Use of Access Tokens for API calls

[rlefever]

First let me say thank you to you and all who have assisted for your time and effort on this project. It is better that the custom inventions of the wheel that I previously used.

In trying to implement access token authentication for APIs I have some questions which I hope I can get help.

1. How to authenticate a raw_token sent as Bearer when the examples seem to show token retrieval methods called on a $user.

// Retrieve a single token by plain text token
$token = $user->getAccessToken($rawToken);

Seems like that would mean the User would have to send credentials each time before the token lookup. If that is the case, what is the use of the access token? I have extended the UserModel but I do not see the hasAccessToken trait being used and therefor do not understand how to call it's methods. Please explain the process and code flow in more detail.

2. The docs state that if you lose the raw_token it cannot be retrieved and the token would have to be revoked and another issued. Problem comes in that the raw_token string is required as input to revokeAccessToken(). Therefore, If you don't have the raw_token, you cannot revoke the acccess token. Am I understanding this correctly? It seems the method simply deletes the record so I used used delete($id) instead.

Thanks again,

[kenjis]

How to authenticate a raw_token sent as Bearer

See TokenAuth filter:

shield/src/Filters/TokenAuth.php

Line 35 in b7b6720

public function before(RequestInterface $request, $arguments = null)

Seems like that would mean the User would have to send credentials each time before the token lookup.

The access token is the credential.

The docs state that if you lose the raw_token it cannot be retrieved and the token would have to be revoked and another issued.

Where is the docs?

[rlefever]

Thanks for the quick reply.

Is that filter in place or do I need to update the Config\Filters? I did not see it so I was trying to create my own.

Authentication -> Generating Access Token states 'The plain text version should be displayed to the user immediately so they can copy it for their use. If a user loses it, they cannot see the raw version anymore, but they can generate a new token to use.'

[kenjis]

If you want to use the filter, you must set in your Config\Filters.
See

• https://github.com/codeigniter4/shield/blob/develop/docs/install.md#controller-filters
• https://codeigniter4.github.io/CodeIgniter4/incoming/filters.html#configuring-filters

[kenjis]

Problem comes in that the raw_token string is required as input to revokeAccessToken(). Therefore, If you don't have the raw_token, you cannot revoke the acccess token. Am I understanding this correctly?

It seems you are confusing a user's view and a developer's view.
If a user lost the token, yes, they don't know it.
But a developer can get any tokens from the database.

By the way what do you want to do?

[rlefever]

I was creating the site admin and user interface. So from an interface point of view where you don't have the raw token to work with I could not revoke. Since the token cannot be updated, I wanted the user to be able to create a new token with different scope and revoke the old token. I also wanted an admin to be able to revoke or even script revoking when a subscriber cancels or doesn't pay.

Would you be so kind as to explain what the force_reset and status/status_message fields are used for?

Given the fields for login as username or email, can either be used or is it just the first in the list?

Also, when is the expires field populated? From the docs it sounds like it would be constantly updated to be a YEAR (used in docs) from the last_used_at date.

[kenjis]

Would you be so kind as to explain what the force_reset and status/status_message fields are used for?

It seems not used now.

[kenjis]

So from an interface point of view where you don't have the raw token to work with I could not revoke.

You can get all tokens with $user->accessTokens():
https://github.com/codeigniter4/shield/blob/develop/docs/authentication.md#retrieving-access-tokens

The raw token should not be displayed, but we (dev) can know it.
So you can create the interface to revoke the specific token without displaying the raw token.