How to enable both api and web guard in laravel

你。 提交于 2021-01-27 04:27:31

问题


Laravel 5.7

PHP 7.2.10

Currently I am able to use any one of web and api guards, is there any way to allow both, so that both web app and api will work together.

Something like

return [

    /*
    |--------------------------------------------------------------------------
    | Authentication Defaults
    |--------------------------------------------------------------------------
    |
    | This option controls the default authentication "guard" and password
    | reset options for your application. You may change these defaults
    | as required, but they're a perfect start for most applications.
    |
    */

    'defaults' => [
        'guard' => 'api|web',
        'passwords' => 'users',
    ],

with out using schema, here is a solution/workaround which needs changes in schema, what I will not prefer. Also I do not need access token for registration, what this answer is doing.

api.php

Route::group([
    'middleware' => 'api|web',
    'prefix' => 'auth'
], function ($router) {

   Route::post('register', 'Auth\AuthController@register')->name('api.register');
    Route::post('forgot-password', 'Auth\ForgotPasswordController@forgotPassword')->name('api.forgot-password');
    Route::post('login', 'Auth\AuthController@login')->name('api.login');
    Route::middleware('auth')->post('logout', 'Auth\AuthController@logout')->name('api.logout');

web.php

Auth::routes(['verify' => true]);
Route::prefix('admin')->group(function () {
 Route::middleware('auth', 'permission:super-admin|association-member')->resource('users', 'Auth\UserController');
});

config/auth.php

return [

    /*
    |--------------------------------------------------------------------------
    | Authentication Defaults
    |--------------------------------------------------------------------------
    |
    | This option controls the default authentication "guard" and password
    | reset options for your application. You may change these defaults
    | as required, but they're a perfect start for most applications.
    |
    */

    'defaults' => [
        'guard' => 'web', //api
        'passwords' => 'users',
    ],

    /*
    |--------------------------------------------------------------------------
    | Authentication Guards
    |--------------------------------------------------------------------------
    |
    | Next, you may define every authentication guard for your application.
    | Of course, a great default configuration has been defined for you
    | here which uses session storage and the Eloquent user provider.
    |
    | All authentication drivers have a user provider. This defines how the
    | users are actually retrieved out of your database or other storage
    | mechanisms used by this application to persist your user's data.
    |
    | Supported: "session", "token"
    |
    */

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver' => 'jwt',
            'provider' => 'users',
        ],
    ],

Update As @apokryfos said, If you want both to work for both then yes. However, I think that's bad practice. API routes should only allow API authentication since web authentication usually uses the session which API routes don't use anyway. If I were you I'd take a step back and rethink my entire strategy.

I too do not want to make both work for both, I just want to make work both api and web app parallelly, now I am able to use any one of them.

Update2 As @Lim Kean Phang suggested the git issue link

I changed

  protected function respondWithToken($token)
    {
        return response()->json([
            'access_token' => $token,
            'token_type' => 'bearer',
            'expires_in' =>  auth('api')->factory()->getTTL() * 60,//auth()->factory()->getTTL() * 60,
            'status' => 200,
            "response" => "Successfully login",
        ]);
    }

The expires_in value, but now I am not getting the access token.

The api response is

{
    "access_token": true,
    "token_type": "bearer",
    "expires_in": 31536000,
    "status": 200,
    "response": "Successfully login"
}

Update 3 Added a github issue as could not find any possible solution to make it work.


回答1:


I changed the AuthController to something like

<?php

namespace App\Http\Controllers;

use Auth;
use Illuminate\Http\Request;

class AuthController extends Controller
{
    /**
     * Create a new AuthController instance.
     *
     * @return void
     */
    public function __construct()
    {
        $this->middleware('auth:api', ['except' => ['login']]);
    }

    /**
     * Get a JWT via given credentials.
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function login()
    {
        $credentials = request(['username', 'password']);

        $token = auth()->guard('api')->attempt($credentials);

        if (!$token) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }

        return $this->respondWithToken($token);
    }

    /**
     * Log the user out (Invalidate the token).
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function logout()
    {
        auth()->guard('api')->logout();

        return response()->json(['message' => 'Successfully logged out']);
    }

    /**
     * Refresh a token.
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function refresh()
    {
        return $this->respondWithToken(auth()->refresh());
    }

    /**
     * Get the token array structure.
     *
     * @param string $token
     *
     * @return \Illuminate\Http\JsonResponse
     */
    protected function respondWithToken($token)
    {
        return response()->json([
            'access_token' => $token,
            'token_type'   => 'bearer',
            'expires_in'   => auth('api')->factory()->getTTL() * 60,
        ]);
    }
}

And in api.php changing auth to jwt.auth solves the problem.

Route::group([
    'middleware' => 'api',
    'prefix' => 'auth'
], function ($router) {

    Route::post('register', 'Auth\AuthController@register')->name('api.register');
    Route::post('forgot-password', 'Auth\ForgotPasswordController@forgotPassword')->name('api.forgot-password');
    Route::post('login', 'Auth\AuthController@login')->name('api.login');
    Route::middleware('jwt.auth')->post('logout', 'Auth\AuthController@logout')->name('api.logout');
    Route::middleware('auth')->post('refresh', 'Auth\AuthController@refresh')->name('api.refresh');
    Route::middleware('jwt.auth')->post('me', 'Auth\AuthController@me')->name('api.me');
});



回答2:


API route, you should use postman from chrome/app to test the API

Route::group(['prefix' => 'auth',namespace =>'App\Http\Controller'], function () {
    Route::post('login', 'Auth\AuthController@login')->name('api.login');

    Route::group(['middleware' => 'auth:api'], function () {

       Route::post('register', 'Auth\AuthController@register')->name('api.register');
        Route::post('forgot-password', 'Auth\ForgotPasswordController@forgotPassword')->name('api.forgot-password');
        Route::post('logout', 'Auth\AuthController@logout')->name('api.logout');
});
});

Config/auth.php

return [

/*
|--------------------------------------------------------------------------
| Authentication Defaults
|--------------------------------------------------------------------------
|
| This option controls the default authentication "guard" and password
| reset options for your application. You may change these defaults
| as required, but they're a perfect start for most applications.
|
*/

'defaults' => [
    'guard' => 'web',
    'passwords' => 'users',
],

/*
|--------------------------------------------------------------------------
| Authentication Guards
|--------------------------------------------------------------------------
|
| Next, you may define every authentication guard for your application.
| Of course, a great default configuration has been defined for you
| here which uses session storage and the Eloquent user provider.
|
| All authentication drivers have a user provider. This defines how the
| users are actually retrieved out of your database or other storage
| mechanisms used by this application to persist your user's data.
|
| Supported: "session", "token"
|
*/

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver' => 'jwt',
        'provider' => 'users',
    ],
],



回答3:


I just came across this issue myself, and post my answer in case anyone finds it useful.

In my case I need my API to be accessible both by my website and by external clients. The website uses the session guard, because the browser automatically includes any session cookie with each request. The other clients use the api guard with the token driver, because they don't handle cookies, but use the token_id field in the users table.

// contig/auth.php
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'api' => [
        'driver' => 'token',
        'provider' => 'users',
    ],
],

Now I can protect my routes like this:

// routes/api.php
Route::group(['middleware' => ['auth:web,api']], function () {
    Route::get('/abc', 'MyController@abc');
});

Note the web,api syntax supported out of the box by Laravel, but undocumented. I realized this is possible by analyzing Laravel's source code.




回答4:


setting the default driver in the constructor also works:

public function __construct() {
   auth()->setDefaultDriver('api');
}

and if you've configured everything correctly then calling Auth::guard() should return Tymon\JWTAuth\JWTGuard

alternatively you can also pass the driver as param to guard method like this:

private method guard() {
   return Auth::guard('api'); // Tymon\JWTAuth\JWTGuard
}



回答5:


You can not use both guard (web & api) at same time so what you have to do is generate the jwt using JWTAuth::attempt function like below.

  1. add below code at the top of the AuthController
use JWTAuth;
  1. update login function with below code.
    public function login(){
            $credentials = request(['email', 'password']);

            if (! $token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'Unauthorized'], 401);
                }
                return response()->json(['status'=>200,'token'=>$token]);
    }
  1. Make sure in auth.php you are using web guard.

This will generate the token and you will be able to use both the auth guards.



来源:https://stackoverflow.com/questions/54477420/how-to-enable-both-api-and-web-guard-in-laravel

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!