This plugin provides a JSON Web Tokens authentication mechanism for OctoberCMS integrated with RainLab.User. It's essential for your web application built with Angular, Vue.js, React or other modern Javascript frameworks.
- RainLab.User plugin
- RLuders.CORS plugin (optional, but recommended)
Yes, you can install it from the repository (but I'll not provide a documentation for that - in this case I'll assume that you know what you are doing). I strongly recommend that you install it from product page inside the OctoberCMS Marketplace.
You must set a secret token for your application. Do do it, on October's Backend access: Settings > Users > JWTAuth
Here's the list of available endpoints for this plugin.
If you are using Postman, you can click here to import the collection with all the calls that you need to test it.
POST /api/auth/login
Route name
api.auth.login
| Name | Type | Required | Description |
|---|---|---|---|
| login | string | Yes | Account login attribute |
| password | string | Yes | Account password |
The field
loginvalue can be the accountusername. You can select it onRainLab.Userconfiguration what field should be used for login.
SUCCESS
Code: 200
{
token: (string),
user: (object)
}ERROR
Code: 401
{
error: (invalid_credentials|could_not_create_token|user_inactive|user_is_banned)
}POST /api/auth/register
Route name
api.auth.register
| Name | Type | Required | Description |
|---|---|---|---|
| username | string | No | Account username |
| string | Yes | Account email | |
| password | string | Yes | Account password |
| password_confirmation | string | No | Confirm the new password |
The field
usernamecan be required. It depends of yourRainLab.Userconfiguration.
SUCCESS
Code: 201
[]ERROR
Code: 401
{
error: (object|registration_disabled)
}rainlab.user.beforeRegisterrainlab.user.register
POST /api/auth/account-activation
Route name
api.auth.account-activation
| Name | Type | Required | Description |
|---|---|---|---|
| activation_code | string | Yes | Account activation code |
SUCCESS
Code: 200
[]ERROR
Code: 422
{
error: (invalid_activation_code|invalid_user|user_not_found)
}POST /api/auth/forgot-password
Route name
api.auth.forgot-password
| Name | Type | Required | Description |
|---|---|---|---|
| string | Yes | Account email |
SUCCESS
Code: 200
[]ERROR
Code: 404
{
error: (user_not_found)
}POST /api/auth/reset-password
Route name
api.auth.reset-password
| Name | Type | Required | Description |
|---|---|---|---|
| reset_password_code | string | Yes | Reset password code |
| password | string | Yes | Account new password |
| password_confirmation | string | No | Confirm the new password |
SUCCESS
Code: 200
[]ERROR
Code: 422
{
error: (invalid_reset_password_code|invalid_user|invalid_reset_password_code)
}POST /api/auth/refresh-token
Route name
auth.api.refresh-token
| Name | Type | Required | Description |
|---|---|---|---|
| token | string | Yes | Valid user JWToken |
SUCCESS
Code: 200
{
token: (string)
}ERROR
Code: 403
{
error: (could_not_refresh_token|given_token_was_blacklisted)
}GET /api/auth/me
Middleware
jwt.auth
Route name
api.auth.me
| Name | Type | Required | Description |
|---|---|---|---|
| token | string | Yes | Valid token |
SUCCESS
Code: 200
{
user: (object)
}ERROR
Code: 404
{
error: (user_not_found)
}Beside the fact that I'm always trying to solve the possible issues, bad things could happen. Here, an list of possible issues and how to fix it.
In order to use the authorization Bearer Token you must add the following code to your .httaccess
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
GPLv3