Dynamic guard change for spa authorization #144
Comments
If you want to implement something like this just send in a PR. Thanks.

@sergey-yabloncev did you manage to implement this, or begin working on anything?
@lnpbk unfortunately, no. I refused to use the package as SPA authentication; I used it as the tokens API. Additionally, I added custom middleware checking the `instanceof` model of the authorized user, for example:

```php
<?php

namespace App\Http\Middleware;

use App\Models\User\Admin;
use Closure;

class VerifyAdmin
{
    /**
     * Handle an incoming request.
     *
     * @param \Illuminate\Http\Request $request
     *
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // Reject any authenticated principal that is not an Admin model
        if (!(auth()->user() instanceof Admin)) {
            abort(403);
        }

        return $next($request);
    }
}
```

`App\Http\Kernel.php`:

```php
<?php

namespace App\Http;

//...
use App\Http\Middleware\VerifyAdmin;
use App\Http\Middleware\VerifyUser;

class Kernel extends HttpKernel
{
    //...
    protected $routeMiddleware = [
        //...
        'admin' => VerifyAdmin::class,
        'user' => VerifyUser::class,
    ];
}
```

Use in a route or controller:

```php
Route::middleware(['auth:sanctum', 'admin'])
```

Get the authenticated user in a controller:

```php
auth()->user()
```
If you accept not caching config, you can use a middleware to change it at runtime, taking your decision based on your application needs.

```php
// app/Http/Middleware/UpdateSanctumConfigForCustomGuard.php
<?php

namespace App\Http\Middleware;

use Closure;

class UpdateSanctumConfigForCustomGuard
{
    /**
     * Handle an incoming request.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // THIS WILL WORK ONLY IF CONFIG ISN'T CACHED
        if (/* your condition */) {
            // Without this, remember_me feature could break
            // using the wrong cookie if guards use different user models/tables
            config(['auth.defaults.guard' => 'custom_guard']);
            config(['sanctum.guard' => 'custom_guard']);
        }

        return $next($request);
    }
}
```

You should then update `app/Http/Kernel.php`:

```php
// app/Http/Kernel.php
/**
 * The application's route middleware groups.
 *
 * @var array
 */
protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\UpdateSanctumConfigForCustomGuard::class,
        // ...
    ],
    'api' => [
        \App\Http\Middleware\UpdateSanctumConfigForCustomGuard::class,
        // ...
    ],
];
```

And lastly add it to the API routes you want to use another guard:

```php
// routes/api.php
Route::middleware(['auth:sanctum'])->group(function () {
    // Routes using normal guard
    Route::group([], function () {
        // ..
    });

    // Routes using the other guard
    Route::middleware(UpdateSanctumConfigForCustomGuard::class)->group(function () {
        // ..
    });
});
```
@sergey-yabloncev - Your approach works just fine and I used it for the project I'm currently working on. I had many issues trying to run the tests. Most of the time when I want to inspect if I'm allowed to reach some Sanctum-guarded routes, while logged in with some session-based guards, I got status code 200, when I expect 401. Just for example: when I try to reach this route, I get status code 200. So thank you for sharing your approach. 🍻

@sergey-yabloncev Thank you for your example code. It was exactly what I needed.
@ivand88 Tests won't work with `actingAs` because Sanctum looks for an API token, and the test should be like:
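As an added example (not code from this issue or from the Sanctum project), here is a feature test that exercises the `VerifyAdmin` middleware from @sergey-yabloncev's comment above through `Sanctum::actingAs`, the route the reply to @ivand88 is pointing at. It assumes `App\Models\User` and `App\Models\User\Admin` models that use `HasApiTokens` and have factories, and a route `/api/admin/ping` registered behind `['auth:sanctum', 'admin']`; all of those names are assumptions.

```php
<?php
// Added example, not from the issue. Assumed route in routes/api.php:
//   Route::middleware(['auth:sanctum', 'admin'])->get('/admin/ping', fn () => 'pong');
// Assumed models: App\Models\User and App\Models\User\Admin, both with
// the HasApiTokens trait and a model factory.

namespace Tests\Feature;

use App\Models\User;
use App\Models\User\Admin;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;

class AdminGuardTest extends TestCase
{
    use RefreshDatabase;

    /** No credentials at all: auth:sanctum rejects before VerifyAdmin runs. */
    public function test_unauthenticated_request_is_rejected(): void
    {
        $this->getJson('/api/admin/ping')->assertStatus(401);
    }

    /** A valid token for the wrong model passes auth:sanctum but not VerifyAdmin. */
    public function test_regular_user_token_is_forbidden(): void
    {
        // Sanctum::actingAs resolves the user through the sanctum guard, the
        // same path a bearer token takes; $this->actingAs() logs in through the
        // session guard instead, which is the behaviour the comments above discuss.
        Sanctum::actingAs(User::factory()->create());

        $this->getJson('/api/admin/ping')->assertStatus(403);
    }

    /** Only a principal that is an Admin instance reaches the route body. */
    public function test_admin_token_is_allowed(): void
    {
        Sanctum::actingAs(Admin::factory()->create());

        $this->getJson('/api/admin/ping')
            ->assertStatus(200)
            ->assertSee('pong');
    }
}
```

The middle case is the one worth keeping in a suite: it fails loudly if someone later drops the `admin` middleware from the route and leaves only `auth:sanctum`, which authenticates any token holder regardless of model.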
Were you able to get first-party SPA authentication with this? I was not able to get Sanctum's X-CSRF cookie-based authentication to work.

@sergey-yabloncev - In the meantime I've actually found the resolution for my issue, explained here.

@ivand88 Thanks so much!
If the project uses multiple guards, for example web and admin, you can't use SPA authorization for multiple guards.
This feature is provided for authorization via token.
https://github.com/laravel/sanctum/blob/2.x/src/Guard.php#L45
https://github.com/laravel/sanctum/blob/2.x/src/SanctumServiceProvider.php#L95
I would like to be able to set a guard in middleware, to use a similar design.