Laravel Airlock

HTTP is a stateless protocol: the server receives no session information with a request, so to authenticate a user you have to identify that user on every request. There are two common ways to do that: send a token that identifies the user, or send a session ID that the server maps to state it keeps. Each has a trade-off. A token must be stored somewhere on the client (a mobile keychain, or browser storage where it is exposed to XSS), while a session keeps the state server-side but needs CSRF protection because the browser attaches the cookie automatically. Laravel Airlock is a lightweight authentication system that makes sure requests to your API carry either a valid token or an authenticated session. (The package has since been renamed Laravel Sanctum, published as laravel/sanctum under the Laravel\Sanctum namespace; the API used below is otherwise the same.) First install Airlock. Open a terminal in your project directory and run the following commands.

composer require laravel/airlock
php artisan vendor:publish --provider="Laravel\Airlock\AirlockServiceProvider"
php artisan migrate

The migration creates the personal_access_tokens table. Airlock stores only a SHA-256 hash of each token there, so the plaintext token is handed to the client once and cannot be recovered from the database. Next, use the HasApiTokens trait in the User model as shown below.

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Airlock\HasApiTokens;

class User extends Authenticatable
{
    // HasApiTokens adds createToken(), tokens() and the token helpers used below.
    use HasApiTokens, Notifiable;

    // Class body omitted.
}

Now create the routes. Add the routes below to routes/api.php; because that file is loaded under the api prefix, they are served at /api/airlock/register and /api/airlock/token.

Route::prefix('airlock')->namespace('API')->group(function () {
    Route::post('register', 'AuthController@register');
    Route::post('token', 'AuthController@token');
});

Clients use these routes to register an account and, when logging in, to request a token. Both routes accept credentials, so keep them rate limited; the api middleware group applies throttle:60,1 by default, which is a reasonable starting point for the token route. To implement the routes, create the controller with the following command (a forward slash avoids the shell consuming the backslash in API\AuthController):

php artisan make:controller API/AuthController

Add the following imports to app/Http/Controllers/API/AuthController.php, then add the register method shown below.

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Validator;

public function register(Request $request)
{
    $validator = Validator::make($request->all(), [
        'name' => ['required', 'string', 'max:255'],
        'email' => ['required', 'string', 'email', 'max:255', 'unique:users'],
        'password' => ['required', 'string', 'min:8'],
        'device_name' => ['required', 'string'],
    ]);

    // Reject the request with the validation errors if any rule fails.
    if ($validator->fails()) {
        return response()->json(['error' => $validator->errors()], 422);
    }

    // Build the user from the validated fields only, so unexpected input
    // (an extra role or admin column, for example) is never mass-assigned,
    // and store the password as a bcrypt hash.
    $data = $validator->validated();
    $user = User::create([
        'name' => $data['name'],
        'email' => $data['email'],
        'password' => Hash::make($data['password']),
    ]);

    // Issue a token named after the device. plainTextToken is the only time
    // the raw token is available; the table keeps just its hash.
    $token = $user->createToken($data['device_name'])->plainTextToken;

    return response()->json(['token' => $token], 200);
}

To sign the same account in on another device (or after a token has been revoked), add a token method that checks the credentials and issues a new token for that device.

public function token(Request $request)
{
    $validator = Validator::make($request->all(), [
        'email' => ['required', 'string', 'email', 'max:255'],
        'password' => ['required', 'string', 'min:8'],
        'device_name' => ['required', 'string'],
    ]);

    if ($validator->fails()) {
        return response()->json(['error' => $validator->errors()], 422);
    }

    // Look up the account by e-mail address.
    $user = User::where('email', $request->email)->first();

    // Compare the submitted password with the stored hash. The same generic
    // message is returned whether the e-mail or the password is wrong, so the
    // endpoint gives no explicit answer about which addresses have an account
    // (the short-circuit still leaks a small timing difference).
    if (! $user || ! Hash::check($request->password, $user->password)) {
        return response()->json(['error' => 'The provided credentials are incorrect.'], 422);
    }

    // Issue a fresh token for this device; earlier tokens stay valid until revoked.
    return response()->json([
        'token' => $user->createToken($request->device_name)->plainTextToken,
    ]);
}
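Airlock only does its job on the routes you actually protect, which the tutorial stops short of. The following is an added example, not code from the original post or from the Airlock package: it keeps the two routes above, puts a user route behind the auth:airlock guard, and adds logout and logout-all routes that revoke tokens. The route names and the closure bodies are my own choices; in a real application the closures would live in AuthController like the methods above.

```php
<?php
// routes/api.php (added example): routes that require a valid Airlock token.
//
// The client sends the token it received from /api/airlock/token in the
// Authorization header on every request:
//     Authorization: Bearer <plainTextToken>
// The auth middleware rejects requests without a valid token with HTTP 401.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::prefix('airlock')->namespace('API')->group(function () {
    Route::post('register', 'AuthController@register');
    Route::post('token', 'AuthController@token');

    // Everything in this group runs only when the bearer token resolves
    // to a user through the 'airlock' guard registered by the package.
    Route::middleware('auth:airlock')->group(function () {

        // $request->user() is the owner of the token that was presented.
        Route::get('user', function (Request $request) {
            return $request->user();
        });

        // Revoke only the token that authenticated this request: the current
        // device is signed out, the user's other devices keep working.
        // currentAccessToken() is the HasApiTokens accessor for that token row.
        Route::post('logout', function (Request $request) {
            $request->user()->currentAccessToken()->delete();

            return response()->json(['message' => 'Token revoked.']);
        });

        // Revoke every token the user owns: the right response to a lost
        // device or a password change, since tokens never expire on their own.
        Route::post('logout-all', function (Request $request) {
            $request->user()->tokens()->delete();

            return response()->json(['message' => 'All tokens revoked.']);
        });
    });
});
```

Revocation is just row deletion in personal_access_tokens: the guard hashes the presented token, looks the hash up, and finds nothing on the next request. Because the tokens carry no expiry, the logout-all route (or deleting rows directly) is the only way to end a compromised device's access.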
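A feature test is the quickest way to confirm the whole flow behaves as intended, in particular that the protected route rejects a request without a token and a revoked one. The test below is added here and is not part of the original post. It uses the register and token routes from this tutorial and assumes two further routes that the tutorial leaves to you: GET /api/airlock/user behind the auth:airlock middleware, and POST /api/airlock/logout, which deletes the token the request was made with (hypothetical names). The credentials are constructed test data.

```php
<?php
// tests/Feature/AirlockTokenFlowTest.php (added example).

namespace Tests\Feature;

use App\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class AirlockTokenFlowTest extends TestCase
{
    use RefreshDatabase;

    public function test_token_grants_access_and_revocation_removes_it()
    {
        // Constructed sample credentials; RefreshDatabase gives a clean table.
        $credentials = [
            'email' => 'alice@example.com',
            'password' => 'correct horse battery',
            'device_name' => 'phone',
        ];

        // 1. Register: the response carries the one-time plaintext token.
        $register = $this->postJson('/api/airlock/register', ['name' => 'Alice'] + $credentials);
        $register->assertStatus(200);
        $token = $register->json('token');
        $this->assertNotEmpty($token);

        // A row exists for the device, but the plaintext is never stored.
        $this->assertDatabaseHas('personal_access_tokens', ['name' => 'phone']);
        $this->assertDatabaseMissing('personal_access_tokens', ['token' => $token]);

        // 2. Without a bearer token the protected route is rejected.
        $this->getJson('/api/airlock/user')->assertStatus(401);

        // 3. With the token the same route returns the authenticated user.
        // Headers are passed per request rather than via withHeader(), which
        // would persist the Authorization header for every later call.
        $this->getJson('/api/airlock/user', ['Authorization' => 'Bearer '.$token])
            ->assertStatus(200)
            ->assertJson(['email' => 'alice@example.com']);

        // 4. A wrong password on the token route must not mint a token.
        // Array union keeps the left-hand 'password', overriding the real one.
        $this->postJson('/api/airlock/token', ['password' => 'wrong'] + $credentials)
            ->assertStatus(422)
            ->assertJsonMissing(['token']);

        // 5. A second device gets its own token; the user now owns two rows.
        $laptop = $this->postJson('/api/airlock/token', ['device_name' => 'laptop'] + $credentials)
            ->assertStatus(200)
            ->json('token');
        $this->assertCount(2, User::first()->tokens);

        // 6. Revoking the phone token stops it working; the laptop token is unaffected.
        $this->postJson('/api/airlock/logout', [], ['Authorization' => 'Bearer '.$token])
            ->assertStatus(200);
        $this->getJson('/api/airlock/user', ['Authorization' => 'Bearer '.$token])
            ->assertStatus(401);
        $this->getJson('/api/airlock/user', ['Authorization' => 'Bearer '.$laptop])
            ->assertStatus(200);
    }
}
```

Run it with php artisan test (or vendor/bin/phpunit) against a testing database; step 6 is the one that catches a logout implementation that forgets to delete the token row, and step 4 the one that catches a token route that skips the Hash::check.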