I have an Laravel-base API which handles both client and admin endpoints (there are two sites like domain.com and admin.domain.com).
My auth is based on cookie, which domain is <.domain.com>. As you can see, this cookie is acceptable for both domains.
I use Eloquent Api Resources for transformation data layer. Is my when() route check here safe and right?
public function toArray($request)
{
return [
'name' => $this->name,
'created_at' => (string)$this->created_at,
'status' => $this->when($request->route()->getName() === 'api.admin.users.index', $this->status)
];
}
Before I used $this->when(Auth::check(), ...), but because my auth cookie is acceptable for client site too, unneeded data might be fetched.
My route:
Route::group(['prefix' => 'admin', 'as' => 'api.admin.', 'middleware' => 'auth:api'], function () {
Route::resource('users', ...);
});
If user is not authorized, he wouldn't get data because of middleware. At the same time, authorized used (who has non-expired cookie) wouldn't get unneded data while being on client site.
Thank you!
I think your approach is fine. The route name is something internal and the user cannot tinker with it. You could improve it by using \Route::is('api.admin.*') though. It would then work for all of your admin API routes.
Related
I'm trying to create a login page with laravel web route. When user login, a session record will be saved to database. But in session table, user_id always get null value.
I've found that in Illuminate\Session\DatabaseSessionHandler, function userId() always return null. It's because I set default guard for api. This is my config/auth.php:
'defaults' => [
'guard' => 'api',
'passwords' => 'users',
],
When I change default guard to web, column user_id in database has value is authorized user id. I don't want to change my default guard to web.
How can I set guard driver for session? Is there something like Auth, we can use Auth::guard('web').
Thanks
Typically, API's are not associated with keeping session state between requests.
You can always add additional groups with seperate guards to the same routes and use them according to your needs. E.g.
Route::group(['middleware' => 'auth:api'], function () {
Route::post('/user', 'UserController#apiUser');
}
Route::group(['middleware' => 'auth'], function () {
Route::post('/user', 'UserController#index');
}
and then seperately reference
$user = auth('web')->user();
or
$user = auth('api')->user();
Read here for a Laravel API implementation using Passport. You may also want to consider Laravel Sanctum which offers support for API token generation for your users.
I am trying to code a login function for my api that takes a username and password then give you a password grant token to make api requests. The login route when called gives you
{
"message": "Unauthenticated."
}
I am using passport on laravel to do secure the api. Why am I getting a 401 when the route does not have the auth:api middleware? I tried using a clousure to see if I get could get a response and the closure did not give me an error.
Route::group(['prefix' => '/v1', 'middleware' => ['auth:api'], 'namespace' => 'Api\V1', 'as' => 'api.'], function () {
Route::post('/post/like','PostLikeController#store');
});
Route::group(['prefix' => '/v1', 'namespace' => 'Api\V1', 'as' => 'api.'], function () {
Route::post('login', 'Auth\LoginController#login');
});
Does your login controller have a constructor? sometimes middleware is set in there?
Otherwise I've also had issues with having the middleware routes above the public ones.
Try putting the public routes in the file first and also checking the LoginController.php for a constructor which might be setting a middleware
It possibly due to the same prefixes, as it does not overriding but instead stacking on top of each other.
I suggest for your login route, possibly, you can use this
Route::post('login', 'Auth\LoginController#login')->withoutMiddleware([FooMiddleware::class]);
If it's still does not help try putting your login route above the middlewared route.
I have created an extra middleware admin and I want to protect my routes. Adding one single middleware 'auth' or 'auth:admin' is working.
Route::get('/calendar', function () {
return view('app', ['data' => []);
})->middleware('auth');
But I want that as an admin you can also access the user routes but this is not working. If I try the following, and I log in as an admin I get redirected to the login page all the time.
Route::get('/information', ['middleware' => ['auth', 'auth:admin'], function () {
return view('app', ['data' => ['auth' => Auth::check()]]);
}]);
But if I change ['auth', 'auth:admin'] to ['auth:admin','auth'] it is working for admin but not for user. So it seems that only the first element of my middleware in array is being recognized. Does anybody have any idea why my multiple middlewares are working seperate but not together? Any help is appreciated
If you are trying to allow multiple 'guards' to be checked for a route you can pass multiple guards as parameters to the Authenticate middleware, auth.
auth:web,admin (assuming web is your default guard).
This will try to resolve a user (Authenticatable) from each guard passed in. If any guard returns a user (Authenticatable) you pass through authenticated. If not you are a guest.
If you set the middleware auth and auth:admin those are 2 separate 'middleware' in the stack that are unrelated.
Route::get('/information', ['middleware' => ['auth', 'auth:admin'],function () {
return view('app', ['data' => ['auth' => Auth::check()]]);
}]);
in this code. ['auth', 'auth:admin'] that's mean you need to login default guard and admin guard. if you need only login admin guard, ['auth:admin']
I am building a site which loads all pages and content via javascript while also manipulating the browser address bar (giving the illusion of a normal, navigable site with each page at its own URL). As a fallback, and for the benefit of search engines, the pages must also be able to be loaded normally at their respective URLs.
To do this, I need to let Laravel know if the page data is being requested via an ajax call or normal HTTP request. This- I presume- would be a situation where I would use Middleware. I want to be able to process the pages using two different controllers; one for ajax, one for HTTP.
ie:
if (Request::ajax()){
forward request to ajax page controller
}else {
forward request to standard page controller
}
Is this possible to handle with middleware? All examples I can find seem to assume that the controller is already a given.
I use the routes.php file instead of middleware. I believe middleware is after the route has been determined.
if(Request::ajax() || Request::json()){
Route::get('items', [
'as' => 'api.posts.index' ,
'uses' => 'Api\ItemsController#index'
]);
} else {
Route::get('items', [
'as' => 'posts.index' ,
'uses' => 'ItemsController#index'
]);
}
I do it this way because I like to separate out the urls for json versus web.
Route::get('items', [
'as' => 'posts.index' ,
'uses' => 'ItemsController#index'
]);
/**
* JSON API
*
*/
Route::group([
'prefix' => 'api/v1',
'as' => 'api.',
'namespace' => 'Api'
], function () {
Route::get('items', [
'as' => 'posts.index' ,
'uses' => 'ItemsController#index'
]);
}
Either way your controllers would live here.
App/Http/Controllers/Api/ItemsController.php
App/Http/Controllers/ItemsController.php
EDIT
I read the comment form GONG and the RouteServiceProvider would also work for this, but you would still have two distinct urls. You would have to manage another routes file, but whatever works for you.
I am trying to implement a JWT library for an API I am working on and I want to be able to wrap my entire API route group in token checks with a small number of exceptions. The problem I am having is not specific to JWT.
In a controller constructor, when I apply the middleware, I am able to use this syntax to apply jwt.auth to the entire controller and exclude the 'authenticate' endpoint.
public function __construct()
{
// Apply the jwt.auth middleware to all methods in this controller
// except for the authenticate method. We don't want to prevent
// the user from retrieving their token if they don't already have it
$this->middleware('jwt.auth', ['except' => ['authenticate']]);
}
When I attempt to do the same thing in my route group I cannot get the 'exception' array to pass correctly. This causes the authenticate method to require a token (which it can't require because it is the endpoint to RETRIEVE the token).
Route::group(['prefix' => 'api', 'middleware' => 'jwt.auth', 'except' => ['authenticate']], function()
{
Route::resource('authenticate', 'AuthenticateController', ['only' => ['index']]);
Route::post('authenticate', 'AuthenticateController#authenticate');
});
I have a feeling this is a syntax issue, but I cannot find anyone else asking this question and the parser doesn't choke on it, it just doesn't work. Any help would be much appreciated!
I took a brief look in laravel/framework and I didn't see support for this. I would suggest using nested Route::group's something like the following.
Route::group(['prefix' => 'api'], function() {
// Not explicitly behind a middleware
// However a controller could still have a middleware injected.
Route::controller('Auth/AuthController');
// Authenticated Routes
Route::group(['middleware' => 'auth'], function() {
Route::get('secret', 'SecretsController#index');
});
});