Laravel cannot protect API routes - laravel

I have the following route in my routes/api.php:
Route::group(['middleware' => ['auth']], function () {
    Route::get('users/', 'Api\UserController@index');
});
This constantly redirects me to my dashboard.
Then I try this:
Route::get('users/', 'Api\UserController@index')->middleware('auth');
This works, but it doesn't protect the route, so I can still access it if I am logged out.
Any ideas why this is? I'm not sure what the best way is to authenticate API routes; what is the usual convention?
I am using Laravel 5.5.

You can't use auth middleware in api.php routes, only in web.php. But you may use the auth:api middleware.
https://laravel.com/docs/5.5/passport#protecting-routes

Related

How to access Sanctum package in custom laravel package

I want to access Laravel Sanctum auth, which is working fine in the project routes.
I'm making a custom package of APIs which needs to use the same Sanctum authentication within the custom package routes.
Use the auth:sanctum middleware for your routes; see the example below.
https://laravel.com/docs/9.x/sanctum#protecting-routes
I was having the same problem, but I found that the package routes did not have a default guard and the session was not accessible through the package.
The solution was to add the 'web' middleware to the routes.
Before:
Route::get('/dashboard', [HomeController::class, 'index'])->middleware(['auth:sanctum'])->name('dashboard');
After:
Route::get('/dashboard', [HomeController::class, 'index'])->middleware(['web', 'auth:sanctum'])->name('dashboard');
For those who don't understand why this happens, the answer is simple: the 'web' guard is automatically added to the routes that are in the web.php file, but for some reason this doesn't happen with the routes of packages.
Why is the 'web' guard necessary?
Actually, the 'web' guard is not needed; the point is that it bundles various middlewares, including \Illuminate\Session\Middleware\StartSession, which is what handles the user session. So if you don't want to include the 'web' guard in the routes, you can create a custom middleware group with everything needed for your routes to work in the app\Http\Kernel.php file, and the problem will be solved.
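One way to build the custom middleware group the answer describes, as an added example that is not the answerer's code: a 'package' group in app/Http/Kernel.php carrying the session plumbing auth:sanctum needs (the group name, the Acme\Chat package and its route file are assumptions; the middleware class names are the Laravel 9 defaults).

```php
<?php
// app/Http/Kernel.php (excerpt): an added example, not code from the answer.
namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
        // Same cookie + session plumbing as 'web' (the view error bag is not
        // needed for JSON routes). VerifyCsrfToken stays in on purpose: once a
        // route is authenticated by the session cookie, cross-site POSTs would
        // otherwise ride on that cookie.
        'package' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];
}

// packages/acme/chat/src/ChatServiceProvider.php (hypothetical package).
// Package routes get no middleware group automatically, so the provider
// applies 'package' explicitly before auth:sanctum.
namespace Acme\Chat;

use Illuminate\Support\Facades\Route;
use Illuminate\Support\ServiceProvider;

class ChatServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        Route::middleware(['package', 'auth:sanctum'])
            ->prefix('chat')
            ->group(__DIR__ . '/../routes/chat.php');
    }
}
```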

Sanctum Security Access with no token

I'm using Laravel 8 / VueJs / Sanctum. And I found a small issue; I'm not sure if it's a security issue or not, but I'm thinking it's an exploit in Sanctum.
I'm calling my Vue components in my blade files.
And I can send and receive the response to all routes that I have in api.php without sending the token.
Also: all my routes are in the sanctum middleware, as you can see.
All my routes are working fine but the one /user; it redirects me to home.
Is it possible to receive a response without sending a token after I logged in?
If yes, why can I receive a response from all my routes but /user redirects me to /home?
use Illuminate\Http\Request;

Route::middleware(['auth:sanctum'])->group(function () {
    Route::get('/user', function (Request $request) {
        return $request->user();
    });
    // Chat routes
    Route::prefix('/chat')->group(function () {
        Route::post('/messages', [App\Http\Controllers\Api\ApiChatController::class, 'store'])->name('api/send-message');
        Route::get('/messages', [App\Http\Controllers\Api\ApiChatController::class, 'show'])->name('api/recent-chat');
        Route::get('/messages/{user}', [App\Http\Controllers\Api\ApiChatController::class, 'show'])->name('api/open-chat');
        Route::get('/threads', [App\Http\Controllers\Api\ApiChatController::class, 'index'])->name('api/all-chat-threads');
    });
    // dating routes
    Route::prefix('/dating')->group(function () {
        Route::get('/search', [App\Http\Controllers\DatingController::class, 'search'])->name('api/search');
    });
});
Sanctum uses a token and a cookie too for user auth. If you are calling over the browser a page which is guarded by Sanctum, then Laravel uses cookie auth. If you make an API call by JavaScript, then Laravel needs the token.
So I think everything is right.
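The mechanism behind those token-less responses, as an added example that is not the asker's or the answerer's code: with the Laravel 8 defaults (the 'api' middleware group in app/Http/Kernel.php starting with \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class, and the first-party hosts listed in config('sanctum.stateful')), requests from those hosts are authenticated by the session cookie and CSRF-checked, so Vue components rendered by Blade views need no bearer token. The /whoami and /export routes are assumptions added for illustration.

```php
<?php
// routes/api.php: an added example, not the asker's code. Assumes the Laravel 8
// default Kernel 'api' group (EnsureFrontendRequestsAreStateful first) and the
// default config/sanctum.php 'stateful' host list.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Laravel\Sanctum\TransientToken;

// Report which mechanism satisfied auth:sanctum. Sanctum attaches a
// TransientToken when the session cookie (web guard) authenticated the request
// and a PersonalAccessToken when a bearer token did, so the server can tell
// "token-less but logged in" apart from "presented a token".
Route::middleware('auth:sanctum')->get('/whoami', function (Request $request) {
    $token = $request->user()->currentAccessToken();

    return [
        'id'  => $request->user()->id,
        'via' => $token instanceof TransientToken ? 'session-cookie' : 'bearer-token',
    ];
});

// Where an operation must only be reachable with an explicitly issued token
// (for example a mobile or third-party client), refuse cookie sessions outright
// instead of relying on the caller to send one.
Route::middleware('auth:sanctum')->post('/export', function (Request $request) {
    if ($request->user()->currentAccessToken() instanceof TransientToken) {
        return response()->json(['message' => 'Bearer token required.'], 403);
    }

    // ... perform the export for token-authenticated clients
    return response()->json(['status' => 'queued']);
});
```

Hosts not listed in 'stateful' never get cookie authentication from Sanctum, which is what keeps this behaviour first-party only.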

How to config role management middleware in Laravel

I have some routes used with middleware. Here is one example:
Route::get('/TobeSubmit', 'AddsController@tobeSubmit')->name('TobeSubmit');
When I use this route outside of the middleware it's working. Here is that middleware:
Route::group(['middleware' => ['auth', 'Admin']], function () { });
When I use that route inside the middleware,
Route::group(['middleware' => ['auth', 'superuser']], function () {
    Route::get('/TobeSubmit', 'AddsController@tobeSubmit')->name('TobeSubmit');
});
like this, it's not working. That route is used for data retrieving via AJAX.
The obvious response would be that the middleware is blocking the request, which in this case would mean that the requestor is not an Admin. Unfortunately we would need more information about the request in order to help you further.
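For reference, a role middleware written so that an AJAX caller can see why it was refused, as an added example that is not the asker's 'Admin'/'superuser' class (which the question does not show). It assumes an is_admin boolean on the users table and the class name EnsureUserIsAdmin; the security-relevant point is that a denied XHR gets a 401/403 JSON body rather than a redirect the browser silently follows.

```php
<?php
// app/Http/Middleware/EnsureUserIsAdmin.php: added example, not the asker's code.
// Assumes users.is_admin (boolean). Register it in app/Http/Kernel.php under
// $routeMiddleware as 'Admin' => \App\Http\Middleware\EnsureUserIsAdmin::class
// and keep 'auth' before it in the group, as the question already does.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureUserIsAdmin
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        if ($user === null) {
            // 'auth' normally handles this; kept as a safety net so the
            // middleware fails closed even if it is ever used alone.
            return $request->expectsJson()
                ? response()->json(['message' => 'Unauthenticated.'], 401)
                : redirect()->route('login');
        }

        if (! $user->is_admin) {
            // Logged in but not privileged: 403, never the data. For an AJAX
            // caller expectsJson() is true when the request sends
            // X-Requested-With: XMLHttpRequest or Accept: application/json,
            // so the failure is visible in the response instead of a redirect.
            return $request->expectsJson()
                ? response()->json(['message' => 'Forbidden.'], 403)
                : abort(403);
        }

        return $next($request);
    }
}
```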

Laravel api routes with auth

I'm trying to make an api route that's only accessible if the user making the request is logged in. This is what I have in my routes/api.php but it returns
{"error":"Unauthenticated."}
Route::group(['middleware' => ['auth:api']], function () {
    Route::post('schedules', ['uses' => 'Api\ScheduleController@store']);
});
Can this be done without Laravel Passport, and how? I only need the route for in-app use by logged-in users.
I assumed the login mentioned is on "web", which uses "session" as the driver.
You are getting this issue because the "web" and "api" guards use different drivers for authentication. Take a look in config/auth.php. The "api" guard uses "token" as its default driver.
Thus, you have a few options to address this.
Move the route for "schedules" to web.php. No worry, your AJAX will fail if not authenticated. But take note that anything that involves the POST method will require CSRF (_token parameter), unless you are using Laravel's axios.
Use authentication via the API as well, for which you can refer to this tutorial for the "token" driver; all your secure routes will then use the token in their Authentication header.
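The second option spelled out, as an added example that is not from either answer, covering both the first question (auth middleware in api.php) and this one (the "api" guard's "token" driver): Laravel 5.5's built-in TokenGuard, which needs no Passport. The /api-token route and the migration filename are assumptions; the guard definition is the one shipped in config/auth.php.

```php
<?php
// Added example, not code from the questions. Three pieces of the Laravel 5.5
// token driver: the shipped api guard, an api_token column, and a route that
// lets a session-authenticated browser user obtain a token.

// --- config/auth.php (excerpt, as shipped) ---
// 'guards' => [
//     'web' => ['driver' => 'session', 'provider' => 'users'],
//     'api' => ['driver' => 'token',   'provider' => 'users'],
// ],

// --- database/migrations/<timestamp>_add_api_token_to_users_table.php (hypothetical) ---
// Schema::table('users', function (Blueprint $table) {
//     $table->string('api_token', 80)->unique()->nullable()->after('password');
// });

// --- routes/web.php: only the browser session (web guard) may mint a token ---
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

Route::post('/api-token', function (Request $request) {
    // Random, shown once, stored for lookup. Laravel 5.5's TokenGuard compares
    // the stored value in clear; from 5.8 set 'hash' => true on the guard and
    // store hash('sha256', $token) so a leaked users table leaks no usable token.
    $token = Str::random(60);
    $request->user()->forceFill(['api_token' => $token])->save();

    return ['api_token' => $token];
})->middleware('auth');

// --- routes/api.php: guarded by the api guard, so 'Authorization: Bearer <token>'
// (or ?api_token=...) is required. A request that expects JSON and carries no
// valid token gets 401 "Unauthenticated." rather than a redirect, because the
// api guard never consults the session that the 'auth' (web) guard relies on.
Route::group(['middleware' => 'auth:api'], function () {
    Route::get('users', 'Api\UserController@index');
    Route::post('schedules', 'Api\ScheduleController@store');
});
```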

How to secure all controller if user not authed?

I use Laravel 5.2 and I am interested in how to secure all controllers if the user is not authorized.
In this case the user should be redirected to the login page.
I try to do this using routing.
I set this code above all routes:
Route::auth();
Use middleware. It will help to filter and secure all routes.
https://laravel.com/docs/5.2/middleware
You just have to wrap up all needed routes in a middleware group.
Route::group(['middleware' => 'auth'], function () {
    Route::get('path1', 'SomeController@path1'); // placeholder controller actions
    Route::get('path2', 'SomeController@path2');
    Route::get('path3', 'SomeController@path3');
    // ...
});
Also you need to create the middleware class and register it in the kernel.
