Laravel Passport Refresh Token Storage

I'm using Passport password grant tokens with a Svelte front end. I can create and access the tokens just fine, as well as use the refresh tokens. My issue is storing the refresh tokens safely. Ideally Laravel would just return the refresh token as a cookie, and then accept that cookie on the /oauth/token route.

I could even create the cookie client side, but would still have to figure out how to make Laravel parse it. I'm guessing there's no easy way to make Laravel send a cookie, or accept a cookie of the refresh token?

If not, how should I be storing the refresh token? Currently just storing it in a readable cookie, but that makes it bad for attacks. Would like something to persist refreshes, hence the cookie. Any advice would be great!

After much noodling, I found a solution. Using two middlewares I attach a cookie and read the cookie:

Attach Cookie Middleware:

public function handle($request, Closure $next)
{
    $response = $next($request);

    if ($request->is('oauth/token')) {
        // Error responses carry no refresh_token, so guard the lookup.
        $json = json_decode($response->getContent(), false);
        $token = $json->refresh_token ?? null;

        if ($token) {
            // Attach the refresh token as a cookie with a 15 minute lifetime.
            return $response->cookie('refresh_token', $token, 15);
        }
    }

    return $response;
}

Read Cookie Middleware:

public function handle($request, Closure $next)
{
    if ($request->is('oauth/token')) {
        if ($request->hasCookie('refresh_token')) {
            // Copy the cookie value into the request body so Passport sees it.
            $token = $request->cookie('refresh_token');
            $request->request->add(['refresh_token' => $token]);
        }
    }

    return $next($request);
}

If you have any ideas on optimizing, especially the decode json bit in the Attach Cookie middleware, that would be great!

It also took a while to find out how to just apply these middleware to Passport Routes (since they don't count in web). Turns out you can just make your own group, and pass it into the Passport routes in your AuthServiceProvider:

   Passport::routes(null, ['middleware' => 'passport']);
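
A hardened variant of the two middlewares above, as an added example that is not part of the original post: it merges them into one class, removes the refresh token from the JSON body so page scripts never see it, and scopes the cookie to the token route with the Secure, HttpOnly and SameSite flags. The class name `RefreshTokenCookie` is hypothetical, and the example assumes the site is served over HTTPS and that the class is registered in the post's `passport` middleware group.

```php
<?php

namespace App\Http\Middleware;

use Closure;

// Hypothetical class name; added example, not code from the original post.
class RefreshTokenCookie
{
    private const COOKIE = 'refresh_token';

    public function handle($request, Closure $next)
    {
        if (! $request->is('oauth/token')) {
            return $next($request);
        }

        // Inbound: same mechanism as the post's Read Cookie middleware,
        // limited to refresh requests so other grants are left untouched.
        if ($request->input('grant_type') === 'refresh_token'
            && $request->hasCookie(self::COOKIE)) {
            $request->request->add([self::COOKIE => $request->cookie(self::COOKIE)]);
        }

        $response = $next($request);

        // Outbound: only rewrite successful JSON responses that carry a token.
        $data = json_decode($response->getContent(), true);
        if ($response->getStatusCode() !== 200
            || ! is_array($data)
            || empty($data['refresh_token'])) {
            return $response;
        }

        $token = $data['refresh_token'];
        unset($data['refresh_token']); // keep the token out of script-readable JSON
        $response->setContent(json_encode($data));

        // Arguments: name, value, minutes, path, domain, secure, httpOnly, raw, sameSite.
        // Path scoping means the browser sends the cookie only to the token route.
        return $response->cookie(
            self::COOKIE, $token, 15, '/oauth/token', null, true, true, false, 'strict'
        );
    }
}
```

With `secure` set to true the browser will not store the cookie over plain HTTP, so a local development setup without TLS needs that flag driven from configuration.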
