Token cookie based authentication with Laravel and Sanctum returns unauthenticated - Stack Overflow

admin管理员组

文章数量:1122846

I login with;

curl --location 'http://localhost/api/login' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Cookie: auth_token=eyJpdiI6InhKeXBxNG9VV1hNVDBJaWZ3V2VuNVE9PSIsInZhbHVlIjoiUWZWeGlFc1hzTHFuZWZ6SzVPVzM1MmhHSUFxL1N6K0FYZkNZM3FkUVh1SHF0akUwSTA2WUZjMjY0dTRsUFY4SjlRM3BlemFBejRraEkvd0Y0aHV3REpXVkdhZkE5ZWxhMFNzSzJjN09sUUMrdk9va1VBbjlQQm9ac21uaW0rUnIiLCJtYWMiOiIyZjBkOTNhODNiOTc2MGFkMzkzMmMyN2FlNDQ0OWE4NDNjMGJmMTRlMWJiMGI1MzYyYjNmMTMxYmVlNmFiZWRjIiwidGFnIjoiIn0%3D; laravel_session=iZ2O2glj1yVL8mskNGkgAJTLMRZQaFxMmaeyVBFr' \
--data-raw '{
    "email": "[email protected]",
    "password": "password"
}'

/routes/api.php

Route::post('/login', [AuthController::class, 'login'])->name('login');

/AuthController.php

<?php

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;
use Laravel\Sanctum\HasApiTokens;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $secure = app()->environment('production');

        $request->validate([
            'email' => 'required|email',
            'password' => 'required|min:6',
        ]);

        $user = User::where('email', $request->email)->first();

        if ($user && Hash::check($request->password, $user->password)) {

            $request->session()->regenerate();
            $token = $user->createToken('FacilityManagementApp')->plainTextToken;

            return response()->json([
                'message' => 'Logged in successfully.',
                'user' => [
                    'id' => $user->id,
                    'name' => $user->name,
                    'email' => $user->email,
                    'role' => $user->role,
                ]
            ], 200)->cookie(
                'auth_token',
                $token,                     
                120,                         
                '/',                        
                null,                       
                $secure,                    
                true                        
            );
        }

        return response()->json(['error' => 'Unauthorized'], 401);
    }
}

I get responses;

{
    "message": "Logged in successfully.",
    "user": {
        "id": 2,
        "name": "Mertie Wisozk Sr.",
        "email": "[email protected]",
        "role": "user"
    }
}

and from personal_access_tokens i observe;

[
  {
    "id": 64,
    "tokenable_type": "App\\Models\\User",
    "tokenable_id": 2,
    "name": "FacilityManagementApp",
    "token": "fcab1bf4ae0bd7b1ebff188af5aa6a692c31c0a8d03a4fdb1f2fc08c5764cb4e",
    "abilities": "[\"*\"]",
    "last_used_at": null,
    "expires_at": null,
    "created_at": "2025-01-06 09:54:25",
    "updated_at": "2025-01-06 09:54:25"
  }
]

so, all looks good. I then try and hit an endpoint which is protected by Sanctum middleware;

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    Log::debug('Authenticated User:', [$request->user()]);
    return $request->user();
});

like thus;

curl --location 'http://localhost/api/user' \
--header 'Cookie: auth_token=eyJpdiI6InhKeXBxNG9VV1hNVDBJaWZ3V2VuNVE9PSIsInZhbHVlIjoiUWZWeGlFc1hzTHFuZWZ6SzVPVzM1MmhHSUFxL1N6K0FYZkNZM3FkUVh1SHF0akUwSTA2WUZjMjY0dTRsUFY4SjlRM3BlemFBejRraEkvd0Y0aHV3REpXVkdhZkE5ZWxhMFNzSzJjN09sUUMrdk9va1VBbjlQQm9ac21uaW0rUnIiLCJtYWMiOiIyZjBkOTNhODNiOTc2MGFkMzkzMmMyN2FlNDQ0OWE4NDNjMGJmMTRlMWJiMGI1MzYyYjNmMTMxYmVlNmFiZWRjIiwidGFnIjoiIn0%3D; laravel_session=iZ2O2glj1yVL8mskNGkgAJTLMRZQaFxMmaeyVBFr'

and get an Unauthenticated response? I'm expecting Sanctum to verify the auth_token cookie and give me an authenticated user in the response?

Here's my efforts and various config files and contents;

File: app/Http/Controllers/AuthController.php
Content:
<?php

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;
use Laravel\Sanctum\HasApiTokens;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $secure = app()->environment('production');

        $request->validate([
            'email' => 'required|email',
            'password' => 'required|min:6',
        ]);

        $user = User::where('email', $request->email)->first();

        if ($user && Hash::check($request->password, $user->password)) {

            $request->session()->regenerate();
            $token = $user->createToken('FacilityManagementApp')->plainTextToken;

            return response()->json([
                'message' => 'Logged in successfully.',
                'user' => [
                    'id' => $user->id,
                    'name' => $user->name,
                    'email' => $user->email,
                    'role' => $user->role,
                ]
            ], 200)->cookie(
                'auth_token',         // Cookie name
                $token,                     // Token value
                120,                         // Expiry time in minutes
                '/',                        // Path for which the cookie is valid
                null,                       // Domain (null means current domain)
                $secure,                    // Secure cookie (only transmitted over HTTPS)
                true                        // HttpOnly (cannot be accessed via JavaScript)
            );
        }

        return response()->json(['error' => 'Unauthorized'], 401);
    }




}
----------
File: routes/api.php
Content:
<?php


use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\AuthController;

Route::post('/login', [AuthController::class, 'login'])->name('login');

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    Log::debug('Authenticated User:', [$request->user()]);
    return $request->user();
});





----------
File: config/sanctum.php
Content:
<?php

use Laravel\Sanctum\Sanctum;

return [

    'cookie' => [
        'name' => 'auth_token',
        'secure' => env('APP_ENV') === 'production',
    ],

    'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
        '%s%s',
        'localhost,localhost:3000,localhost:5173,127.0.0.1,127.0.0.1:8000,::1',
        Sanctum::currentApplicationUrlWithPort()
    ))),

    'guard' => ['web'],

    'expiration' => 120,

    'token_prefix' => env('SANCTUM_TOKEN_PREFIX', ''),

    'middleware' => [
        'authenticate_session' => Laravel\Sanctum\Http\Middleware\AuthenticateSession::class,
        'encrypt_cookies' => Illuminate\Cookie\Middleware\EncryptCookies::class,
        'validate_csrf_token' => Illuminate\Foundation\Http\Middleware\ValidateCsrfToken::class,
    ],

];
----------
File: config/cors.php
Content:
<?php

return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    'allowed_methods' => ['*'],
    'allowed_origins' => ['http://localhost:5173'],
    'allowed_origins_patterns' => [],
    'allowed_headers' => ['Authorization', 'Content-Type', 'Cookie'],
    'exposed_headers' => [],
    'max_age' => 0,
    'supports_credentials' => true,
];

----------
File: config/auth.php
Content:
<?php

return [


    'defaults' => [
        'guard' => env('AUTH_GUARD', 'api'),
        'passwords' => env('AUTH_PASSWORD_BROKER', 'users'),
    ],

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver' => 'sanctum',
            'provider' => 'users',
            'hash' => false,
        ],
    ],


    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => env('AUTH_MODEL', App\Models\User::class),
        ],

        // 'users' => [
        //     'driver' => 'database',
        //     'table' => 'users',
        // ],
    ],



    'passwords' => [
        'users' => [
            'provider' => 'users',
            'table' => env('AUTH_PASSWORD_RESET_TOKEN_TABLE', 'password_reset_tokens'),
            'expire' => 60,
            'throttle' => 60,
        ],
    ],



    'password_timeout' => env('AUTH_PASSWORD_TIMEOUT', 10800),

];
----------
File: bootstrap/app.php
Content:
<?php

use Illuminate\Auth\AuthenticationException;
use Illuminate\Cookie\Middleware\EncryptCookies;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Routing\Middleware\SubstituteBindings;
use Illuminate\Session\Middleware\StartSession;
use Illuminate\View\Middleware\ShareErrorsFromSession;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Illuminate\Support\Facades\Log;
use Illuminate\Http\Middleware\HandleCors;
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->use([
            HandleCors::class,
            StartSession::class,
            EnsureFrontendRequestsAreStateful::class,
            EncryptCookies::class,
            ShareErrorsFromSession::class
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        $exceptions->render(function (AuthenticationException $e, $request) {

            if ($request->expectsJson()) {
                return response()->json(['message' => 'Unauthenticated'], 401);
            }
            return response('Unauthenticated', 401);
        });

        $exceptions->render(function (NotFoundHttpException $e, $request) {
            Log::debug("Caught NotFoundHttpException in exception handler: " . $e->getMessage());

            if ($request->expectsJson()) {
                return response()->json(['message' => 'Resource not found'], 404);
            }
            return response()->view('errors.404', [], 404);
        });

        $exceptions->render(function (\Exception $e, $request) {
            Log::debug('Request Info:', [
                'headers' => $request->headers->all(),
                'cookies' => $request->cookies->all(),
                'body' => $request->getContent(),
            ]);
            Log::error("Caught uncaught exception in exception handler: " . get_class($e) . ": " . $e->getMessage());

            return response()->json(['message' => 'Something went wrong'], 500);
        });
    })
    ->create();



----------
File: .env
Content:
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:9gWy0+pqvHZwKGzZhZDGf4i4j+yndF24d6ZBO04nTek=
APP_DEBUG=true
APP_TIMEZONE=UTC
APP_URL=http://localhost


SANCTUM_STATEFUL_DOMAINS=localhost,localhost:5173,localhost:3000,127.0.0.1,127.0.0.1:8000,::1



AUTH_GUARD=api
AUTH_PASSWORD_BROKER=users
AUTH_MODEL=App\Models\User


APP_LOCALE=en
APP_FALLBACK_LOCALE=en
APP_FAKER_LOCALE=en_US

APP_MAINTENANCE_DRIVER=file
# APP_MAINTENANCE_STORE=database

PHP_CLI_SERVER_WORKERS=4

BCRYPT_ROUNDS=12

LOG_CHANNEL=stack
LOG_STACK=single
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug

DB_CONNECTION=mysql
DB_HOST=db
DB_PORT=3306
DB_DATABASE=facil_manag_app
DB_USERNAME=laravel
DB_PASSWORD=password

SESSION_DOMAIN=localhost
SESSION_DRIVER=cookie
SESSION_LIFETIME=120
SESSION_ENCRYPT=false
SESSION_PATH=/
SESSION_SECURE_COOKIE=false

BROADCAST_CONNECTION=log
FILESYSTEM_DISK=local
QUEUE_CONNECTION=database

CACHE_STORE=database
CACHE_PREFIX=

MEMCACHED_HOST=127.0.0.1

REDIS_CLIENT=phpredis
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_MAILER=log
MAIL_HOST=127.0.0.1
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS="[email protected]"
MAIL_FROM_NAME="${APP_NAME}"

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=
AWS_USE_PATH_STYLE_ENDPOINT=false

VITE_APP_NAME="${APP_NAME}"

I've been as verbose as i can with my middleware and config setup in order to give you a through understanding of my approach. If you can think of anything else - i'd be happy to supply it to you. It's probably a simple setting somewhere but i'm unable to find out what it is currently? help.

I login with;

curl --location 'http://localhost/api/login' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Cookie: auth_token=eyJpdiI6InhKeXBxNG9VV1hNVDBJaWZ3V2VuNVE9PSIsInZhbHVlIjoiUWZWeGlFc1hzTHFuZWZ6SzVPVzM1MmhHSUFxL1N6K0FYZkNZM3FkUVh1SHF0akUwSTA2WUZjMjY0dTRsUFY4SjlRM3BlemFBejRraEkvd0Y0aHV3REpXVkdhZkE5ZWxhMFNzSzJjN09sUUMrdk9va1VBbjlQQm9ac21uaW0rUnIiLCJtYWMiOiIyZjBkOTNhODNiOTc2MGFkMzkzMmMyN2FlNDQ0OWE4NDNjMGJmMTRlMWJiMGI1MzYyYjNmMTMxYmVlNmFiZWRjIiwidGFnIjoiIn0%3D; laravel_session=iZ2O2glj1yVL8mskNGkgAJTLMRZQaFxMmaeyVBFr' \
--data-raw '{
    "email": "[email protected]",
    "password": "password"
}'

/routes/api.php

Route::post('/login', [AuthController::class, 'login'])->name('login');

/AuthController.php

<?php

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;
use Laravel\Sanctum\HasApiTokens;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $secure = app()->environment('production');

        $request->validate([
            'email' => 'required|email',
            'password' => 'required|min:6',
        ]);

        $user = User::where('email', $request->email)->first();

        if ($user && Hash::check($request->password, $user->password)) {

            $request->session()->regenerate();
            $token = $user->createToken('FacilityManagementApp')->plainTextToken;

            return response()->json([
                'message' => 'Logged in successfully.',
                'user' => [
                    'id' => $user->id,
                    'name' => $user->name,
                    'email' => $user->email,
                    'role' => $user->role,
                ]
            ], 200)->cookie(
                'auth_token',
                $token,                     
                120,                         
                '/',                        
                null,                       
                $secure,                    
                true                        
            );
        }

        return response()->json(['error' => 'Unauthorized'], 401);
    }
}

I get responses;

{
    "message": "Logged in successfully.",
    "user": {
        "id": 2,
        "name": "Mertie Wisozk Sr.",
        "email": "[email protected]",
        "role": "user"
    }
}

and from personal_access_tokens i observe;

[
  {
    "id": 64,
    "tokenable_type": "App\\Models\\User",
    "tokenable_id": 2,
    "name": "FacilityManagementApp",
    "token": "fcab1bf4ae0bd7b1ebff188af5aa6a692c31c0a8d03a4fdb1f2fc08c5764cb4e",
    "abilities": "[\"*\"]",
    "last_used_at": null,
    "expires_at": null,
    "created_at": "2025-01-06 09:54:25",
    "updated_at": "2025-01-06 09:54:25"
  }
]

so, all looks good. I then try and hit an endpoint which is protected by Sanctum middleware;

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    Log::debug('Authenticated User:', [$request->user()]);
    return $request->user();
});

like thus;

curl --location 'http://localhost/api/user' \
--header 'Cookie: auth_token=eyJpdiI6InhKeXBxNG9VV1hNVDBJaWZ3V2VuNVE9PSIsInZhbHVlIjoiUWZWeGlFc1hzTHFuZWZ6SzVPVzM1MmhHSUFxL1N6K0FYZkNZM3FkUVh1SHF0akUwSTA2WUZjMjY0dTRsUFY4SjlRM3BlemFBejRraEkvd0Y0aHV3REpXVkdhZkE5ZWxhMFNzSzJjN09sUUMrdk9va1VBbjlQQm9ac21uaW0rUnIiLCJtYWMiOiIyZjBkOTNhODNiOTc2MGFkMzkzMmMyN2FlNDQ0OWE4NDNjMGJmMTRlMWJiMGI1MzYyYjNmMTMxYmVlNmFiZWRjIiwidGFnIjoiIn0%3D; laravel_session=iZ2O2glj1yVL8mskNGkgAJTLMRZQaFxMmaeyVBFr'

and get an Unauthenticated response? I'm expecting Sanctum to verify the auth_token cookie and give me an authenticated user in the response?

Here's my efforts and various config files and contents;

File: app/Http/Controllers/AuthController.php
Content:
<?php

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;
use Laravel\Sanctum\HasApiTokens;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $secure = app()->environment('production');

        $request->validate([
            'email' => 'required|email',
            'password' => 'required|min:6',
        ]);

        $user = User::where('email', $request->email)->first();

        if ($user && Hash::check($request->password, $user->password)) {

            $request->session()->regenerate();
            $token = $user->createToken('FacilityManagementApp')->plainTextToken;

            return response()->json([
                'message' => 'Logged in successfully.',
                'user' => [
                    'id' => $user->id,
                    'name' => $user->name,
                    'email' => $user->email,
                    'role' => $user->role,
                ]
            ], 200)->cookie(
                'auth_token',         // Cookie name
                $token,                     // Token value
                120,                         // Expiry time in minutes
                '/',                        // Path for which the cookie is valid
                null,                       // Domain (null means current domain)
                $secure,                    // Secure cookie (only transmitted over HTTPS)
                true                        // HttpOnly (cannot be accessed via JavaScript)
            );
        }

        return response()->json(['error' => 'Unauthorized'], 401);
    }




}
----------
File: routes/api.php
Content:
<?php


use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\AuthController;

Route::post('/login', [AuthController::class, 'login'])->name('login');

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    Log::debug('Authenticated User:', [$request->user()]);
    return $request->user();
});





----------
File: config/sanctum.php
Content:
<?php

use Laravel\Sanctum\Sanctum;

return [

    'cookie' => [
        'name' => 'auth_token',
        'secure' => env('APP_ENV') === 'production',
    ],

    'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
        '%s%s',
        'localhost,localhost:3000,localhost:5173,127.0.0.1,127.0.0.1:8000,::1',
        Sanctum::currentApplicationUrlWithPort()
    ))),

    'guard' => ['web'],

    'expiration' => 120,

    'token_prefix' => env('SANCTUM_TOKEN_PREFIX', ''),

    'middleware' => [
        'authenticate_session' => Laravel\Sanctum\Http\Middleware\AuthenticateSession::class,
        'encrypt_cookies' => Illuminate\Cookie\Middleware\EncryptCookies::class,
        'validate_csrf_token' => Illuminate\Foundation\Http\Middleware\ValidateCsrfToken::class,
    ],

];
----------
File: config/cors.php
Content:
<?php

return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    'allowed_methods' => ['*'],
    'allowed_origins' => ['http://localhost:5173'],
    'allowed_origins_patterns' => [],
    'allowed_headers' => ['Authorization', 'Content-Type', 'Cookie'],
    'exposed_headers' => [],
    'max_age' => 0,
    'supports_credentials' => true,
];

----------
File: config/auth.php
Content:
<?php

return [


    'defaults' => [
        'guard' => env('AUTH_GUARD', 'api'),
        'passwords' => env('AUTH_PASSWORD_BROKER', 'users'),
    ],

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver' => 'sanctum',
            'provider' => 'users',
            'hash' => false,
        ],
    ],


    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => env('AUTH_MODEL', App\Models\User::class),
        ],

        // 'users' => [
        //     'driver' => 'database',
        //     'table' => 'users',
        // ],
    ],



    'passwords' => [
        'users' => [
            'provider' => 'users',
            'table' => env('AUTH_PASSWORD_RESET_TOKEN_TABLE', 'password_reset_tokens'),
            'expire' => 60,
            'throttle' => 60,
        ],
    ],



    'password_timeout' => env('AUTH_PASSWORD_TIMEOUT', 10800),

];
----------
File: bootstrap/app.php
Content:
<?php

use Illuminate\Auth\AuthenticationException;
use Illuminate\Cookie\Middleware\EncryptCookies;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Routing\Middleware\SubstituteBindings;
use Illuminate\Session\Middleware\StartSession;
use Illuminate\View\Middleware\ShareErrorsFromSession;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Illuminate\Support\Facades\Log;
use Illuminate\Http\Middleware\HandleCors;
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->use([
            HandleCors::class,
            StartSession::class,
            EnsureFrontendRequestsAreStateful::class,
            EncryptCookies::class,
            ShareErrorsFromSession::class
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        $exceptions->render(function (AuthenticationException $e, $request) {

            if ($request->expectsJson()) {
                return response()->json(['message' => 'Unauthenticated'], 401);
            }
            return response('Unauthenticated', 401);
        });

        $exceptions->render(function (NotFoundHttpException $e, $request) {
            Log::debug("Caught NotFoundHttpException in exception handler: " . $e->getMessage());

            if ($request->expectsJson()) {
                return response()->json(['message' => 'Resource not found'], 404);
            }
            return response()->view('errors.404', [], 404);
        });

        $exceptions->render(function (\Exception $e, $request) {
            Log::debug('Request Info:', [
                'headers' => $request->headers->all(),
                'cookies' => $request->cookies->all(),
                'body' => $request->getContent(),
            ]);
            Log::error("Caught uncaught exception in exception handler: " . get_class($e) . ": " . $e->getMessage());

            return response()->json(['message' => 'Something went wrong'], 500);
        });
    })
    ->create();



----------
File: .env
Content:
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:9gWy0+pqvHZwKGzZhZDGf4i4j+yndF24d6ZBO04nTek=
APP_DEBUG=true
APP_TIMEZONE=UTC
APP_URL=http://localhost


SANCTUM_STATEFUL_DOMAINS=localhost,localhost:5173,localhost:3000,127.0.0.1,127.0.0.1:8000,::1



AUTH_GUARD=api
AUTH_PASSWORD_BROKER=users
AUTH_MODEL=App\Models\User


APP_LOCALE=en
APP_FALLBACK_LOCALE=en
APP_FAKER_LOCALE=en_US

APP_MAINTENANCE_DRIVER=file
# APP_MAINTENANCE_STORE=database

PHP_CLI_SERVER_WORKERS=4

BCRYPT_ROUNDS=12

LOG_CHANNEL=stack
LOG_STACK=single
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug

DB_CONNECTION=mysql
DB_HOST=db
DB_PORT=3306
DB_DATABASE=facil_manag_app
DB_USERNAME=laravel
DB_PASSWORD=password

SESSION_DOMAIN=localhost
SESSION_DRIVER=cookie
SESSION_LIFETIME=120
SESSION_ENCRYPT=false
SESSION_PATH=/
SESSION_SECURE_COOKIE=false

BROADCAST_CONNECTION=log
FILESYSTEM_DISK=local
QUEUE_CONNECTION=database

CACHE_STORE=database
CACHE_PREFIX=

MEMCACHED_HOST=127.0.0.1

REDIS_CLIENT=phpredis
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_MAILER=log
MAIL_HOST=127.0.0.1
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS="[email protected]"
MAIL_FROM_NAME="${APP_NAME}"

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=
AWS_USE_PATH_STYLE_ENDPOINT=false

VITE_APP_NAME="${APP_NAME}"

I've been as verbose as i can with my middleware and config setup in order to give you a through understanding of my approach. If you can think of anything else - i'd be happy to supply it to you. It's probably a simple setting somewhere but i'm unable to find out what it is currently? help.

• laravel-11
• sanctum

Share Improve this question Follow asked yesterday cookiecookie 2,71888 gold badges3737 silver badges6565 bronze badges

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 0

Adding middleware for API requests i.e. setting the Authorization Bearer header to the secure cookie value $token fixes this.

php artisan make:middleware AttachAuthToken

app/Http/Middleware

class AttachAuthToken
{
    /**
     * Handle an incoming request.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     */
    public function handle(Request $request, Closure $next)
    {
        // Retrieve token from cookie
        if ($token = $request->cookie('auth_token')) {
            // Attach the token as a Bearer token in the Authorization header
            $request->headers->set('Authorization', 'Bearer ' . $token);
        }

        return $next($request);
    }

}

bootstrap/app.php

->withMiddleware(function (Middleware $middleware) {
        $middleware->use([
            ...
            AttachAuthToken::class,
            ...
        ]);
    })

本文标签： Token cookie based authentication with Laravel and Sanctum returns unauthenticatedStack Overflow