问题
I tried to find where the token returned by the method $user->createToken('MyApp')->accessToken; is stored on the database but I can't seem to find it. Is it stored in the server in the first place? If so, where?
If it's not stored on the server because it's self-contained, why did Laravel's developers put $table->rememberToken(); in the default create_users_table.php migration? What's the purpose of the column remember_token?
Thank you for your help.
回答1:
I guess you could say that some part of the token is stored in the database.
The token returned is JWT (JSON Web Token). Encoded in it is information about the token, like its expiration time, the algorithm used to hash it, the token scopes and its ID (in the payload it's named jti). That ID is what's stored in the oauth_access_tokens table.
In this method in the \Laravel\Passport\PersonalAccessTokenFactory::findAccessToken class you can see how Laravel is checking if the token is in the database:
/**
* Get the access token instance for the parsed response.
*
* @param array $response
* @return Token
*/
protected function findAccessToken(array $response)
{
return $this->tokens->find(
$this->jwt->parse($response['access_token'])->getClaim('jti')
);
}
If you get a valid token and paste it in this online tool you will see the structure of it. Here's how it looks:
Now, knowing the expected format of the payload, if you play around a bit with this information and the data you have in your oauth_access_tokens (id, scope, creation and expiration date) you should be able to create a valid token.
回答2:
Remember token in user table is for "Remember Me" when you log in on web. Laravel: What is “remember_token” in the “users” DB table?
If you use passport and create API you can find token id in oauth_access_tokens in database.
回答3:
No, the access token value is not stored anywhere. If you lose it, it's gone. You'll need to regenerate a new token.
The rememeber_token field is for the "Remember Me" functionality for normal web authentication. It is not related to Passport API authentication at all.
来源:https://stackoverflow.com/questions/50254237/laravel-passport-are-apis-tokens-stored-on-the-server-and-where