
Laravel API-Auth-Guard case-insensitive?

Stack Overflow user
Asked on 2017-06-09 04:19:10
Answers: 1  Views: 224  Followers: 0  Votes: 0

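I am prototyping an API with Laravel and noticed that, when using the standard Auth-Guard for the API, the API token is not case-sensitive. So api_tokens like "cvc" and "cvc" are treated as the same.

Is this expected behavior? Is it desirable from a security standpoint? Even with a 60-byte string, don't you think so, or what do you think? Is there a way to change this?

Thanks for your thoughts! Carsten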

1 Answer

Stack Overflow user

Posted on 2017-06-09 05:29:31

That should not be the case. Laravel first tries to resolve the token in several ways:

/**
 * Get the token for the current request.
 *
 * @return string
 */
public function getTokenForRequest()
{
    $token = $this->request->query($this->inputKey);
    if (empty($token)) {
        $token = $this->request->input($this->inputKey);
    }
    if (empty($token)) {
        $token = $this->request->bearerToken();
    }
    if (empty($token)) {
        $token = $this->request->getPassword();
    }
    return $token;
}

That method is called when attempting to resolve an instance of the user:

/**
 * Get the currently authenticated user.
 *
 * @return \Illuminate\Contracts\Auth\Authenticatable|null
 */
public function user()
{
    // If we've already retrieved the user for the current request we can just
    // return it back immediately. We do not want to fetch the user data on
    // every call to this method because that would be tremendously slow.
    if (! is_null($this->user)) {
        return $this->user;
    }
    $user = null;
    $token = $this->getTokenForRequest();
    if (! empty($token)) {
        $user = $this->provider->retrieveByCredentials(
            [$this->storageKey => $token]
        );
    }
    return $this->user = $user;
}

The provider in this case is DatabaseUserProvider, whose method retrieveByCredentials performs a strict case-sensitive check using the database factory ->where() method; no like is used, as you can see here:

public function retrieveByCredentials(array $credentials)
{
    // First we will add each credential element to the query as a where clause.
    // Then we can execute the query and, if we found a user, return it in a
    // generic "user" object that will be utilized by the Guard instances.
    $query = $this->conn->table($this->table);
    foreach ($credentials as $key => $value) {
        if (! Str::contains($key, 'password')) {
            $query->where($key, $value);
        }
    }
    // Now we are ready to execute the query to see if we have an user matching
    // the given credentials. If not, we will just return nulls and indicate
    // that there are no matching users for these given credential arrays.
    $user = $query->first();
    return $this->getGenericUser($user);
}

So your case is not typical; most likely there are other components at play that we don't know about.

Votes: 0
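
One cause the answer leaves open is a case-insensitive collation on the api_token column, in which case the where() equality is decided by the database and not by PHP. The added example below (not part of the original answer and not Laravel's code) simulates that with a constructed SQLite table and shows a lookup that re-checks the token byte-for-byte; the collation, table, function names and token value are assumptions.

```php
<?php
// Added example, not Laravel's code. Schema and token values are constructed.
// Assumption: the token column has a case-insensitive collation, simulated
// here with SQLite's NOCASE in an in-memory database (needs pdo_sqlite).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, api_token TEXT COLLATE NOCASE)');
$db->prepare('INSERT INTO users (api_token) VALUES (?)')->execute(['AbC123tokenXYZ']);

/** Equality decided by the database alone, like a plain where(key, value). */
function findByWhereOnly(PDO $db, string $token): ?array
{
    $stmt = $db->prepare('SELECT id, api_token FROM users WHERE api_token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Same query, then a byte-for-byte, constant-time re-check in PHP. */
function findByWhereAndRecheck(PDO $db, string $token): ?array
{
    if ($token === '') {
        return null;
    }
    $stmt = $db->prepare('SELECT id, api_token FROM users WHERE api_token = ?');
    $stmt->execute([$token]);
    // A case-insensitive collation can return several rows; accept only an exact one.
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (hash_equals($row['api_token'], $token)) {
            return $row;
        }
    }
    return null;
}

// Compare both lookups for the stored token and a lower-cased variant of it.
foreach (['AbC123tokenXYZ', 'abc123tokenxyz'] as $candidate) {
    printf(
        "%-15s where-only: %-8s recheck: %s\n",
        $candidate,
        findByWhereOnly($db, $candidate) ? 'match' : 'no match',
        findByWhereAndRecheck($db, $candidate) ? 'match' : 'no match'
    );
}
```

Giving the column a case-sensitive (binary) collation fixes the comparison in the database itself, which also covers code paths that skip the re-check.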
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/44444859
