Remove Database Id From Generated Token

Asked 7/9, 2021 at 6:37 Answered 16/9 at 5:4

Currently I am building rest API using Laravel. For authentication, I am using the Sanctum package. Every time a user is logged in it generate a token that looks like this:

"token": "98|b45h97e17VVpugjO71wwURoicIqDQP2ejTkCWwoD"

But why Sanctum includes the database id with the token?

How to remove the database id from the token?

Region answered 7/9, 2021 at 6:37 Comment(2)

Any help will be appreciated! – Region 7/9, 2021 at 8:54

I would also like to learn how to do this. It doesn't serve my purposes to have the ID prepended to the token, but I don't want to mess up Sanctum's token verification by manually editing it after creation. – Amnesty 25/3, 2022 at 13:23

I just looked through the source history and found that the ID was introduced in a well-named commit called more performant tokens lookup, so that is the reason the ID is part of the token.

But if you look at the code loading/verifying the token there is a fallback at the beginning in case there is no ID. So you can simply remove it from the token, for example by overriding the findToken method.

Lymphatic answered 21/4, 2022 at 10:0 Comment(0)

try this,

Option 1:-

In Controller:-

$token = $user->createToken(''project_name')->plainTextToken;
$auth_token = explode('|', $token)[1];

Option 2:-

In postman Refer image:-

Lavender answered 7/9, 2021 at 11:3 Comment(1)

Option 1: how sanctum verify this token? since you modified the original token. – Region 7/9, 2021 at 11:36

im using laravel 10,

createToken() method in this path :

vendor\laravel\sanctum\src\HasApiTokens.php

concatenate ID + | + hashToken

you must modify return value of this method :

change this line

return new NewAccessToken($token, $token->getKey().'|'.$plainTextToken);

with this :

return new NewAccessToken($token, $plainTextToken);

this should solve the above issue.

actually, i did not directly edit this file i edited the user model where i was generating the token

Saharan answered 1/2 at 7:11 Comment(1)

Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Dinner 3/2 at 20:23

To complement Radmehr Azari's answer. I overrode the createToken method from the HasApiTokens trait in my User model

use DateTimeInterface;
use Laravel\Sanctum\HasApiTokens;
use Laravel\Sanctum\NewAccessToken;

class User{
  use HasApiTokens;

  public function createToken(string $name, array $abilities = ['*'], DateTimeInterface $expiresAt = null)
    {
        $plainTextToken = $this->generateTokenString();            

        $token = $this->tokens()->create([
            'name' => $name,
            'token' => hash('sha256', $plainTextToken),
            'abilities' => $abilities,
            'expires_at' => $expiresAt,
        ]);
        
        //This is the line that we change from the original function
        //We basically removed the `id|` prefix from the token
        return new NewAccessToken($token, $plainTextToken);
    }
}

Westernize answered 16/9 at 5:4 Comment(2)

By removing the ID this way, you're breaking it. The findToken method needs the actual ID to find the token. Take a look at the findToken method - github.com/laravel/sanctum/blob/4.x/src/… – Reservation 19/9 at 14:33

This part of the findToken method that you shared the link makes the code work even without the id prefix. if (strpos($token, '|') === false) { return static::where('token', hash('sha256', $token))->first(); } – Westernize 22/9 at 6:15

Recommended topics

Hot tags