Laravel + tappleby auth token package - Separate controllers?

[tjmahaffey]

I'm building a Laravel app which also includes an API. I'd like to extend the default Laravel auth scheme to allow api access via tokens. Same auth structure, but two vehicles: api users validated via tokens, web app users validated via Laravel's default auth scheme.

I have a SessionController which I use to login and log out for web app users:

<?php

class SessionController extends \BaseController {

public function create() {

    if (Auth::check()) {
        return Redirect::to('/post/dashboard');
    }
    return View::make('sessions.create');

}

public function store() {

    if ( Auth::attempt(Input::only('username', 'password')) ) {
        return Redirect::to('/post/dashboard');
    } else {

        return Redirect::to('/login')->with('error', 'Failed Auth.');
    }

}

public function destroy() {

    Auth::logout();
    return Redirect::route('login');
}

}

Is it preferred that the api users go through a wholly separate controller for authentication in order to generate and validate tokens? Or can I somehow add the tappleby auth token stuff inside my existing SessionsController and have it serve both purposes?
I'm interested in best practices here.

[anuragrath]

Any reply on this would help? Still its not clear on how both can co-exist?

@tjmahaffey Did you get anything in this regard?

Thanks,

[tjmahaffey]

I haven't come to any new information on this. Right now, I'm planning to create a separate controller for API authentication, though I don't think that's the right way to do it.

[tappleby]

Do you have more details on how API users are using your app vs "web users". Are they the same "session"?

If so you can generate a token using:

if(Auth::check()) {
  $authToken = AuthToken::create(Auth::user());
  $publicToken = AuthToken::publicToken($authToken);
}

When this library was originally designed it was mainly for authentication via Ajax using same "user session". Most users are now using the library for authentication on mobile apps. I hope to make the next version of this package better for that use cause, I had planned on this release a few months ago but it has unfortunately been delayed.

[anuragrath]

@tappleby Yes, we are also using along with mobile apps.
If you can share some ideas, around how you plan to handle the session & Auth facade for the mobile app.

[tappleby]

To simplify things I would recommend a separate controller for tokens, you can use the default controller included in the package for basic use: https://github.com/tappleby/laravel-auth-token#the-controller

The alternative would included updating the session controller to check if the request accepts JSON if(Request::wantsJson() || Request::ajax()) and return a token instead of a redirect (same for errors too).