In this video I'm going to use Laravel Sanctum to authenticate requests to an API using session-based and token-based authentication. While doing so, I'm going to show you all the possible errors that you might get and how to fix them.
This is a one-of-a-kind video. Usually we don't really get to see such tutorials where one touches all the points about a technology in this much detail. Thank you Mohamed.
Heya, thanks for your series on multi-tenancy within Laravel - extremely useful and very well explained. I was wondering, do you have any advice on using Sanctum with multiple tenants? I am aiming to use it for two separate auth flows for both Admin and User tables, but I'm finding it a bit confusing as to where the personal access tokens should be stored. Open to better solutions if you have any, anyway. Any guidance would be awesome - thanks again!
How to add a prefix to the default /login & /register API in Laravel Sanctum? Ex. The default APIs are /login & /register; I want /api/login & /api/register. How to achieve this? Also in the /user API I am getting many fields like id, name, email, created_date. I just want name and email ID. How to do that?
Hi Mohamed!... this works for me exactly like you showed us, but when I set up HTTPS (certbot in nginx) for both the app and the API, it doesn't work any more, it always throws a CORS error... please help!
Excellent! One question: if I'm using standard Laravel authentication, is the @csrf directive enough instead of getting the cookie through 'sanctum/csrf-cookie' for consuming routes protected by Sanctum middleware? Thanks
Hi Mohamed Said, your videos are very informative and I'd say they're premium videos, thank you so much. I have a question regarding the Laravel Passport client-generated access token. It seems the access token generated once logged in is too 'long', and when I checked it in the database, the generated token doesn't seem to match. Is there a possibility to find the generated access token in the database (the token generated after login)? We'd love to hear from you or watch another video breaking down what's behind the scenes of Laravel Passport :)
I have mine setup like this, but Auth::logout() throws "Method Illuminate\Auth\RequestGuard::logout does not exist." on POST to /api/logout and also my Login unit test throws "Session store not set on request." on POST to /api/login. I am using the default Laravel AuthenticatesUsers trait. Both those routes point to the AuthenticatesUsers trait.
I can fix the unit test error by adding this middleware to the 'api' middleware group in Kernel.php: \Illuminate\Session\Middleware\StartSession::class. But I can't find any information on the internet about why RequestGuard::logout doesn't exist.
Bonus update: I can fix the logout error by removing the logout route (i.e. Route::post('logout', 'Auth\LoginController@logout')->name('logout'); ) from the group with "auth:sanctum" middleware, and placing it by itself. I have no way to validate if this is correct. The logout route seems like something the docs should show in the minimal example code. Bonus update update: I just noticed everything still works in my repo if I move the login route into my guest middleware group (which has LoginController's middleware except logout), so it means that Sanctum is intended to be used with Auth::routes() in the web.php file's root closure. I am almost certain I am about to make a change of this nature, and it may alleviate the session store problem because I have everything in api.php currently.
Great tuts Mohamed. If I'm going to use a SPA that fetches data from an API that implements OAuth2, what do you think is the best way to secure the token? Should I shorten the expiration to something like half an hour and force the user to log in and obtain a new token? Is that secure enough?
You could do that but the UX will suck, no one likes to keep logging in again and again. Honestly I don't think there's a secure way to store a token when the frontend is hosted in a completely different domain than the API.
@themsaid so until I have this XSRF-TOKEN in a cookie and it is valid, I don't have to send a request for a new token (/sanctum/csrf-cookie)? In my project all GET requests also have this token in the response.
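The cookie reuse asked about above, as an added example that is not from the video or from any commenter: an SPA on the same site as the API reads Laravel's XSRF-TOKEN cookie, URL-decodes it and sends it back as the X-XSRF-TOKEN header on state-changing requests; it only calls /sanctum/csrf-cookie when no such cookie is present yet. The helper names (readCookie, csrfHeaders, ensureCsrfHeaders) and the fetchCsrfCookie callback are assumptions made for this example; the cookie name is Laravel's default.

```javascript
// Added example, not code from the video or the thread. Assumes the API is on
// the same site as the SPA and that Laravel's default XSRF-TOKEN cookie name is used.

// Parse a document.cookie-style string and return the decoded value of one
// cookie, or null if it is absent. Laravel URL-encodes the XSRF-TOKEN value,
// so it must be decoded before it is sent back in the X-XSRF-TOKEN header.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) {
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

// Build the headers for a POST/PUT/DELETE request from the cookies already held.
// Returns null when there is no XSRF-TOKEN cookie yet (caller must fetch one).
// GET requests do not need the header; the session cookie alone authenticates them.
function csrfHeaders(cookieString) {
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  if (token === null) {
    return null;
  }
  return {
    'X-XSRF-TOKEN': token,
    // Marks the request as an XHR so Laravel returns JSON 401/419 instead of a redirect.
    'X-Requested-With': 'XMLHttpRequest',
    'Accept': 'application/json',
  };
}

// Fetch the CSRF cookie only when it is missing. fetchCsrfCookie is a hypothetical
// callback that performs the GET and resolves with the updated cookie string; in a
// browser it would be something like:
//   await fetch('/sanctum/csrf-cookie', { credentials: 'include' }); return document.cookie;
async function ensureCsrfHeaders(cookieString, fetchCsrfCookie) {
  let headers = csrfHeaders(cookieString);
  if (headers === null) {
    const refreshed = await fetchCsrfCookie();
    headers = csrfHeaders(refreshed);
  }
  if (headers === null) {
    throw new Error('XSRF-TOKEN cookie was not set by /sanctum/csrf-cookie');
  }
  return headers;
}
```

Axios performs the cookie-to-header copy automatically for XSRF-TOKEN, which is why it is rarely visible in tutorials; with plain fetch you do it yourself, as above. Because the token is bound to the session, a new cookie is only needed when the session is reset (for example after logout), not on every request.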
I have a question: can we use this cookie-based SPA authentication feature of Sanctum with Nuxt SSR? Edit: I mean, are there any caveats? Or would it be the same as a Nuxt SPA?
@themsaid Alright, no issues man. :) BTW if you like working in Vue then you should definitely check out Nuxt. It gives a breeze of a development experience.
Some of us needed the complex version, not an introduction. The topic is inherently complex. I think Mohamed does a great job at making the complex more digestible.