Laravel route in multiple middlewares - laravel

I want to have the same route within the auth:api middleware, and also out of it.
Right now, if I include it in both, only the one out of the auth:api is taken into consideration, even if the user is logged in.
Is there a way that if the user is logged in it goes to auth:api and if not it goes out of any middleware?
The reason to do this is that if the user is logged in, I want to access user information, and for that it needs to go through the auth:api.

As long as you're including the token in the request, you will be able to get access to the current User.
Out-of-the-box, Laravel will set the default guard to be web. When you place routes under the auth middleware it will set the default guard to be whatever is passed to the middleware i.e. when you have auth:api it will set the default guard to be api for that request.
If you want to be able to access the User without it being under the auth:api middleware, you will simply need to be explicit with what guard should be used e.g.
auth('api')->user(); // or Auth::guard('api')->user();
The same applies for check():
auth('api')->check(); // or Auth::guard('api')->check();
or if you're using the Request object:
$request->user('api'); // or request()->user('api');
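
An optional-auth route built on the explicit guard call above, as an added example that is not part of the original answer. The /articles/{id} path, the response fields and a token-based driver behind the api guard are assumptions. It also answers 401 when a bearer token was sent but did not resolve to a user, instead of silently treating that caller as a guest.

```php
<?php
// routes/api.php (added example; route path and response fields are hypothetical)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Deliberately NOT inside the auth:api middleware group, so guests can reach it.
Route::get('/articles/{id}', function (Request $request, string $id) {
    // Resolve the user against the api guard explicitly; without the
    // auth:api middleware the default guard for this request is still "web".
    $user = $request->user('api');

    // A token was sent but did not resolve to a user (expired, revoked,
    // malformed): reject it rather than downgrading the caller to a guest.
    if ($user === null && $request->bearerToken() !== null) {
        return response()->json(['message' => 'Unauthenticated.'], 401);
    }

    // Constructed sample payload that every caller may see.
    $payload = ['id' => $id, 'title' => 'Constructed sample title'];

    // Only authenticated callers get the user-specific part.
    if ($user !== null) {
        $payload['viewer_id'] = $user->getAuthIdentifier();
    }

    return response()->json($payload);
});
```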

It's not possible to have multiple same routes in your application and work independently. Laravel will match the first one that it finds in your routes map.
Create one route and check for authentication in your controller.
if (Auth::check()) {
    // The user is logged in...
}

Related

Is it safe to delete the default route in api.php in Laravel 8?

I installed Laravel 8 and found the following route in routes/api.php.
Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});
I will create my own APIs which accept post and return json.
Should I remove the default sanctum route?
Is it safe to delete it? Or is it dangerous if I don't delete it?
I think it is dangerous if someone accesses /api/user. I don't know what it is.
I think it is dangerous if someone accesses /api/user. I don't know
what it is.
Yes, it is good to remove this example route. On the other hand, only an authenticated user can see the userlist. If you are the only auth user in your application, it is not so important if you forget to remove this route.
You can safely delete it. They just included it as an example or not to present you with an empty routes/api.php (not sure which).
Edit: Accessing /user will show the user associated with the bearer token. Sanctum's tokens aren't dependent on the /user route however.
Sanctum is a cookie-based session authentication service. This is just an example route that will return the user data if he is logged in. You can remove it safely without any issues.
It is completely safe to use as well, as the user will only be able to access this route if he is already logged in and will only get his user information back, not of all the users.

Laravel - Auth optional?

I have some endpoints in REST API that use Auth::id() as optional field. I mean action may be called both by guest and logged in user. Now, if I put route outside auth:api middleware it works but Auth::id() is returning null even if bearer header was sent. When I move routing to auth:api it works as intended for logged in user but obviously is not accessible for guests.
As a workaround I can create 2 similar endpoints (one for guests, one for logged users) but duplicating endpoints looks wrong :/

How to change redirect route for unverified user in laravel?

I have multiple logins: user, admin, and client. Authentication is working fine for all users. But I have a problem redirecting them to different routes when their login session ends, or if they try to access pages without logging in. All of them are redirected to the login route.
I know that redirect route is configured in Middleware/Authenticate.php. But I don't know how to modify it to work as I wanted.
<?php

namespace App\Http\Middleware;

use Illuminate\Auth\Middleware\Authenticate as Middleware;

class Authenticate extends Middleware
{
    protected function redirectTo($request)
    {
        if ($this_is_an_admin) { // How to manage this?
            return route('admin/login');
        } elseif ($this_is_a_client) { // How to manage this?
            return route('client/login');
        } else {
            return route('login');
        }
    }
}
So how can I assign different route for each user, for example user goes to user/login, admin goes to admin/login and client goes to client/login.
When a user is signed out, you don't know who is the current user in the session. Therefore, you cannot switch to different routes based on the current user.
One possible solution is storing the last user role (admins, client or user) in the cookie and using that value in your middleware. Of course, you have to set the cookie every time users sign in successfully or via another middleware that adds the cookie after every authenticated response.
You also should have links to allow users to switch between different sign-in forms for different roles in your UI.
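
The cookie approach from this answer, sketched as an added example that is not code from the original post. The cookie name last_role and the route names admin.login and client.login are hypothetical. The cookie value comes from the client, so it is checked against an allow-list and used only to choose which login form to show.

```php
<?php
// app/Http/Middleware/Authenticate.php (added example)
// The cookie name "last_role" and the route names are hypothetical.

namespace App\Http\Middleware;

use Illuminate\Auth\Middleware\Authenticate as Middleware;

class Authenticate extends Middleware
{
    // Allow-list: cookie value => named login route. Any other value falls
    // back to the default form, so a tampered cookie cannot steer the
    // redirect anywhere outside these three routes.
    private const LOGIN_ROUTES = [
        'admin'  => 'admin.login',
        'client' => 'client.login',
        'user'   => 'login',
    ];

    protected function redirectTo($request)
    {
        // API clients expect a 401 JSON response, not a redirect.
        if ($request->expectsJson()) {
            return null;
        }

        // The cookie is a hint about the last role only; it grants nothing.
        $role = $request->cookie('last_role');
        $name = is_string($role) ? (self::LOGIN_ROUTES[$role] ?? 'login') : 'login';

        return route($name);
    }
}
```

After a successful login the cookie can be set with Cookie::queue('last_role', 'admin', $minutes), using the role of the guard that just authenticated.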

Check if user is authenticated in laravel API route

So I know API routes are not supposed to rely on sessions authentication, but my idea was to create some API routes, that could be used if needs be by third-party with proper authentication, but that could also be used internally, ie called to get the data I need for my web pages.
I changed the LoginController so that every time a user logs in, a Personal Access token is generated and stored in the database. When logging out, this token is deleted.
So as not to expose the token to the client side, I would like to use a middleware, that would detect, on an API call, if the request comes from a user who is already authenticated. If that's the case, I would retrieve the Personal Access token that belongs to the user, attach it to the request, and pass it onto the API.
Browser -- Query site.com/api/myRoute --> Middleware adds user's token to request if Auth::check() -- Pass-on request --> Controller
I've created a dummy API route to see if I can detect whether a user is authenticated, but that doesn't seem to work... I guess because the 'auth' middleware is not included.. however, if I do include it, I get redirected to home on every request...
Route::get('/test', function () {
    if (Auth::check()) {
        dd('Hello logged-in');
    } else {
        dd('Hello not logged-in');
    }
});
Any lead on how to achieve that much appreciated!

Laravel two different middleware authentication from auth middleware only

I have two separate tables for authentication. The following middleware point to different tables:
$this->middleware('auth:admin'); // - admins
$this->middleware('auth'); // - user
The solution I need:
I want authentication to be done with two different tables through only
the "$this->middleware('auth')" middleware.
Through the middleware "$this->middleware('auth')" I want to log in both
admin and user. Currently admin and user log in from the different
middleware I have shown above.
For this, in which file and where I need to change in my project folder?
If you want to have both "guards" be checked you can just pass multiple guards to the auth middleware.
$this->middleware('auth:web,admin');
This will spin through the guards passed and if any of them produce a user it will set that guard as the default moving forward.
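
What that means for authorization, as an added example that is not part of the original answer; the controller and its two actions are hypothetical. Because auth:web,admin lets a request through when either guard has a user, an admin-only action still has to check the admin guard itself.

```php
<?php
// Added example; DashboardController and its actions are hypothetical.

namespace App\Http\Controllers;

use Illuminate\Support\Facades\Auth;

class DashboardController extends Controller
{
    public function __construct()
    {
        // Passes if EITHER the web guard or the admin guard has a user.
        $this->middleware('auth:web,admin');
    }

    public function index()
    {
        // The first guard that produced a user is now the default guard,
        // so Auth::user() and Auth::id() read from that guard.
        return response()->json([
            'guard'   => Auth::getDefaultDriver(),
            'user_id' => Auth::id(),
        ]);
    }

    public function adminOnly()
    {
        // The shared middleware admits ordinary users too; gate
        // admin-only actions on the admin guard explicitly.
        abort_unless(Auth::guard('admin')->check(), 403);

        return response()->json(['status' => 'admin action allowed']);
    }
}
```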
