Suddenly my application stopped working when trying to access endpoints protected by auth:api middleware in the Laravel 5.6.35 back-end using Passport 7.0.1.
The issue is that it is generating when I register and log-in.
return Response::json([
'token' => $user->createToken('foobar')->accessToken,
'user' => $user
], HTTPResponse::$HTTP_OK);
Insomnia rest will then show the following when accessing the routes belonging to the auth:api middleware.
"message": "Unauthenticated."
It was working until an hour ago, and it stopped after I refreshed the database. I dropped and created a new one, registered a test user and attempted to access and endpoint passing the token as Bearer token and Accept header to application/json. I've done it like this many times, always running php artisan passport:install --force after each refresh.
I don't know how to solve it. I saw where it was failing in TokenGuard.php file, but what to do? Why has it suddenly stopped?
The reason of the issue was because I was setting another field as the primary key of users table, and it was causing an error in the Passport's auto-generated tables.
you must reinstall the passport after refreshed the database.Then only Token will generate
php artisan passport:install
In case you are using Apache Server, Add this line to your httpd.conf file.
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
Related
I have tried so many options I could think of or find online, user details are still persisted even after successful deletion of all the tokens!
I am using Laravel sanctum with Vue. The logout function I created works as expected when I use postman to make the request, but this is not the case when I make the request via axios from the browser. The tokens gets deleted quite alright but I still can access protected routes.
I have also tried
Auth::logout()
I have continued to try this using sanctum and web as guard.
Any help will be appreciated.
I'm currently trying to test an SPA using Laravel 8.19.0 and Postman 7.36.1 but I keep getting an "Unauthenticated" response from a route that's guarded by "auth:sanctum", even though I have logged in correctly.
As far as I can understand, I've followed the documentation fully at https://laravel.com/docs/8.x/sanctum
in order to set Sanctum up to be used for SPA so I've done the following:
Installed Sanctum.
Published the Sanctum config.
Performed a migration.
Included the EnsureFrontendRequestsAreStateful middleware and 'EnsureFrontendRequestsAreStateful::class' to the Http Kernal.
Added my local domains (same top-level domain but 1 with the "test" sub domain and another with "api") to the "stateful domains" option in the Sanctum config file.
Set the "supports_credentials" option in the cors config to "true".
Set my top level domain, prefixed with a "." for the "domain" option in the session config.
Then, I've set Postman up using the guide at https://blog.codecourse.com/laravel-sanctum-airlock-with-postman/
so I've written a script to get the CSRF token from "/sanctum/csrf-cookie" then used said token as the value for the "X-XSRF-TOKEN" in the request header and I can succesfully log in. however, when I try to access a route afterwards that's guarded by the "auth:sanctum" guard, even with the referrer and 'X-XSRF-TOKEN' being set up in the request header I cannot access the route.
After debugging, I can see that $this->auth->guard($guard)->check() is returning false in the authenticate($request, array $guards) method where $guard = "sanctum" in \vendor\laravel\framework\src\Illuminate\Auth\Middleware\Authenticate.php on line 63 because $this->user() is null for the Illuminate\Auth\RequestGuard instance.
Any help or even ideas on things to check would be greatly appreciated as I'm unsure on what to do from here, short of spending a day digging deeper into the request guard object and its instantiation!
Thanks.
The issue a lot folk are seeing when using Postman with Sanctum SPA authentication is that you simply need to add an additional header to your requests, This can be "Referrer" or "Origin" and the value must match the domains set in the sanctum.php config file. e.g. localhost or mysite.test etc.
vendor/laravel/sanctum/src/Http/Middleware/EnsureFrontendRequestsAreStatefull.php in the fromFrontEnd() method is where you can see this requirement. Laravel V8.x and I believe also in Laravel V7.x
Issue has since been resolved and was caused by Postman only saving the "XSRF-TOKEN" and "laravel_session" cookies to the "test" subdomain after logging in (the login URL used this sub domain) and thus not passing them to the "api" subdomain when trying to access the route which was protected by "auth:sanctum". By adding the same cookies to the "api" subdomain via the "Manage Cookies" menu in Postman, the route can now be accessed as intended.
So I'm creating a laravel app where part of the front end lives on a cold fusion site and the people interacting with my API are not "users", just people signing up for seminars/consultations. My question is I've been able to grant tokens using the grant_type client credentials and in the web.php file with ->middleware('client') attached to the route (or a route group for multiple routes) it works just fine. However I've been told to move them into my api.php file and everything. I cannot seem to get it to work. In postman all I get for a response is to be brought back to the login page because I am not a logged in user. Any ideas?
in api file every middleware that wants to check credential use authorizing it means you should use laravel passport for
Hello To All I'm facing problem for using passport Oauth2 Authentication in laravel 5.4, I am working on project where I define two routes
1. For login through API http://localhost:8000/api/login from Which, I got a response as Access Token.
2. Another for get user details http://localhost/api/user and I am getting the user details.
But When I deploy my App to server and try to Hit the above two URL in Postman I am getting the access token but While tried to access the user with the generated access token. It send me error of Unauthenticated.
Do I need to generate passport key in server with php artisan passport:keys
Yes you'll need the encryption keys on the server as well:
php artisan passport:keys
// or with new installations
php artisan passport:install
Also ensure you're using the correct auth guard, auth:api, when accessing the user:
// middleware
Route::group(['middleware' => ['auth:api'])->(...)
// and with the user helper
auth('api')->user()
I have a react app that fetch datas from laravel api defined like so in routes/api.php:
// this is default route provided by laravel out of the box
Route::middleware('auth:api')->get('/user', function (Request $request) {
return $request->user();
});
// ItemController provides an index methods that list items with json
Route::resource('items', 'Api\ItemController', array('except' => array('create','edit')));
// this is to store new users
Route::resource('users', 'Api\UserController', array('only' => array('store')));
for example http://example.com/api/items returns the data as intended but it's really insecure since anyone could access it through postman.
How to make those routes only accessible inside the app?
As I'm new to it I don't understand if I need to set up api_token and how?
Do I need to setup Passport?
Is is related to auth:api middleware?
It may sounds really basic but any help or tutorial suggestions would be greatly appreciated
EDIT
End up with a classic session auth. Moved routes inside web.php. Pass csrf token in ajax request. Actually i didn't need a RESTful API. You only need token auth when your API is stateless.
As you are using Laravel 5.4 you can use Passport, but I haven't implemented yet, but i implemented lucadegasperi/oauth2-server-laravel for one of my laravel projects and it was developed in Laravel 5.1
Here is the link to github repository
lucadegasperi/oauth2-server-laravel
Here is the link to the documentation Exrensive Documentation
Just add the package to the composer json and run composer update,the package will get installed to your application , once installed add the providers array class and aliases array class as mentioned in the Laravel 5 installation part of the documentation,
you have to do a small tweak in order to work perfectly cut csrf from $middleware array and paste it into $routeMiddleware array and again run php artisan vendor:publish after publishing the migrations will be created and run the migration php artisan migrate
if you only want to secure api routes for each client like ios, android and web you can implement Client Credentials Grant, or if you need to every user with oauth the you can implement Authorization Server with the Password Grant or some other.,
Never use the client id or other credentials, generating access token in the form, but add it some where in helper and attach it in the request to the api,
Hope this answer helps you.
You could use JWT it's pretty easy to get it to work. You basically generate a token by requesting Username/Password and passing that token in every request that requires authentication, your URL would look like http://example.com/api/items?token=SOME-TOKEN. without a proper token, he doesn't have access do this endpoint.
As for
How to make those routes only accessible inside the app?
If you mean only your app can use these requests, you can't. Basically the API doesn't know who is sending these requests, he can only check if what you are giving is correct and proceed with it if everything is in order. I'd suggest you to have a look at this question