I have a problem with authentication in laravel.
I added jwt auth in my project, because i need an authentication with token, but to use it I have to change default's guard in file "auth.php"
'defaults' => [
'guard' => 'web',
'passwords' => 'users',
],
And here there is a problem, because if I change default's guard from 'web' to 'api' login route doesn't work anymore.
How can I solve this problem?
Thank you all.
To use both, change the api driver from 'token' to 'jwt' in auth guards. Leave defaults to as it is.
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'api' => [
'driver' => 'jwt',
'provider' => 'users',
],
],
Related
Laravel by default creates the model and the User table. The problem is that I create and use the table in the database, a model and a controller called Citizen.
And here comes my doubt, when we configure laravel-passport we must specify the guard, this is the Laravel example:
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'api' => [
'driver' => 'passport',
'provider' => 'users',
],
],
What is the provider? Taking into account this line:
'provider' => 'users',
Should I use 'provider' => 'citizen', instead of 'provider' => 'users'?
You can create custom provider. This has to be done in config/auth.php
There is one provider named users by default. You can create your own guard and providers as follows:
guards:
'guards' => [
'api' => [
'driver' => 'passport',
'provider' => 'users',
],
'citizens' => [
'driver' => 'passport',
'provider' => 'citizens',
],
],
In the providers section:
'providers' => [
'users' => [
'driver' => 'eloquent',
'model' => App\Models\User::class,
],
'citizens' => [
'driver' => 'eloquent',
'model' => App\Models\Citizen::class, //path to your model
],
],
Now you can use the middleware with custom guard by using auth:citizens as middleware.
For example, in route file,
Route::middleware('auth:citizens')->group(function(){
});
When I'm creating new users and assign them roles and permissions it works fine,
but when I assign role using protected route
Route::post('/excel/upload', [ExcelController::class,'upload'])->name('uploadExcel')->middleware('auth:sanctum');
i get and error:
Spatie\Permission\Exceptions\GuardDoesNotMatch
The given role or permission should use guard web instead of sanctum.
auth.php
'defaults' => [
'guard' => 'web',
'passwords' => 'users',
],
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
],
the guard_name in the Spatie role and permissions tables set to web.
I understand that there's a problem with the guard_name configuration, I just can't
figure out how to solve it.
Any help would be appreciated
Insert the below code to auth/config.php file
'guards' => [
...
'sanctum' => [
'driver' => 'sanctum',
'provider' => 'users'
]
],
I've been browsing many questions related to using multi-auth, sanctum and SPA. I've also read the documentation multiple times. I'm confused about how this works.
Currently I have 2 route groups: web and api. Web group outputs different HTML templates and front-end content and so, and the API route generates content that is used to fill those templates.
I also have 2 different types of users, admins and clients. Each have access to certain routes of web and api.
I'm using 2 guards to protect the web routes, which works just fine:
'guards' => [
'admin' => [
'driver' => 'session',
'provider' => 'admins',
],
'client' => [
'driver' => 'session',
'provider' => 'clients',
],
],
And the providers:
'providers' => [
'admins' => [
'driver' => 'eloquent',
'model' => App\Models\Admin::class,
],
'clients' => [
'driver' => 'eloquent',
'model' => App\Models\Client::class,
],
],
Now I have trouble protecting the API routes. I've followed the instructions, set X-XSRF-TOKEN header, added sanctum to middlewares but I always get a 401 response. I'm not sure how to setup my guards. Should I add 2 more guards to the array? Such as:
'guards' => [
// Web
'admin' => [
'driver' => 'session',
'provider' => 'admins',
],
'client' => [
'driver' => 'session',
'provider' => 'clients',
],
// API
'sanctum_admin' => [
'driver' => 'sanctum',
'provider' => 'admins',
],
'sanctum_client' => [
'driver' => 'sanctum',
'provider' => 'clients',
],
],
And then use add the auth:sanctum_admin middleware to my API routes? Because this doesn't work either. Should I remove the original guards and only use sanctum? Is this even possible to have multiple guards for both web and API? Really confused about how this works. Any help is appreciated.
Configure the auth.php config file as below:
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'admin' => [
'driver' => 'session',
'provider' => 'admins',
],
'api' => [
'driver' => 'passport',
'provider' => 'users',
],
'admin-api' => [
'driver' => 'passport',
'provider' => 'admins',
],
],
'providers' => [
'users' => [
'driver' => 'eloquent',
'model' => App\Models\User::class,
],
'admins' => [
'driver' => 'eloquent',
'model' => App\Models\Admin::class,
],
],
I successfully generate access_token for both user and admin.
However, if I get the user's access_token to access the api admin route ('middleware' => 'auth:admin-api'), it succeeds.
The information received by request()->user() is the admin account with the same id as the user.
Same thing happens when I use admin token for user access and api.
Note:
This scenario only happens when admin and user have the same ID value.
What is going on, or did I do something wrong?
I guess the scenario that happened was as follows:
Step 1: user's access_token passes 'middleware' => 'auth:admin-api'.
Step 2: The oauth_access_tokens.user_id value is returned
Step 3: From user_id will return the corresponding admin.
So it happens only when user.id and admin.id are same.
Help me clarify this issue. Thanks
If i want to prevent this, what should I do?
Obviously users shouldn't access the admin account-only api
I am working for a project, that I need two auth ways.
I have users that will login with username and password, and users with TOKEN.
For now, I am using jwt-auth for users with login / pass
But I can't understand how can I seperate users with TOKEN login.
I have this code at config/auth.php
return [
'defaults' => [
'guard' => 'api',
'passwords' => 'users',
],
'guards' => [
'api' => [
'driver' => 'jwt',
'provider' => 'users',
],
],
'providers' => [
'users' => [
'driver' => 'eloquent',
'model' => App\Models\User::class
]
]
];
I am trying to use both authentications.
For example, with JWT I login as admin with username/password, get a TOKEN from JWT that expires on 1 hour, and I make requests with that token.
But I have customers running an API that having an standard 64 characters length token, without username/passord
You must create another auth guard for token auth:
'guards' => [
'api' => [
'driver' => 'jwt',
'provider' => 'users',
],
'api_token' => [
'driver' => 'XXX',
'provider' => 'users',
]
XXX - a driver for your token authorisation - maybe 'sanctum', maybe standard 'token' - what you use for "standard 64 characters length token"
Than, use middleware with multiple guards (or with one):
Route::get(...)->middleware('auth:api,api_token');