|
1 | 1 | <?php |
2 | 2 |
|
3 | 3 | return [ |
4 | | - 'auth' => [ |
5 | | - 'enabled' => true |
| 4 | + /* |
| 5 | + |-------------------------------------------------------------------------- |
| 6 | + | FlightDeck Authorization |
| 7 | + |-------------------------------------------------------------------------- |
| 8 | + | |
| 9 | + | Enabling authorization (not to be confused with authentication), allows |
| 10 | + | your API to control who can access your API without the need of |
| 11 | + | using a traditional auth system with usernames and passwords |
| 12 | + | |
| 13 | + */ |
| 14 | + 'authorization' => [ |
| 15 | + 'enabled' => true, |
| 16 | + 'header' => 'X-Authorization', |
6 | 17 | ], |
7 | | - 'tokens' => [ |
8 | | - 'expire_days' => 30 |
9 | | - ], |
10 | | - 'cors' => [ |
11 | | - 'enabled' => true |
12 | | - ], |
13 | | - 'jwt' => [ |
14 | | - |
15 | | - /* |
16 | | - |-------------------------------------------------------------------------- |
17 | | - | JWT Authentication Secret |
18 | | - |-------------------------------------------------------------------------- |
19 | | - | |
20 | | - | Don't forget to set this in your .env file, as it will be used to sign |
21 | | - | your tokens. A helper command is provided for this: |
22 | | - | `php artisan jwt:secret` |
23 | | - | |
24 | | - | Note: This will be used for Symmetric algorithms only (HMAC), |
25 | | - | since RSA and ECDSA use a private/public key combo (See below). |
26 | | - | |
27 | | - */ |
28 | | - |
29 | | - 'secret' => env('JWT_SECRET'), |
30 | | - |
31 | | - /* |
32 | | - |-------------------------------------------------------------------------- |
33 | | - | JWT Authentication Keys |
34 | | - |-------------------------------------------------------------------------- |
35 | | - | |
36 | | - | The algorithm you are using, will determine whether your tokens are |
37 | | - | signed with a random string (defined in `JWT_SECRET`) or using the |
38 | | - | following public & private keys. |
39 | | - | |
40 | | - | Symmetric Algorithms: |
41 | | - | HS256, HS384 & HS512 will use `JWT_SECRET`. |
42 | | - | |
43 | | - | Asymmetric Algorithms: |
44 | | - | RS256, RS384 & RS512 / ES256, ES384 & ES512 will use the keys below. |
45 | | - | |
46 | | - */ |
47 | | - |
48 | | - 'keys' => [ |
49 | | - |
50 | | - /* |
51 | | - |-------------------------------------------------------------------------- |
52 | | - | Public Key |
53 | | - |-------------------------------------------------------------------------- |
54 | | - | |
55 | | - | A path or resource to your public key. |
56 | | - | |
57 | | - | E.g. 'file://path/to/public/key' |
58 | | - | |
59 | | - */ |
60 | | - |
61 | | - 'public' => env('JWT_PUBLIC_KEY'), |
62 | | - |
63 | | - /* |
64 | | - |-------------------------------------------------------------------------- |
65 | | - | Private Key |
66 | | - |-------------------------------------------------------------------------- |
67 | | - | |
68 | | - | A path or resource to your private key. |
69 | | - | |
70 | | - | E.g. 'file://path/to/private/key' |
71 | | - | |
72 | | - */ |
73 | | - |
74 | | - 'private' => env('JWT_PRIVATE_KEY'), |
75 | | - |
76 | | - /* |
77 | | - |-------------------------------------------------------------------------- |
78 | | - | Passphrase |
79 | | - |-------------------------------------------------------------------------- |
80 | | - | |
81 | | - | The passphrase for your private key. Can be null if none set. |
82 | | - | |
83 | | - */ |
84 | | - |
85 | | - 'passphrase' => env('JWT_PASSPHRASE'), |
86 | | - |
87 | | - ], |
88 | | - |
89 | | - /* |
90 | | - |-------------------------------------------------------------------------- |
91 | | - | JWT time to live |
92 | | - |-------------------------------------------------------------------------- |
93 | | - | |
94 | | - | Specify the length of time (in minutes) that the token will be valid for. |
95 | | - | Defaults to 1 hour. |
96 | | - | |
97 | | - | You can also set this to null, to yield a never expiring token. |
98 | | - | Some people may want this behaviour for e.g. a mobile app. |
99 | | - | This is not particularly recommended, so make sure you have appropriate |
100 | | - | systems in place to revoke the token if necessary. |
101 | | - | Notice: If you set this to null you should remove 'exp' element from 'required_claims' list. |
102 | | - | |
103 | | - */ |
104 | | - |
105 | | - 'ttl' => env('JWT_TTL', 60), |
106 | | - |
107 | | - /* |
108 | | - |-------------------------------------------------------------------------- |
109 | | - | Refresh time to live |
110 | | - |-------------------------------------------------------------------------- |
111 | | - | |
112 | | - | Specify the length of time (in minutes) that the token can be refreshed |
113 | | - | within. I.E. The user can refresh their token within a 2 week window of |
114 | | - | the original token being created until they must re-authenticate. |
115 | | - | Defaults to 2 weeks. |
116 | | - | |
117 | | - | You can also set this to null, to yield an infinite refresh time. |
118 | | - | Some may want this instead of never expiring tokens for e.g. a mobile app. |
119 | | - | This is not particularly recommended, so make sure you have appropriate |
120 | | - | systems in place to revoke the token if necessary. |
121 | | - | |
122 | | - */ |
123 | | - |
124 | | - 'refresh_ttl' => env('JWT_REFRESH_TTL', 20160), |
125 | | - |
126 | | - /* |
127 | | - |-------------------------------------------------------------------------- |
128 | | - | JWT hashing algorithm |
129 | | - |-------------------------------------------------------------------------- |
130 | | - | |
131 | | - | Specify the hashing algorithm that will be used to sign the token. |
132 | | - | |
133 | | - | See here: https://github.com/namshi/jose/tree/master/src/Namshi/JOSE/Signer/OpenSSL |
134 | | - | for possible values. |
135 | | - | |
136 | | - */ |
137 | | - |
138 | | - 'algo' => env('JWT_ALGO', 'HS256'), |
139 | | - |
140 | | - /* |
141 | | - |-------------------------------------------------------------------------- |
142 | | - | Required Claims |
143 | | - |-------------------------------------------------------------------------- |
144 | | - | |
145 | | - | Specify the required claims that must exist in any token. |
146 | | - | A TokenInvalidException will be thrown if any of these claims are not |
147 | | - | present in the payload. |
148 | | - | |
149 | | - */ |
150 | | - |
151 | | - 'required_claims' => [ |
152 | | - 'iss', |
153 | | - 'iat', |
154 | | - 'exp', |
155 | | - 'nbf', |
156 | | - 'sub', |
157 | | - 'jti', |
158 | | - ], |
159 | | - |
160 | | - /* |
161 | | - |-------------------------------------------------------------------------- |
162 | | - | Persistent Claims |
163 | | - |-------------------------------------------------------------------------- |
164 | | - | |
165 | | - | Specify the claim keys to be persisted when refreshing a token. |
166 | | - | `sub` and `iat` will automatically be persisted, in |
167 | | - | addition to the these claims. |
168 | | - | |
169 | | - | Note: If a claim does not exist then it will be ignored. |
170 | | - | |
171 | | - */ |
172 | 18 |
|
173 | | - 'persistent_claims' => [ |
174 | | - // 'foo', |
175 | | - // 'bar', |
176 | | - ], |
177 | | - |
178 | | - /* |
179 | | - |-------------------------------------------------------------------------- |
180 | | - | Lock Subject |
181 | | - |-------------------------------------------------------------------------- |
182 | | - | |
183 | | - | This will determine whether a `prv` claim is automatically added to |
184 | | - | the token. The purpose of this is to ensure that if you have multiple |
185 | | - | authentication models e.g. `App\User` & `App\OtherPerson`, then we |
186 | | - | should prevent one authentication request from impersonating another, |
187 | | - | if 2 tokens happen to have the same id across the 2 different models. |
188 | | - | |
189 | | - | Under specific circumstances, you may want to disable this behaviour |
190 | | - | e.g. if you only have one authentication model, then you would save |
191 | | - | a little on token size. |
192 | | - | |
193 | | - */ |
194 | | - |
195 | | - 'lock_subject' => true, |
196 | | - |
197 | | - /* |
198 | | - |-------------------------------------------------------------------------- |
199 | | - | Leeway |
200 | | - |-------------------------------------------------------------------------- |
201 | | - | |
202 | | - | This property gives the jwt timestamp claims some "leeway". |
203 | | - | Meaning that if you have any unavoidable slight clock skew on |
204 | | - | any of your servers then this will afford you some level of cushioning. |
205 | | - | |
206 | | - | This applies to the claims `iat`, `nbf` and `exp`. |
207 | | - | |
208 | | - | Specify in seconds - only if you know you need it. |
209 | | - | |
210 | | - */ |
211 | | - |
212 | | - 'leeway' => env('JWT_LEEWAY', 0), |
213 | | - |
214 | | - /* |
215 | | - |-------------------------------------------------------------------------- |
216 | | - | Blacklist Enabled |
217 | | - |-------------------------------------------------------------------------- |
218 | | - | |
219 | | - | In order to invalidate tokens, you must have the blacklist enabled. |
220 | | - | If you do not want or need this functionality, then set this to false. |
221 | | - | |
222 | | - */ |
223 | | - |
224 | | - 'blacklist_enabled' => env('JWT_BLACKLIST_ENABLED', true), |
225 | | - |
226 | | - /* |
227 | | - | ------------------------------------------------------------------------- |
228 | | - | Blacklist Grace Period |
229 | | - | ------------------------------------------------------------------------- |
230 | | - | |
231 | | - | When multiple concurrent requests are made with the same JWT, |
232 | | - | it is possible that some of them fail, due to token regeneration |
233 | | - | on every request. |
234 | | - | |
235 | | - | Set grace period in seconds to prevent parallel request failure. |
236 | | - | |
237 | | - */ |
238 | | - |
239 | | - 'blacklist_grace_period' => env('JWT_BLACKLIST_GRACE_PERIOD', 0), |
240 | | - |
241 | | - /* |
242 | | - |-------------------------------------------------------------------------- |
243 | | - | Cookies encryption |
244 | | - |-------------------------------------------------------------------------- |
245 | | - | |
246 | | - | By default Laravel encrypt cookies for security reason. |
247 | | - | If you decide to not decrypt cookies, you will have to configure Laravel |
248 | | - | to not encrypt your cookie token by adding its name into the $except |
249 | | - | array available in the middleware "EncryptCookies" provided by Laravel. |
250 | | - | see https://laravel.com/docs/master/responses#cookies-and-encryption |
251 | | - | for details. |
252 | | - | |
253 | | - | Set it to true if you want to decrypt cookies. |
254 | | - | |
255 | | - */ |
256 | | - |
257 | | - 'decrypt_cookies' => false, |
258 | | - |
259 | | - /* |
260 | | - |-------------------------------------------------------------------------- |
261 | | - | Providers |
262 | | - |-------------------------------------------------------------------------- |
263 | | - | |
264 | | - | Specify the various providers used throughout the package. |
265 | | - | |
266 | | - */ |
267 | | - |
268 | | - 'providers' => [ |
269 | | - |
270 | | - /* |
271 | | - |-------------------------------------------------------------------------- |
272 | | - | JWT Provider |
273 | | - |-------------------------------------------------------------------------- |
274 | | - | |
275 | | - | Specify the provider that is used to create and decode the tokens. |
276 | | - | |
277 | | - */ |
278 | | - |
279 | | - 'jwt' => Tymon\JWTAuth\Providers\JWT\Lcobucci::class, |
280 | | - |
281 | | - /* |
282 | | - |-------------------------------------------------------------------------- |
283 | | - | Authentication Provider |
284 | | - |-------------------------------------------------------------------------- |
285 | | - | |
286 | | - | Specify the provider that is used to authenticate users. |
287 | | - | |
288 | | - */ |
289 | | - |
290 | | - 'auth' => Tymon\JWTAuth\Providers\Auth\Illuminate::class, |
291 | | - |
292 | | - /* |
293 | | - |-------------------------------------------------------------------------- |
294 | | - | Storage Provider |
295 | | - |-------------------------------------------------------------------------- |
296 | | - | |
297 | | - | Specify the provider that is used to store tokens in the blacklist. |
298 | | - | |
299 | | - */ |
300 | | - |
301 | | - 'storage' => Tymon\JWTAuth\Providers\Storage\Illuminate::class, |
302 | | - |
303 | | - ], |
| 19 | + /* |
| 20 | + |-------------------------------------------------------------------------- |
| 21 | + | FlightDeck Authentication |
| 22 | + |-------------------------------------------------------------------------- |
| 23 | + | |
| 24 | + | Enabling authentication adds routes for login, password resetting |
| 25 | + | and registration. By default we use JWT |
| 26 | + | |
| 27 | + */ |
| 28 | + 'authentication' => [ |
| 29 | + 'enabled' => true, |
| 30 | + ], |
304 | 31 |
|
| 32 | + 'tokens' => [ |
| 33 | + 'expire_days' => 30, |
305 | 34 | ], |
306 | 35 |
|
| 36 | + /* |
| 37 | + |-------------------------------------------------------------------------- |
| 38 | + | Cross-Origin Resource Sharing (CORS) |
| 39 | + |-------------------------------------------------------------------------- |
| 40 | + | |
| 41 | + | If you consume your API from a different domain, you will need to |
| 42 | + | enable CORS to be able to access it |
| 43 | + | |
| 44 | + */ |
| 45 | + 'cors' => [ |
| 46 | + 'enabled' => true, |
| 47 | + ], |
307 | 48 | ]; |
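Review bot: The new `tokens` block (new lines 32–35) is the only top-level section that does not receive the header comment this commit adds to `authorization`, `authentication` and `cors`, so a reader cannot tell which tokens `expire_days` bounds or whether they are the same credentials the `authorization` header carries; add a block in the same house style, e.g. `| Lifetime, in days, of the tokens FlightDeck issues; treat it with the same care as a session lifetime.`, adjusted to the actual token type. The `authentication` comment states "By default we use JWT", yet the same commit removes every JWT setting from this file (`secret`, the `keys` paths, `algo`, `ttl`, `refresh_ttl`, `required_claims`, the blacklist options and `providers`), so the comment should say where those settings now live; if they were not moved to another config file, that is a functional gap rather than a documentation one. The `authorization` block documents nothing about what value the `X-Authorization` header must carry or how that value is checked; a single line such as `| The request header that carries the FlightDeck authorization token.` would close that. Finally, `cors.enabled` defaults to true with no allowed-origin setting anywhere in this file; if the middleware it drives answers with a wildcard origin when enabled, say so in the CORS comment so deployers know to restrict it.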