This plugin provides a JSON Web Tokens authentication mechanism for OctoberCMS integrated with RainLab.User. It's essential for your web application built with Angular, Vue.js, React or other modern JavaScript frameworks.
- RainLab.User plugin
- RLuders.CORS plugin (optional, but recommended)
Yes, you can install it from the repository (but I won't provide documentation for that - in this case I'll assume that you know what you are doing). I strongly recommend that you install it from the product page inside the OctoberCMS Marketplace.
You must set a secret token for your application. To do it, in October's backend go to: Settings > Users > JWTAuth
Here's the list of available endpoints for this plugin.
If you are using Postman, you can click here to import the collection with all the calls that you need to test it.
POST /api/auth/login
Route name
api.auth.login
Name | Type | Required | Description |
---|---|---|---|
login | string | Yes | Account login attribute |
password | string | Yes | Account password |
The field login value can be the account username. In the RainLab.User configuration you can select which field should be used for login.
SUCCESS
Code: 200
{
"token": string,
"user": object
}
ERROR
Code: 401
{
"error":
invalid_credentials |
could_not_create_token |
user_inactive |
user_is_banned
}
POST /api/auth/register
Route name
api.auth.register
Name | Type | Required | Description |
---|---|---|---|
username | string | No | Account username |
 | string | Yes | Account email |
password | string | Yes | Account password |
password_confirmation | string | No | Confirm the new password |
The field username can be required. It depends on your RainLab.User configuration.
SUCCESS
Code: 201
[]
ERROR
Code: 401
{
"error": object | registration_disabled
}
rainlab.user.beforeRegister
rainlab.user.register
POST /api/auth/account-activation
Route name
api.auth.account-activation
Name | Type | Required | Description |
---|---|---|---|
activation_code | string | Yes | Account activation code |
SUCCESS
Code: 200
[]
ERROR
Code: 422
{
"error": invalid_activation_code | invalid_user | user_not_found
}
POST /api/auth/forgot-password
Route name
api.auth.forgot-password
Name | Type | Required | Description |
---|---|---|---|
 | string | Yes | Account email |
SUCCESS
Code: 200
[]
ERROR
Code: 404
{
"error": user_not_found
}
POST /api/auth/reset-password
Route name
api.auth.reset-password
Name | Type | Required | Description |
---|---|---|---|
reset_password_code | string | Yes | Reset password code |
password | string | Yes | Account new password |
password_confirmation | string | No | Confirm the new password |
SUCCESS
Code: 200
[]
ERROR
Code: 422
{
"error":
invalid_reset_password_code | invalid_user | invalid_reset_password_code
}
POST /api/auth/refresh-token
Route name
auth.api.refresh-token
Name | Type | Required | Description |
---|---|---|---|
token | string | Yes | Valid user JWToken |
SUCCESS
Code: 200
{
"token": string
}
ERROR
Code: 403
{
"error": could_not_refresh_token | given_token_was_blacklisted
}
GET /api/auth/me
Middleware
jwt.auth
Route name
api.auth.me
Name | Type | Required | Description |
---|---|---|---|
token | string | Yes | Valid token |
SUCCESS
Code: 200
{
"user": object
}
ERROR
Code: 404
{
"error": user_not_found
}
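The login, me and refresh-token calls listed above, tied together in a small client. This is an added example, not the plugin's own code. It assumes the token is sent to /api/auth/me as an Authorization Bearer header and to /api/auth/refresh-token in the request body; `createAuthClient`, `transport` and `fakeServer` are hypothetical names, and the fake server and its token values are constructed so the example runs offline.

```javascript
// Added example, not the plugin's code. `transport(method, path, {headers, body})` is a
// hypothetical injected function resolving to {status, body}; in a browser it would wrap fetch().
function createAuthClient(transport) {
  let token = null; // held in memory only, never written to localStorage
  async function call(method, path, body, okStatus, withAuth) {
    const headers = { 'Content-Type': 'application/json' };
    if (withAuth) headers.Authorization = `Bearer ${token}`;
    const res = await transport(method, path, { headers, body });
    if (res.status === okStatus) return res.body;
    const info = { status: res.status, code: res.body && res.body.error };
    throw Object.assign(new Error(`${path} failed with HTTP ${res.status}`), info);
  }
  return {
    async login(login, password) {
      const data = await call('POST', '/api/auth/login', { login, password }, 200, false);
      token = data.token;
      return data.user;
    },
    async me() {
      return (await call('GET', '/api/auth/me', undefined, 200, true)).user;
    },
    async refresh() {
      const old = token;
      token = null; // if the refresh fails (403), the caller has to log in again
      token = (await call('POST', '/api/auth/refresh-token', { token: old }, 200, false)).token;
    },
    hasToken: () => token !== null,
  };
}
// Constructed in-memory stand-in for the API, returning the documented codes and errors.
function fakeServer() {
  const live = new Set();
  let n = 0;
  const issue = () => { const t = `constructed-token-${++n}`; live.add(t); return t; };
  const reply = (status, body) => ({ status, body });
  return async (method, path, { headers, body }) => {
    if (path === '/api/auth/login') {
      if (body.password !== 'constructed-password') return reply(401, { error: 'invalid_credentials' });
      return reply(200, { token: issue(), user: { username: body.login } });
    }
    if (path === '/api/auth/refresh-token') {
      if (!live.delete(body.token)) return reply(403, { error: 'given_token_was_blacklisted' });
      return reply(200, { token: issue() });
    }
    const bearer = (headers.Authorization || '').replace(/^Bearer /, '');
    if (!live.has(bearer)) return reply(404, { error: 'user_not_found' });
    return reply(200, { user: { username: 'alice' } });
  };
}
```

The thrown error carries the HTTP status and the `error` value from the response body, so the caller can branch on values such as `invalid_credentials` or `given_token_was_blacklisted`.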
Besides the fact that I'm always trying to solve the possible issues, bad things could happen. Here is a list of possible issues and how to fix them.
In order to use the authorization Bearer Token you must add the following code to your .htaccess:
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
GPLv3