Use our own token instead of Laravel's

Laravel’s remember_token is tied to the session/cookies, which we don’t
need as the API is stateless. It makes much more sense to use our own
token mechanism.

framework/core/src/Flarum/Api/Actions/Auth/Login.php

@@ -21,14 +21,16 @@ class Login extends Base
         $field = filter_var($identification, FILTER_VALIDATE_EMAIL) ? 'email' : 'username';
         $credentials = [$field => $identification, 'password' => $password];
 
-        if (! Auth::attempt($credentials, true)) {
+        if (! Auth::validate($credentials)) {
             return $this->respondWithError('invalidLogin', 401);
         }
 
-        $user = Auth::user();
+        $user = Auth::getLastAttempted();
+        $user->token = str_random(60);
+        $user->save();
 
         return Response::json([
-            'token' => $user->getRememberToken(),
+            'token' => $user->token,
             'userId' => $user->id
         ]);
     }

framework/core/src/Flarum/Api/Serializers/UserSerializer.php

@@ -27,8 +27,8 @@ class UserSerializer extends UserBasicSerializer
         $attributes = parent::attributes($user);
 
         $attributes += [
-            'joinTime'         => $user->join_time ? $user->join_time->toRFC3339String() : '',
+            'joinTime'         => $user->join_time ? $user->join_time->toRFC3339String() : null,
-            'lastSeenTime'     => $user->last_seen_time ? $user->last_seen_time->toRFC3339String() : '',
+            'lastSeenTime'     => $user->last_seen_time ? $user->last_seen_time->toRFC3339String() : null,
             'discussionsCount' => (int) $user->discussions_count,
             'postsCount'       => (int) $user->posts_count,
             'canEdit'          => $user->permission('edit'),

framework/core/src/Flarum/Core/Users/User.php

@@ -210,4 +210,9 @@ class User extends Entity implements UserInterface, RemindableInterface
     {
         return $this->hasMany('Flarum\Core\Activity\Activity');
     }
+
+    public function setRememberToken($value)
+    {
+        return;
+    }
 }

framework/core/src/migrations/2014_01_14_231404_create_users_table.php

@@ -18,7 +18,7 @@ class CreateUsersTable extends Migration {
 			$table->string('username');
 			$table->string('email');
 			$table->string('password');
-			$table->rememberToken();
+			$table->string('token');
 			$table->dateTime('join_time');
 			$table->string('time_zone');
 			$table->dateTime('last_seen_time')->nullable();

framework/core/src/routes.api.php

@@ -15,7 +15,9 @@ Route::filter('attemptLogin', function($route, $request) {
     $prefix = 'Token ';
     if (starts_with($request->headers->get('authorization'), $prefix)) {
         $token = substr($request->headers->get('authorization'), strlen($prefix));
-        Auth::once(['remember_token' => $token]);
+        if ($user = Flarum\Core\Users\User::where('token', $token)->first()) {
+            Auth::setUser($user);
+        }
     }
 });
 

framework/core/tests/api/AuthCest.php

@@ -24,7 +24,7 @@ class AuthCest
         $userId = $I->grabDataFromJsonResponse('userId');
         $I->assertNotEmpty($token);
         
-        $loggedIn = User::where('remember_token', $token)->where('id', $userId)->first();
+        $loggedIn = User::where('token', $token)->where('id', $userId)->first();
         $I->assertEquals($user->id, $loggedIn->id);
     }
 
@@ -45,7 +45,7 @@ class AuthCest
         $userId = $I->grabDataFromJsonResponse('userId');
         $I->assertNotEmpty($token);
 
-        $loggedIn = User::where('remember_token', $token)->where('id', $userId)->first();
+        $loggedIn = User::where('token', $token)->where('id', $userId)->first();
         $I->assertEquals($user->id, $loggedIn->id);
     }