Inside my API routes, Auth::user() does not return anything.
I've read that this is because API's are stateless. And I should use Passport.
Could anyone explain why this is and if there is any way to get the Auth user in the API without using passport (or similar)?
The API routes use the auth:api guard, and do not use web middleware, which means there are no sessions attached to it. Passport is there to bridge the gap between a user and the API by using token based authentication. If you want your API to use sessions, simply give it auth instead of auth:api middleware
You can use jwt-auth which uses token based authentication. It provides an 'jwt.auth' middleware through which you can access Auth::user() without session over an api.
Related
the more I read about Laravel Spa (Vue) authentication, the more I ask myself about the "best way" to authenticate with Sanctum.
Official Laravel documentation says:
For this feature, Sanctum does not use tokens of any kind. Instead,
Sanctum uses Laravel's built-in cookie based session authentication
services. This approach to authentication provides the benefits of
CSRF protection, session authentication, as well as protects against
leakage of the authentication credentials via XSS.
But a lot of videos on YouTube or other tutorials on the internet all using (bearer) tokens which sounds contradictory to me. I mean, just using a single token for authentication seems to be a bit unsafe to me.
Also, some of those people defined "login" and "register" routes directly into Laravels route file, instead of using Vue router.
I'm using Laravel 8, VueJS 3 and Vuex 4.
So, what do you think: Am I on the right way by using Vue routes and sanctum authentication using cookies or not? And why?
Thank you, I appreciate that.
I am using Sanctum for SPA authentication. In several examples I have seen, people are creating auth routes (login, logout, register) in their web.php routes file as opposed to the api.php routes file. Is there a reason for this? In the documentation I do see a mention here...
You may be wondering why we suggest that you authenticate the routes
within your application's routes/web.php file using the sanctum guard.
Remember, Sanctum will first attempt to authenticate incoming requests
using Laravel's typical session authentication cookie. If that cookie
is not present then Sanctum will attempt to authenticate the request
using a token in the request's Authorization header. In addition,
authenticating all requests using Sanctum ensures that we may always
call the tokenCan method on the currently authenticated user instance
...but that is for API Token Authentication and not directly under SPA Authentication.
Is there any reason my auth routes would be better handled in web.php?
Well, in a typical Laravel application, your API routes are stateless and do not persist a session; specifically they do not have the start session middleware.
As such, cookie based authentication will not work if you put these routes in your API file.
Having these routes in your web file allows these specific routes to be wrapped in a session, allowing cookie based authentication and then falls back to using the stateless Authorization header if required.
I forget the exact words, but Taylor is quite a fan of SPAs using cookie based authentication when they're the same domain over API tokens.
But this should explain the reasoning. You are, of course, welcome to change this if you like.
I am newbie with laravel.
I understand that in order to protect routes, you have to first check if a user is authenticated and a session is made. thus, we apply auth middleware in the web routes.
However, I am trying to implement laravel passport and now I am not able to proceed to my routes anymore since I have been authenticated using the passport.
My question is that is it possible to secure the web routes with passport token instead of laravel session? and if so, how one should do it?
Thanks, sorry for english, not native speaker.
Laravel passport is for API routes not for web routes you can use laravel session for web
for more details read it's documentation
https://laravel.com/docs/8.x/passport
Me and my friend are creating an application. I'm using Laravel 5.4 as the backend and he uses Angular2 as frontend.
The Laravel project serves as a rest API with JWTauth token authentication.
Now I would like to make a small backend dashboard in the Laravel project that is only accessible by admins.
How would I go about using different authentication (with session) instead of tokens when I just browse to the api backend part?
This is pretty straightforward. Just apply the JWT auth middleware to the API routes and the normal auth middleware to your admin dashboard. You don't even need to tweak anything since JWT doesn't need changes to your table structure or need for changing the existing auth.
Build the backend dashboard using the built int auth scaffolding using the auth and guest middleware. For the api routes use the standard api middleware along with the jwt.auth middleware if you're using the tymondesigns/jwt-auth package. There will be no conflict with these two.
Bro use separate guard like
$loginUser = Auth::guard('web')->loginUsingId(12,true);
Using Laravel 5.3 I've set up a web app that consumes its own API. Authentication successfully handled by Passport. Web app uses auth middleware in routes and Model Policies for authorization. API routing uses default 'auth:api' token guard to control access.
I would like to use the same Policies in app/Policies for API authorization as well as the web auth, but I don't understand how. Calls such as $this->authorize('view', $model) do not work. I guess I need to pass the user from Auth::guard('api')->user() to the Policies somehow?
Any help would be appreciated!
Update: Got it working.
Seems that even for the API calls Laravel was still using the user from the web guard to check against policies. This user is undefined for API calls. So I needed to tell Laravel that all API calls should use the api guard.
Create a new middleware with Auth::shouldUse('api'); in the handle function.
Assign the middleware to the api section in the kernel.
Laravel will now use the api guard for all API requests. Calls like $this->authorize('view', $model) will work in both web and api.
Update: Got it working.
Seems that even for the API calls Laravel was still using the user from the web guard to check against policies. This user is undefined for API calls. So I needed to tell Laravel that all API calls should use the api guard.
Create a new middleware with Auth::shouldUse('api'); in the handle function.
Assign the middleware to the api section in the kernel.
Laravel will now use the api guard for all API requests. Calls like $this->authorize('view', $model) will work in both web and api.
Just use auth:api middleware for routes with Policies