What is the difference from the auth, web and guard middleware in Laravel 5.8 - laravel

I'm a newbie in Laravel. Can someone explain the difference between the web, auth, and guest middleware in Laravel 5.8?

auth middleware allows only authenticated users to access the routes and your logic behind them. For example, only auth users can create questions and give answers.
guest middleware can only be accessed by unauthenticated users. For example, the login and register pages.
And web middleware is a group of middleware that you commonly use in your application, such as cookie encryption, CSRF token verification, etc.

Related

Laravel Passport Get Auth user if logged in on public routes

I am developing a store.
For some routes that are public, I need to get the user's information if the user has entered the site. I use Laravel Passport. I use Middleware for private routes, but for this route, I need people to access it without entering the site.

Sanctum SPA Authentication - web.php vs api.php

I am using Sanctum for SPA authentication. In several examples I have seen, people are creating auth routes (login, logout, register) in their web.php routes file as opposed to the api.php routes file. Is there a reason for this? In the documentation I do see a mention here...
You may be wondering why we suggest that you authenticate the routes
within your application's routes/web.php file using the sanctum guard.
Remember, Sanctum will first attempt to authenticate incoming requests
using Laravel's typical session authentication cookie. If that cookie
is not present then Sanctum will attempt to authenticate the request
using a token in the request's Authorization header. In addition,
authenticating all requests using Sanctum ensures that we may always
call the tokenCan method on the currently authenticated user instance
...but that is for API Token Authentication and not directly under SPA Authentication.
Is there any reason my auth routes would be better handled in web.php?
Well, in a typical Laravel application, your API routes are stateless and do not persist a session; specifically they do not have the start session middleware.
As such, cookie based authentication will not work if you put these routes in your API file.
Having these routes in your web file allows these specific routes to be wrapped in a session, allowing cookie based authentication and then falling back to the stateless Authorization header if required.
I forget the exact words, but Taylor is quite a fan of SPAs using cookie based authentication when they're the same domain over API tokens.
But this should explain the reasoning. You are, of course, welcome to change this if you like.

Secure web routes with laravel passport token

I am a newbie with Laravel.
I understand that in order to protect routes, you have to first check if a user is authenticated and a session is made. Thus, we apply auth middleware in the web routes.
However, I am trying to implement Laravel Passport and now I am not able to proceed to my routes anymore since I have been authenticated using Passport.
My question is: is it possible to secure the web routes with a Passport token instead of a Laravel session? And if so, how should one do it?
Thanks, and sorry for my English, I am not a native speaker.
Laravel Passport is for API routes, not for web routes; you can use the Laravel session for web.
For more details, read its documentation:
https://laravel.com/docs/8.x/passport

How can I give api authentication from existing web middleware login in laravel

I have an existing admin panel in a Laravel based web application. I made a few parts of this admin panel as a vue.js single page application. I don't want to use token based authentication for the SPA part of this application. How can I give API authentication from my existing session login system?
Change the auth:api middleware to just auth in ./routes/api.php
And in ./app/Http/Kernel.php, add \Illuminate\Session\Middleware\StartSession::class to the middlewareGroups array under api

Getting user in API routes?

Inside my API routes, Auth::user() does not return anything.
I've read that this is because APIs are stateless, and that I should use Passport.
Could anyone explain why this is and if there is any way to get the Auth user in the API without using Passport (or similar)?
The API routes use the auth:api guard, and do not use web middleware, which means there are no sessions attached to it. Passport is there to bridge the gap between a user and the API by using token based authentication. If you want your API to use sessions, simply give it auth instead of auth:api middleware.
You can use jwt-auth, which uses token based authentication. It provides a 'jwt.auth' middleware through which you can access Auth::user() without a session over an API.
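
The answers above turn on API routes having no session unless session middleware is added. As an added example (not code from any of the posts), this routes/api.php for a default Laravel 5.8 app keeps cookie-authenticated SPA endpoints apart from token endpoints; the /me, /questions and /user paths and the $sessionStack variable are assumptions, and the cookie and CSRF middleware are copied from the default web group so the session cookie is decrypted and state-changing requests are CSRF-checked.

```php
<?php
// routes/api.php (added example; the default RouteServiceProvider applies
// the `api` middleware group and the /api prefix to everything in this file)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Session-related middleware taken from the default `web` group.
// StartSession alone is not enough: the session cookie is encrypted,
// and without VerifyCsrfToken cookie-authenticated writes have no CSRF check.
$sessionStack = [
    \App\Http\Middleware\EncryptCookies::class,
    \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
    \Illuminate\Session\Middleware\StartSession::class,
    \App\Http\Middleware\VerifyCsrfToken::class,
];

// Stateful endpoints for the same-domain SPA: plain `auth` uses the
// default (session) guard, so the existing web login is reused.
Route::middleware(array_merge($sessionStack, ['auth']))->group(function () {
    // Hypothetical read endpoint: returns the session-authenticated user.
    Route::get('/me', function (Request $request) {
        return $request->user();
    });

    // Hypothetical write endpoint: rejected unless a valid CSRF token is sent.
    Route::post('/questions', function (Request $request) {
        return response()->json(['created_by' => $request->user()->id], 201);
    });
});

// Stateless endpoints for token clients: no cookies, no session, no CSRF.
Route::middleware('auth:api')->group(function () {
    Route::get('/user', function (Request $request) {
        return $request->user();
    });
});
```

Requests from the SPA to /api/questions must carry the CSRF token (for example in the X-CSRF-TOKEN header), otherwise VerifyCsrfToken answers with HTTP 419.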
