using shield's tokens wrong usage of $user->tokenCan() ??

[skeutmeier]

Hi,
I try to protect my API with Shield's token mechanism.

Generating tokens is straightforward. I see them being created in the DB.

In the API controller however, I think I may be doing something wrong. Maybe someoane can help me.
This is my Code:

$user = auth()->user();  
$tokens = $user->accessTokens();  

foreach($tokens as $token) {  
	var_dump($token);
}
if ($user->tokenCan('my-permission')) {
	echo "yes";
	die();
}
echo "no";

I can see all the tokens through the var_dump. Also I see that "my-permission" is set correctly.
But $user->tokenCan() always return false.

Am I doing something wrong?

Thank you

[datamweb]

You can use filter tokens to protect the routes(api or any...):
https://github.com/codeigniter4/shield/blob/develop/docs/guides/api_tokens.md#protecting-routes

[skeutmeier]

yes, I skipped that part besause I didn't get that to work properly and thaought the same can be done in the controller itself.

if I add:

public $filters = [
   'auth' => ['before' => ['admin/*']],
   'token' => ['before' => ['api/*']],
]; 

I get an error because there should also a alias be set. But which cass should I use for that?
At the moment I use the same as for auth.

 public $aliases = [
        'csrf'          => CSRF::class,
        'toolbar'       => DebugToolbar::class,
        'honeypot'      => Honeypot::class,
        'invalidchars'  => InvalidChars::class,
        'secureheaders' => SecureHeaders::class,
        'auth'			=> \App\Filters\Auth::class,
        'token'			=> \App\Filters\Auth::class,
    ];

Is that correct? I always get redirected to homepage if trying to access /api/something

[datamweb]

can be done in the controller itself

Yes you can, but what is the need for a custom implementation when this is already considered. At least in my opinion, there is no need.

I get an error because there should also a alias

This is because you have set the filter names incorrectly(auth,token).

session and tokens are valid.

Have you created a custom filter(auth,token)? If not, you should use session and tokens.

[skeutmeier]

Oh, thank you.
The missing "s" was indeed the problem.
It is working now.

At least, in the sense that CI can differentiate between a valid token, and a not valid token.
But the $user->tokenCan() function still always returns false.

Not important in my use case, but I would like to know why.

If the token is created with:
$user->generateAccessToken('my-permission')->raw_token;

shouldn't $user->tokenCan('my-permission') return true?

thank you for your patience with me

[kenjis]

See https://codeigniter4.github.io/shield/guides/api_tokens/#token-permissions
The usage is:

$user->generateAccessToken('token-name', ['users-read'])->raw_token;

'my-permission' is a token name in your case.

[skeutmeier]

oh, thank you.

Stupid me.
sorry.

Thanks for the help