Set sanctum as default guard in config/auth.php #134

@kevalyq

Description

🎯 Objective

Update config/auth.php to set sanctum as the default guard instead of web, aligning configuration with SecPal's API-only, token-based architecture.

📋 Problem

Current State:

'defaults' => [
    'guard' => env('AUTH_GUARD', 'web'),  // ❌ Session-based default
],

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    // ❌ Missing: sanctum guard configuration
],

Issue: Default guard is web (session-based), but SecPal is:

  • Pure API (no server-rendered views)
  • React PWA frontend with token storage
  • Stateless authentication via Bearer tokens
  • All routes use auth:sanctum middleware

Semantic Mismatch: Configuration suggests session-based auth, but reality is token-based.

📋 Changes Required

1. Change Default Guard

'defaults' => [
    'guard' => env('AUTH_GUARD', 'sanctum'),  // ✅ Token-based default
    'passwords' => env('AUTH_PASSWORD_BROKER', 'users'),
],

2. Add Sanctum Guard Configuration

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    
    'sanctum' => [  // ✅ Add sanctum guard
        'driver' => 'sanctum',
        'provider' => 'users',
    ],
],

3. Update Documentation Comments

Add comment explaining SecPal's API-only architecture and why sanctum is the default.

✅ Acceptance Criteria

  • Default guard changed: 'web' → 'sanctum'
  • sanctum guard added to guards array
  • Configuration comments updated to explain API-only architecture
  • All tests pass (207 tests)
  • PHPStan Level Max: 0 errors
  • Laravel Pint: Clean
  • No side effects on existing authentication

📊 Expected Impact

Before: Config defaults to web guard (semantically incorrect)
After: Config defaults to sanctum guard (matches actual architecture)

Benefits:

  • ✅ Self-documenting configuration
  • ✅ Consistent with User model $guard_name = 'sanctum' (Add $guard_name property to User model #129)
  • ✅ Aligns config with actual authentication mechanism
  • ✅ Clear intent for API-only architecture

🔗 Related

⏱️ Effort Estimate

Time: 10-15 minutes
Complexity: Low (configuration change, comprehensive test coverage)

🧪 Testing Strategy

# Run full test suite
ddev exec php artisan test

# Verify RoleApiTest (uses permissions)
ddev exec php artisan test --filter=RoleApiTest

# Verify AuthTest (token generation)
ddev exec php artisan test --filter=AuthTest

Expected: All 207 tests pass (no behavior change, config aligns with code)
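A feature test that pins the two configuration changes above and exercises the resulting behaviour of the bare `auth` middleware. This is an added example, not part of the issue or the SecPal codebase; it assumes `App\Models\User` uses Sanctum's `HasApiTokens` trait and has a factory, and the `/_test/whoami` route and the test class name are hypothetical.

```php
<?php

declare(strict_types=1);

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Auth\RequestGuard;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

final class DefaultGuardTest extends TestCase
{
    use RefreshDatabase;

    public function test_config_defaults_to_sanctum_guard(): void
    {
        // Acceptance criteria: default guard and sanctum guard entry
        $this->assertSame('sanctum', config('auth.defaults.guard'));
        $this->assertSame('sanctum', config('auth.guards.sanctum.driver'));
        $this->assertSame('users', config('auth.guards.sanctum.provider'));

        // Sanctum registers its guard as a RequestGuard, so the unnamed
        // default guard must now resolve to it (not to the session guard).
        $this->assertInstanceOf(RequestGuard::class, Auth::guard());
    }

    public function test_bare_auth_middleware_uses_token_guard(): void
    {
        // Hypothetical route protected by 'auth' without an explicit guard;
        // with the new default this behaves exactly like 'auth:sanctum'.
        Route::middleware('auth')->get('/_test/whoami', function () {
            return response()->json(['id' => Auth::id()]);
        });

        // No Bearer token: an API client must receive 401, not a redirect
        // to a login page that this API-only application does not have.
        $this->getJson('/_test/whoami')->assertUnauthorized();

        $user = User::factory()->create();
        $token = $user->createToken('test')->plainTextToken;

        // A valid personal access token authenticates the same route.
        $this->withToken($token)
            ->getJson('/_test/whoami')
            ->assertOk()
            ->assertJson(['id' => $user->id]);
    }
}
```

Run it alongside the existing suite with `ddev exec php artisan test --filter=DefaultGuardTest`; if the first test fails on the `RequestGuard` assertion while the config assertions pass, the sanctum guard entry is present but the default is still being overridden by `AUTH_GUARD` in the environment.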

📝 Implementation Notes

Why keep web guard?

  • Laravel requires it for default password reset flow
  • We only use it for password reset email verification (stateless token-based)
  • Not used for actual authentication sessions

Why this matters:

  • Config is documentation of architectural decisions
  • Future developers immediately see "API-only, token-based"
  • Prevents confusion about authentication mechanism

Created: 2025-11-09
Category: Configuration / Architecture
Scope: Single file change (config/auth.php)
Risk: Low (aligns existing code, all tests verify behavior)
