
Laravel Lighthouse Sanctum role based authorization best practices

wolfiton ・ 1 min read

Hi everyone,

I am looking to understand if the following is the correct way to implement authorization using Sanctum with GraphQL:

Now for the tricky part: once I create a login mutation, I need to verify that the user has the corresponding role and generate a token ability based on that check. Also, when the app goes offline or enters PWA mode, I need to revoke any token abilities for:

  • create
  • delete
  • update

I couldn't find any solution to this problem in the docs, although it is a real-world necessity. I can only leave the show and index abilities active.

My idea is like this:

Create a custom arg resolver for the mutation, somehow bring in the middleware, and generate a token based on roles.

The verification will be made server-side, then a token with abilities will be issued.

Bad idea: To store the role with the token.

So the real solution is this, and I don't care how many people will argue, because in reality security is very important and should be handled by experts in the field. That being said, PASETO is and will remain a real option if we can build it.

For why PASETO, read this post from a security expert who works with this every day:

https://developer.okta.com/blog/2019/10/17/a-thorough-introduction-to-paseto

So this is the answer.

Thanks for reading.
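The following is an added example, not code from the original post or from Lighthouse or Sanctum themselves, showing one way to implement the idea outlined above with stock Sanctum token abilities: the login resolver checks credentials and the user's role server-side, maps the role to a set of abilities, and issues a token carrying only those abilities; a second resolver trims the caller's current token down to `show` and `index` when the client enters offline/PWA mode; a small helper enforces an ability in a mutation resolver. The role is never stored in the token; it stays in the database, and only the opaque token reaches the client. Assumptions (not in the original): the User model has a string `role` column, the class names `Login`, `EnterReadOnlyMode`, `RoleAbilities` and `RequireAbility`, the role-to-ability map, and the schema fragment in the leading comment are all hypothetical; the Lighthouse resolver signature, `@field`, `@guard`, `createToken`, `currentAccessToken`, `tokenCan` and `PersonalAccessToken` are real Lighthouse/Sanctum APIs.

```php
<?php
// Added example (not from the original post). Assumes: a User model with a
// string `role` column (assumption), Sanctum installed with its
// personal_access_tokens table, and Lighthouse routing these mutations to the
// resolvers below via @field(resolver: ...).
//
// Assumed schema fragment for graphql/schema.graphql:
//
//   type Mutation {
//     login(email: String!, password: String!): String!
//       @field(resolver: "App\\GraphQL\\Mutations\\Login")
//     enterReadOnlyMode: Boolean! @guard(with: ["sanctum"])
//       @field(resolver: "App\\GraphQL\\Mutations\\EnterReadOnlyMode")
//   }

namespace App\GraphQL\Mutations;

use App\Models\User;
use GraphQL\Type\Definition\ResolveInfo;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Support\Facades\Hash;
use Laravel\Sanctum\PersonalAccessToken;
use Nuwave\Lighthouse\Support\Contracts\GraphQLContext;

/**
 * Server-side map from role to Sanctum token abilities (hypothetical roles).
 * The role itself never goes into the token: Sanctum stores the abilities in
 * the personal_access_tokens row, and the client only holds the opaque token.
 */
final class RoleAbilities
{
    public const READ_ONLY = ['show', 'index'];

    private const BY_ROLE = [
        'admin'  => ['show', 'index', 'create', 'update', 'delete'],
        'editor' => ['show', 'index', 'create', 'update'],
        'viewer' => self::READ_ONLY,
    ];

    public static function for(string $role): array
    {
        // Unknown roles get the minimum set, never a default-allow.
        return self::BY_ROLE[$role] ?? self::READ_ONLY;
    }
}

final class Login
{
    public function __invoke($root, array $args, GraphQLContext $context, ResolveInfo $info): string
    {
        $user = User::where('email', $args['email'])->first();

        // Same failure path for an unknown user and a wrong password.
        if ($user === null || ! Hash::check($args['password'], $user->password)) {
            throw new AuthenticationException('Invalid credentials.');
        }

        // The role check happens here, server-side; only its result (the
        // ability list) is attached to the issued token.
        $abilities = RoleAbilities::for($user->role);

        return $user->createToken('lighthouse-client', $abilities)->plainTextToken;
    }
}

final class EnterReadOnlyMode
{
    public function __invoke($root, array $args, GraphQLContext $context, ResolveInfo $info): bool
    {
        $user = $context->user();
        if ($user === null) {
            throw new AuthenticationException();
        }

        $token = $user->currentAccessToken();

        // Cookie/session logins carry a TransientToken, not a database row;
        // there are no stored abilities to trim in that case.
        if (! $token instanceof PersonalAccessToken) {
            throw new AuthorizationException('Read-only mode requires a bearer token.');
        }

        // Drop create/update/delete from the token the caller is using right now.
        $token->forceFill(['abilities' => RoleAbilities::READ_ONLY])->save();

        return true;
    }
}

/** Use inside any mutation resolver: RequireAbility::check($context, 'create'). */
final class RequireAbility
{
    public static function check(GraphQLContext $context, string $ability): User
    {
        $user = $context->user();

        // Note: for session (TransientToken) logins Sanctum's tokenCan() returns
        // true for every ability, so this check only constrains bearer tokens.
        if ($user === null || ! $user->tokenCan($ability)) {
            throw new AuthorizationException("Token lacks the '{$ability}' ability.");
        }

        return $user;
    }
}
```

Because the abilities live in the `personal_access_tokens` row, a client that keeps an old token cannot regain `create`/`update`/`delete` after `enterReadOnlyMode` without logging in again, and that login repeats the server-side role check. Mutation fields still need the check applied: mark them `@guard(with: ["sanctum"])` and call `RequireAbility::check` in each resolver, or put Sanctum's `abilities:create` middleware in front of the GraphQL route if the whole endpoint shares one ability set.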
