feat: Add Sanctum API token authentication (Issue #50 PR-4) #60
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add HasApiTokens trait to User model - Create personal_access_tokens migration (Sanctum requirement) - Implement AuthController with token generation, logout, logout-all - Add public /auth/token endpoint for token generation - Add protected /auth/logout and /auth/logout-all endpoints - Add example protected /me endpoint demonstrating auth:sanctum middleware - Add comprehensive AuthTest with 18 test cases covering: * Token generation (valid/invalid credentials, validation, multi-device) * Protected endpoint access (authentication required, token validation) * Token revocation (single/all tokens, database verification) * Security (no sensitive data exposure, token hashing) - Extend PHPStan ignores for PEST framework test patterns - All 57 tests passing (140 assertions) - PHPStan level max: 0 errors - Pint: PSR-12 compliant Scope: ~450 LOC (Controller: 77, Migration: 32, Tests: 264, Routes: 17) Addresses: #50
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR implements token-based API authentication using Laravel Sanctum. The implementation includes token generation, protected endpoints, token revocation, and comprehensive security tests.
- Adds
AuthControllerwith methods for token generation, single logout, and logout-all functionality - Integrates Laravel Sanctum into the User model and creates the required personal access tokens migration
- Defines public and protected API routes with Sanctum authentication middleware
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| app/Http/Controllers/AuthController.php | New controller implementing token generation and revocation endpoints |
| app/Models/User.php | Adds HasApiTokens trait to enable Sanctum token functionality |
| database/migrations/2025_11_01_195727_create_personal_access_tokens_table.php | Creates database table for storing Sanctum personal access tokens |
| routes/api.php | Defines public token generation route and protected authenticated routes |
| tests/Feature/AuthTest.php | Comprehensive test suite covering authentication flows, token management, and security |
| phpstan.neon | Updates PHPStan ignore patterns to accommodate test method calls |
- Extract validation to TokenRequest FormRequest (Laravel best practice) - Refine PHPStan ignores: specific methods instead of wildcards - Fix /me endpoint: explicit field selection to prevent sensitive data exposure - Maintain type safety while supporting PEST framework patterns Resolves all 4 Copilot review comments from PR #60.
- TokenRequest: Add 'nullable' to device_name validation (Comment #6) - AuthController: Extract /me closure to me() method (Comment #5) - routes/api.php: Replace inline closure with controller route - AuthTest.php: Replace ALL assertStatus() with specific methods: - assertCreated() for 201 responses (7 occurrences) - assertUnprocessable() for 422 responses (4 occurrences) - assertUnauthorized() for 401 responses (4 occurrences) - assertOk() for 200 responses (5 occurrences) - phpstan.neon: Add new assertion methods to ignore patterns All 57 tests passing, Pint compliant, PHPStan 0 errors.
- Add messages() method to TokenRequest for custom validation messages (Laravel best practice: FormRequests should provide user-friendly errors) - Fix null-safety in AuthTest line 89: first()->name to first()?->name (Prevents potential null pointer exception in test assertions) These issues should have been caught in pre-commit self-review. Root cause: Mechanical comment fixes without thorough code quality check. Quality lesson learned: ALWAYS do comprehensive self-review BEFORE push, not just fix automated comments. Check Laravel conventions, null-safety, and best practices proactively.
This was referenced Nov 1, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Implements Sanctum-based API token authentication as part of Issue #50 (Multi-tenant KEK management).
This PR adds token-based authentication for API endpoints, enabling secure API access with token generation, validation, and revocation.
Changes
Core Implementation
HasApiTokenstrait for Sanctum integrationPOST /v1/auth/token: Generate API tokens with email/password credentialsPOST /v1/auth/logout: Revoke current tokenPOST /v1/auth/logout-all: Revoke all user tokenspersonal_access_tokenstable for Sanctum token storageauth:sanctummiddleware/v1/meendpoint demonstrating authenticated accessTesting
Quality Gates
Code Metrics
Review Checklist Compliance
Pre-push review performed per
DEVELOPMENT.md:git diffreviewed: No duplication, clear intent, proper structureddev exec ./vendor/bin/pest: 57 tests passingddev exec ./vendor/bin/pint: PSR-12 compliantddev exec ./vendor/bin/phpstan analyse: 0 errorsRefreshDatabasetrait used in AuthTestRelated
Notes
sanctum.expiration)