安裝 tymon/jwt-auth 包；2. 發(fā)布 JWT 配置文件；3. 生成 JWT 密鑰并配置 .env；4. 用戶模型實(shí)現(xiàn) JWTSubject 接口；5. 在 auth 配置中設(shè)置 JWT guard；6. 創(chuàng)建包含登錄、登出、刷新和獲取用戶信息的控制器；7. 在 api.php 中定義路由并應(yīng)用 auth:api 中間件；8. 通過 Authorization: Bearer <token> 請(qǐng)求受保護(hù)路由，完成認(rèn)證流程，整個(gè)過程需確保 JWT_SECRET 安全且輸入驗(yàn)證嚴(yán)格，最終實(shí)現(xiàn) Laravel 中基于 JWT 的無狀態(tài) API 認(rèn)證。

Implementing JWT (JSON Web Token) authentication in Laravel is a common requirement for building stateless APIs. Here's a clear, step-by-step guide using the popular tymon/jwt-auth package.

1. Install the JWT Package

First, install the tymon/jwt-auth package via Composer:

composer require tymon/jwt-auth

Note: For Laravel 10/9, make sure you're using a compatible version. As of recent versions, use ^2.1.

2. Publish the Configuration File

Publish the JWT configuration file using Artisan:

php artisan vendor:publish --provider="Tymon\JWTAuth\Providers\LaravelServiceProvider"

This creates a config/jwt.php file where you can customize token behavior (TTL, algorithm, etc.).

3. Generate the Secret Key

Generate a secret key for signing tokens:

php artisan jwt:secret

This command adds a JWT_SECRET entry to your .env file — crucial for securing your tokens.

Example in .env:

JWT_SECRET=your_generated_secret_key_here

4. Configure the User Model

Ensure your User model (usually App\Models\User) implements the JWTSubject contract:

<?php

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Tymon\JWTAuth\Contracts\JWTSubject;

class User extends Authenticatable implements JWTSubject
{
    // ...

    /**
     * Get the identifier that will be stored in the subject claim of the JWT.
     */
    public function getJWTIdentifier()
    {
        return $this->getKey();
    }

    /**
     * Return a key-value array, containing any custom claims to be added to the JWT.
     */
    public function getJWTCustomClaims()
    {
        return [];
    }
}

5. Set Up Authentication Guards

Update config/auth.php to add a JWT guard:

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver' => 'jwt',  // Use JWT driver for API
        'provider' => 'users',
    ],
],

Also, ensure your api routes use the api guard (this is often default in Laravel).

6. Create Authentication Controllers

Generate a controller to handle login, logout, refresh, and user details:

php artisan make:controller AuthController

Add methods like:

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Tymon\JWTAuth\Exceptions\JWTException;
use JWTAuth;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');

        try {
            if (! $token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'Invalid credentials'], 401);
            }
        } catch (JWTException $e) {
            return response()->json(['error' => 'Could not create token'], 500);
        }

        return response()->json(compact('token'));
    }

    public function getAuthenticatedUser()
    {
        try {
            if (! $user = JWTAuth::parseToken()->authenticate()) {
                return response()->json(['user_not_found'], 404);
            }
        } catch (JWTException $e) {
            return response()->json(['error' => $e->getMessage()], $e->getStatusCode());
        }

        return response()->json(compact('user'));
    }

    public function logout()
    {
        JWTAuth::invalidate(JWTAuth::getToken());

        return response()->json(['message' => 'Successfully logged out']);
    }

    public function refresh()
    {
        $token = JWTAuth::refresh();

        return response()->json(['token' => $token]);
    }
}

7. Define API Routes

In routes/api.php:

use App\Http\Controllers\AuthController;

Route::post('login', [AuthController::class, 'login']);
Route::middleware('auth:api')->group(function () {
    Route::get('me', [AuthController::class, 'getAuthenticatedUser']);
    Route::post('logout', [AuthController::class, 'logout']);
    Route::post('refresh', [AuthController::class, 'refresh']);
});

Now, protected routes require a valid JWT in the Authorization header:

Authorization: Bearer <your-token-here>

8. Test the Flow

1. Login: POST /api/login with email and password → get token.
2. Access Profile: GET /api/me with Authorization: Bearer <token> → get user.
3. Refresh Token: POST /api/refresh → get new token.
4. Logout: POST /api/logout → invalidate current token.

Optional: Customize Token Expiry

Edit config/jwt.php:

'ttl' => 60, // Token valid for 60 minutes
'refresh_ttl' => 20160, // Refreshable within 14 days

Notes & Security Tips

• Always use HTTPS in production.
• Store tokens securely on the client (e.g., HttpOnly cookies or secure storage).
• Handle token expiration and refresh logic on the frontend.
• Consider rate-limiting login attempts.

Basically, that’s it. JWT auth in Laravel with tymon/jwt-auth is straightforward once the setup steps are followed. Just remember to keep your JWT_SECRET safe and validate input rigorously.

以上是如何在Laravel中實(shí)施JWT身份驗(yàn)證？的詳細(xì)內(nèi)容。更多信息請(qǐng)關(guān)注PHP中文網(wǎng)其他相關(guān)文章！