know we went back and forth over how to get the token. I think what you have here is a bit confusing (you log into a page and then get an API result). But because of our move to v3 quickstarts, I'm not sure it is worth changing here.
• I don't see where you validate the JWT provided? We want to make sure people know to check the aud and iss claim, as well as verify the signature. What am I missing?

[vcampitelli]

@mooreds

I made a few small wording changes and merged master in.

Thanks! I also merged it again to update the quickstarts home page.

Now that we have moved to the quickstarts page being managed by astro, please update this file with the laravel quickstart

Done

I know we went back and forth over how to get the token. I think what you have here is a bit confusing (you log into a page and then get an API result). But because of our move to v3 quickstarts, I'm not sure it is worth changing here.

I don't get it why it is confusing. I'm logging in, grabbing the JWT from FusionAuth and passing it to the Laravel API to retrieve the messages. What should I have done differently?

I don't see where you validate the JWT provided? We want to make sure people know to check the aud and iss claim, as well as verify the signature. What am I missing?

The underlying tymon/jwt-auth library verifies the signature using JWKS. But we are not validating those claims. Do you think I should update our Laravel library to do that?

[mooreds]

I don't get it why it is confusing. I'm logging in, grabbing the JWT from FusionAuth and passing it to the Laravel API to retrieve the messages. What should I have done differently?

I think this will be okay for now, but the two ways we've done this for API quickstarts is:

• use the login api: https://fusionauth.io/docs/v1/tech/tutorials/integrate-ruby-rails-api#testing-the-api-flow to get a JWT
• use the hosted backend: https://fusionauth.io/docs/v1/tech/tutorials/integrate-dotnet-api#testing-the-api-flow and pass the JWT as a cookie that is read by the API.

You chose a third option, which is:

• create a page that uses JS to make a call that includes the cookie: https://raw.githubusercontent.com/FusionAuth/fusionauth-example-laravel-api/main/laravel/public/js/fusionauth.js

The underlying tymon/jwt-auth library verifies the signature using JWKS. But we are not validating those claims. Do you think I should update our Laravel library to do that?

Yes, we should at a minimum validate the iss and aud claims are what we expect them to be. Here's the guidance we give on validating JWTs: https://fusionauth.io/articles/tokens/building-a-secure-jwt#consuming-a-jwt

Our examples should follow it as best as we can. (I don't know any libraries that validate the typ header, though.)

[vcampitelli]

@mooreds

1. Yeah, you are right. I created it based on the .NET API quickstart, which uses this approach. The sad thing is that it's only being used to call the /me and /messages endpoints, as I'm actually using the cookies from the hosted backend. So I really mixed things up.
2. I've improved the app & docs to actually validate both aud and iss claims

[mooreds]

LGTM!

[mooreds]

@vcampitelli ship it!

🚢 🚢 🚢