
Alternate to Session Storage in Laravel Token Based API

I'm building an Electron app that connects to a Laravel 8 App (with Jetstream using Inertia) and the API.

I'm porting over the existing Inertia Jetstream Vue components to replicate the same functionality that appears in the actual web app.

When using the password confirm functionality Laravel uses session storage to store the time the password was confirmed, and then later again to check the status of the confirmed password.

When using token authentication, there is no session.

I can create new controllers to handle this, no problem, but how can I substitute the calls to $request->session()?

The code to store the password confirmation looks like this:

use Illuminate\Http\Request;
use Laravel\Fortify\Actions\ConfirmPassword;
use Laravel\Fortify\Contracts\FailedPasswordConfirmationResponse;
use Laravel\Fortify\Contracts\PasswordConfirmedResponse;

public function store(Request $request)
{
    // Fortify's action checks the submitted password against the user's current one
    $confirmed = app(ConfirmPassword::class)(
        $this->guard, $request->user(), $request->input('password')
    );

    if ($confirmed) {
        // here is the problem ... no session with tokens
        $request->session()->put('auth.password_confirmed_at', time());
    }

    return $confirmed
                ? app(PasswordConfirmedResponse::class)
                : app(FailedPasswordConfirmationResponse::class);
}

What's the best way to store this so it can be retrieved on subsequent calls?
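One way to replace the session call in the question, as an added example that is not from the question's author and not Laravel's, Fortify's or Jetstream's own code: keep the confirmation timestamp in the cache, keyed by the Sanctum token that made the request, and check it from a middleware that mirrors the session-based password.confirm middleware. The namespace and class names are hypothetical, and checking the password with Hash::check instead of Fortify's ConfirmPassword action is an assumption made here (that action expects a StatefulGuard, which the token guard is not).

```php
<?php
// Added example, not code from the question or from Laravel/Fortify/Jetstream.
// Assumes Laravel Sanctum (Jetstream's API layer), so $request->user()->currentAccessToken()
// returns a PersonalAccessToken model with an id on token-authenticated requests.

namespace App\Http\Controllers\Api; // hypothetical namespace

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Hash;

final class PasswordConfirmation
{
    // One cache entry per token: confirming on one device must not unlock
    // another device that authenticates with a different token.
    public static function cacheKey(Request $request): string
    {
        $tokenId = $request->user()->currentAccessToken()->id;

        return "auth.password_confirmed_at:{$tokenId}";
    }

    // Same window the session-based RequirePassword middleware uses
    // (config/auth.php 'password_timeout', 10800 seconds by default).
    public static function timeout(): int
    {
        return (int) config('auth.password_timeout', 10800);
    }
}

class ConfirmablePasswordController
{
    public function store(Request $request)
    {
        $user = $request->user();

        // Verify the password directly against the stored hash.
        $confirmed = Hash::check((string) $request->input('password'), $user->password);

        if ($confirmed) {
            // The TTL makes the entry expire on its own, so a stale confirmation
            // cannot outlive the timeout even if a caller forgets to check the age.
            Cache::put(
                PasswordConfirmation::cacheKey($request),
                time(),
                PasswordConfirmation::timeout()
            );

            return response()->json(['message' => 'Password confirmed.']);
        }

        return response()->json(['message' => 'The provided password was incorrect.'], 422);
    }
}

// Replacement for the 'password.confirm' middleware on token-authenticated routes.
class RequirePasswordViaToken
{
    public function handle(Request $request, Closure $next)
    {
        $confirmedAt = Cache::get(PasswordConfirmation::cacheKey($request));

        if ($confirmedAt === null
            || (time() - (int) $confirmedAt) > PasswordConfirmation::timeout()) {
            // 423 Locked is what Laravel's session-based middleware returns to JSON clients.
            return response()->json(['message' => 'Password confirmation required.'], 423);
        }

        return $next($request);
    }
}
```

Two points worth keeping in mind with this layout: the cache entry should also be forgotten (Cache::forget on the same key) when the token is revoked, so a deleted token cannot leave a confirmation behind for a reused id; and it only applies to requests authenticated with a personal access token, since Sanctum's cookie-based SPA authentication has a session and the original $request->session() code works there unchanged.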

I am not totally certain because it is used on mobile, which I have no experience with. However, in browser land what you could do is to use cookies and set the token to httpOnly. I have a small example in Node.js from one of my hobby projects:

const jwt = require('jsonwebtoken');

// Sign a token carrying only the user id; the secret comes from the environment
const token = jwt.sign({ _id: currentUser._id }, process.env.JWT_SECRET, { expiresIn: '7d' });
// Never send the password hash back to the client
currentUser.password = undefined;

// httpOnly keeps the cookie out of reach of client-side JavaScript
res.cookie('token', token, {
    httpOnly: true,
});

By setting the cookie to HttpOnly a user cannot fiddle with it. Since it's mobile, if it supports cookies this is even less of a vulnerability issue.

Rodney

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM