chore: use a more explicit install command in docs to force latest version

CodeWithKyrian · CodeWithKyrian · commit c84322f31e1e · 2025-08-19T17:16:18.000+01:00
[skip ci]
diff --git a/README.md b/README.md
@@ -35,7 +35,7 @@ This package supports the **2025-03-26** version of the Model Context Protocol.
 Install the package via Composer:
 
 ```bash
-composer require php-mcp/laravel
+composer require php-mcp/laravel:^3.0 -W
 ```
 
 Publish the configuration file:
diff --git a/samples/basic/app/Models/User.php b/samples/basic/app/Models/User.php
@@ -6,11 +6,12 @@
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
+use Laravel\Sanctum\HasApiTokens;
 
 class User extends Authenticatable
 {
     /** @use HasFactory<\Database\Factories\UserFactory> */
-    use HasFactory, Notifiable;
+    use HasFactory, Notifiable, HasApiTokens;
 
     /**
      * The attributes that are mass assignable.
diff --git a/samples/basic/composer.json b/samples/basic/composer.json
@@ -11,6 +11,7 @@
     "require": {
         "php": "^8.2",
         "laravel/framework": "^12.0",
+        "laravel/sanctum": "^4.0",
         "laravel/tinker": "^2.10.1",
         "php-mcp/laravel": "dev-main"
     },
diff --git a/samples/basic/composer.lock b/samples/basic/composer.lock
diff --git a/samples/basic/config/mcp.php b/samples/basic/config/mcp.php
@@ -95,7 +95,7 @@
             'legacy' => (bool) env('MCP_HTTP_INTEGRATED_LEGACY', false),
             'route_prefix' => env('MCP_HTTP_INTEGRATED_ROUTE_PREFIX', 'mcp'),
             'stateless' => (bool) env('MCP_HTTP_INTEGRATED_STATELESS', true),
-            'middleware' => explode(',', env('MCP_HTTP_INTEGRATED_MIDDLEWARE', 'api')),
+            'middleware' => ['api', 'auth:sanctum'],
             'domain' => env('MCP_HTTP_INTEGRATED_DOMAIN'),
             'sse_poll_interval' => (int) env('MCP_HTTP_INTEGRATED_SSE_POLL_SECONDS', 1),
             'cors_origin' => env('MCP_HTTP_INTEGRATED_CORS_ORIGIN', '*'),
diff --git a/samples/basic/config/sanctum.php b/samples/basic/config/sanctum.php
@@ -0,0 +1,84 @@
+<?php
+
+use Laravel\Sanctum\Sanctum;
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Stateful Domains
+    |--------------------------------------------------------------------------
+    |
+    | Requests from the following domains / hosts will receive stateful API
+    | authentication cookies. Typically, these should include your local
+    | and production domains which access your API via a frontend SPA.
+    |
+    */
+
+    'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
+        '%s%s',
+        'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
+        Sanctum::currentApplicationUrlWithPort(),
+        // Sanctum::currentRequestHost(),
+    ))),
+
+    /*
+    |--------------------------------------------------------------------------
+    | Sanctum Guards
+    |--------------------------------------------------------------------------
+    |
+    | This array contains the authentication guards that will be checked when
+    | Sanctum is trying to authenticate a request. If none of these guards
+    | are able to authenticate the request, Sanctum will use the bearer
+    | token that's present on an incoming request for authentication.
+    |
+    */
+
+    'guard' => ['web'],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Expiration Minutes
+    |--------------------------------------------------------------------------
+    |
+    | This value controls the number of minutes until an issued token will be
+    | considered expired. This will override any values set in the token's
+    | "expires_at" attribute, but first-party sessions are not affected.
+    |
+    */
+
+    'expiration' => null,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Token Prefix
+    |--------------------------------------------------------------------------
+    |
+    | Sanctum can prefix new tokens in order to take advantage of numerous
+    | security scanning initiatives maintained by open source platforms
+    | that notify developers if they commit tokens into repositories.
+    |
+    | See: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
+    |
+    */
+
+    'token_prefix' => env('SANCTUM_TOKEN_PREFIX', ''),
+
+    /*
+    |--------------------------------------------------------------------------
+    | Sanctum Middleware
+    |--------------------------------------------------------------------------
+    |
+    | When authenticating your first-party SPA with Sanctum you may need to
+    | customize some of the middleware Sanctum uses while processing the
+    | request. You may change the middleware listed below as required.
+    |
+    */
+
+    'middleware' => [
+        'authenticate_session' => Laravel\Sanctum\Http\Middleware\AuthenticateSession::class,
+        'encrypt_cookies' => Illuminate\Cookie\Middleware\EncryptCookies::class,
+        'validate_csrf_token' => Illuminate\Foundation\Http\Middleware\ValidateCsrfToken::class,
+    ],
+
+];
diff --git a/samples/basic/database/migrations/2025_08_08_121817_create_personal_access_tokens_table.php b/samples/basic/database/migrations/2025_08_08_121817_create_personal_access_tokens_table.php
@@ -0,0 +1,33 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::create('personal_access_tokens', function (Blueprint $table) {
+            $table->id();
+            $table->morphs('tokenable');
+            $table->text('name');
+            $table->string('token', 64)->unique();
+            $table->text('abilities')->nullable();
+            $table->timestamp('last_used_at')->nullable();
+            $table->timestamp('expires_at')->nullable()->index();
+            $table->timestamps();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::dropIfExists('personal_access_tokens');
+    }
+};
diff --git a/samples/basic/dump.rdb b/samples/basic/dump.rdb
diff --git a/samples/basic/routes/api.php b/samples/basic/routes/api.php
@@ -0,0 +1,8 @@
+<?php
+
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Route;
+
+Route::get('/user', function (Request $request) {
+    return $request->user();
+})->middleware('auth:sanctum');
diff --git a/samples/basic/routes/mcp.php b/samples/basic/routes/mcp.php
@@ -5,13 +5,18 @@
 use App\Mcp\GetArticleContent;
 use App\Mcp\GetAppVersion;
 use PhpMcp\Laravel\Facades\Mcp;
+use Illuminate\Support\Facades\Auth;
 
 Mcp::tool('welcome_message', GenerateWelcomeMessage::class);
 
 Mcp::resource('app://version', GetAppVersion::class)
     ->name('laravel_app_version')
     ->mimeType('text/plain');
 
+Mcp::tool('get_me', function () {
+    return Auth::user();
+});
+
 Mcp::resourceTemplate('content://articles/{articleId}', GetArticleContent::class)
     ->name('article_content')
     ->mimeType('application/json');
