From 35b26d55585222f932d399de5b11f7b2b00ac3e6 Mon Sep 17 00:00:00 2001 From: Bilfeldt Date: Thu, 29 Oct 2020 11:57:03 +0100 Subject: [PATCH 1/2] Add note about laravel/ui and Laraven Nova Adding a note to the API section about _First-Party UI Initiated Requests_ for applications using `laravel/ui` for authentication instead of Sanctum. This includes a code example for policies to be compatible with Laravel Nova. --- 1.x/features/api.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/1.x/features/api.md b/1.x/features/api.md index eb09110..3337dcc 100644 --- a/1.x/features/api.md +++ b/1.x/features/api.md @@ -57,3 +57,9 @@ $request->user()->tokenCan('read'); When a user makes a request to a route within your `routes/web.php` file, the request will typically be authenticated by Sanctum through a cookie based `web` guard. Since the user is making a first-party request through the application UI in this scenario, the `tokenCan` method will always return `true`. At first, this behavior may seem strange; however, it is convenient to be able to always assume an API token is available and can be inspected via the `tokenCan` method. This means that within your application's authorizations policies you may always call this method without fear that there is no token associated with the request. + +Note that the `tokenCan` only deaults to true for first-party API request authenticated using Laravel Sanctum as described in the [Laraven Sanctum docs]https://laravel.com/docs/8.x/sanctum#token-abilities). This method will not default to true for applications using other authentication like [laravel/ui](https://github.com/laravel/ui) which is used by for example [Laravel Nova](https://nova.laravel.com/). In such cases policies using `tokenCan` needs to check manually if the request is comming from a first-party UI not authenticated by Sanctum: + +```php +request()->is('nova-api/*') || $request->user()->tokenCan('read'); // Check if an API request from Laravel Nova +``` 
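Review bot: The code example in the added note mixes the global `request()` helper with an undefined `$request` variable (`request()->is('nova-api/*') || $request->user()->tokenCan('read')`), so it will not work as written inside a policy method, where no `$request` is in scope; use one form consistently, e.g. `request()->is('nova-api/*') || request()->user()->tokenCan('read')`. The more important point is the security caveat the note leaves out: the path-prefix check short-circuits the ability check for every request whose URI matches `nova-api/*`, which means the policy no longer inspects any token ability for those requests and relies entirely on the `nova-api` routes being protected by their own session-based auth middleware; the paragraph should say so explicitly, since a reader who copies this pattern onto routes that also accept token authentication would silently drop the ability check. Smaller issues in the same paragraph: the link `[Laraven Sanctum docs]https://laravel.com/docs/8.x/sanctum#token-abilities)` is missing the opening parenthesis and misspells Laravel (also in the commit subject, "Laraven Nova"), "deaults" should be "defaults", "comming" should be "coming", and "first-party API request ... policies using `tokenCan` needs to check" should read "first-party API requests ... policies using `tokenCan` need to check". The inline comment `// Check if an API request from Laravel Nova` is missing a verb; "Treat requests from Laravel Nova as first-party" would be clearer.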
From fd56591ae1e42bb475c285205a5bb78e0e2afaf6 Mon Sep 17 00:00:00 2001 From: Bilfeldt Date: Thu, 29 Oct 2020 11:58:33 +0100 Subject: [PATCH 2/2] Fix spelling error Fix spelling error of `defaults` --- 1.x/features/api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.x/features/api.md b/1.x/features/api.md index 3337dcc..d3ac96e 100644 --- a/1.x/features/api.md +++ b/1.x/features/api.md 
@@ -58,7 +58,7 @@ When a user makes a request to a route within your `routes/web.php` file, the re At first, this behavior may seem strange; however, it is convenient to be able to always assume an API token is available and can be inspected via the `tokenCan` method. This means that within your application's authorizations policies you may always call this method without fear that there is no token associated with the request. -Note that the `tokenCan` only deaults to true for first-party API request authenticated using Laravel Sanctum as described in the [Laraven Sanctum docs]https://laravel.com/docs/8.x/sanctum#token-abilities). This method will not default to true for applications using other authentication like [laravel/ui](https://github.com/laravel/ui) which is used by for example [Laravel Nova](https://nova.laravel.com/). In such cases policies using `tokenCan` needs to check manually if the request is comming from a first-party UI not authenticated by Sanctum: +Note that the `tokenCan` only defaults to true for first-party API request authenticated using Laravel Sanctum as described in the [Laraven Sanctum docs]https://laravel.com/docs/8.x/sanctum#token-abilities). This method will not default to true for applications using other authentication like [laravel/ui](https://github.com/laravel/ui) which is used by for example [Laravel Nova](https://nova.laravel.com/). In such cases policies using `tokenCan` needs to check manually if the request is comming from a first-party UI not authenticated by Sanctum: ```php request()->is('nova-api/*') || $request->user()->tokenCan('read'); // Check if an API request from Laravel Nova
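Review bot: This commit corrects "deaults" to "defaults" but leaves the other defects of the same `+` line in place: the Markdown link is still broken (`[Laraven Sanctum docs]https://laravel.com/docs/8.x/sanctum#token-abilities)` lacks the `(` before the URL and still spells "Laraven"), "comming" is still misspelled, and "request ... needs" still disagrees in number with "policies". Since the commit is titled "Fix spelling error", it would be tidier to fold all of these into this one change rather than leaving a follow-up. The code example in the trailing context is unchanged, so the `request()`/`$request` inconsistency raised on the first patch still applies.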