Laravel Sanctum - Hitting all the rough edges

  • Published: Apr 9, 2020
  • In this video I'm going to use Laravel Sanctum to authenticate requests to an API using session-based and token-based authentication. While doing so, I'm going to show you all the possible errors that you might get and how to fix them.

Comments • 57

  • @pratikrane149 4 years ago +5

    This is one of a kind of a video. Usually we don't really get to see such tutorials where one touches all the points about a technology in this detail. Thank you Mohamed.

    • @themsaid 4 years ago +1

      Glad you found it useful :) Your comment means a lot

  • @necrotikS 1 year ago

    The best video about Laravel Sanctum I've seen.

  • @daleryanaldover6545 2 years ago +1

    Finally I can send request from different domain

  • @BrianDillingham 4 years ago +5

    Yet another great video! looking forward to the token cookie video you hinted at 😇

  • @GAURAVMAKHECHA 4 years ago +2

    I like your style of making the HTTP calls from the console.

  • @QiroLab 4 years ago +1

    Excellent explanation 👏👏👏

  • @robmellett1319 4 years ago +2

    Amazing video Mohamed! Would love to pay for more videos with this technical walkthrough

    • @themsaid 4 years ago

      Glad you find my content useful :)

  • @millennia 1 year ago

    Amazing, I was so confused. Thank you Mohamed, God bless you

  • @samirboudaoud9432 4 years ago

    Excellent! One question: if I'm using standard Laravel authentication, is the @csrf directive enough instead of getting the cookie through 'sanctum/csrf-cookie' for consuming routes protected by the sanctum middleware? Thanks

  • @lupacescueduar 4 years ago +2

    Great video, thanks Mohamed! Could the session based authentication be tested in Postman or netlify somehow?

  • @briandiolun139 4 years ago +1

    Heya, thanks for your series on multi-tenancy within Laravel - extremely useful and very well explained. I was wondering do you have any advice in using Sanctum with multiple tenants? I am aiming to use it towards two separate auth flows for both Admin and User tables, but finding it a bit confusing as to where the personal access tokens should be stored. Open to better solutions if had anyway.
    Any guidance would be awesome - thanks again!

  • @andytav89 4 years ago

    Does Sanctum allow wild card subdomain for the session? I can't get it to work.

  • @ripon59 2 years ago

    Awesome one

  • @krunalshrimali4471 3 years ago

    Hi
    What kind of multi auth is better? User model and role model combo or each user role as its own model? Please make a video if possible.

  • @rayanthonymadrona988 4 years ago +1

    Great work. Will be waiting for your video on how to securely store a token in a cookie.

    • @themsaid 4 years ago

      If your frontend runs on the same root domain as your API you don't need to use tokens at all. Use the good old cookie-session approach.

    • @TareqHasan 4 years ago

      Mohamed Said Normally in our apps, the JavaScript app resides on app.domain.com and the API on api.domain.com, what would be the suggested way?

  • @adamgm84 4 years ago

    I have mine setup like this, but Auth::logout() throws "Method Illuminate\Auth\RequestGuard::logout does not exist." on POST to /api/logout and also my Login unit test throws "Session store not set on request." on POST to /api/login. I am using the default Laravel AuthenticatesUsers trait. Both those routes point to the AuthenticatesUsers trait.

    • @adamgm84 4 years ago

      I can fix the unit test error by adding this middleware to the 'api' middleware group in Kernel.php: \Illuminate\Session\Middleware\StartSession::class,
      But I can't find any information on the internet about why RequestGuard::logout doesn't exist.

    • @adamgm84 4 years ago

      Bonus update: I can fix the logout error by removing the logout route (ie: Route::post('logout', 'Auth\LoginController@logout')->name('logout'); ) from the group with "auth:sanctum" middleware, and placing it by itself. I have no way to validate if this is correct. The logout route seems like something the docs should show in the minimal example code.
      Bonus update update: I just noticed everything still works in my repo if I move the login route into my guest middleware group (which has LoginController's middleware except logout), so it means that Sanctum is intended to be used with Auth::routes() in the web.php file's root closure. I am almost certain I am about to make a change of this nature and it may alleviate the session store problem because I have everything in api.php currently.

  • @gabrielhernandez8457 3 years ago

    Hi Mohamed!... this works for me exactly like you show us, but when I set https (certbot in nginx) for both app and api, it doesn't work any more, it always throws a cors error... please help!

  • @hassanabas186 4 years ago

    Great tuts Mohamed, if I'm going to use a SPA that fetches data from an API that implements OAuth2, what do you think is the best way to secure the token? Should I shorten the expiration to like half an hour and force the user to log in and obtain a new token? Is that secure enough?

    • @themsaid 4 years ago

      You could do that but the UX will suck, no one likes to keep logging in again and again. Honestly I don't think there's a secure way to store a token when the frontend is hosted in a completely different domain than the API.

  • @aldrinmojica 3 years ago

    Hi Mohamed Said, your videos are very informative and I'd say they're premium videos, thank you so much. I have a question regarding the Laravel Passport client-generated access token.
    It seems the access token generated on login is too 'long', and when I checked it in the database, the generated token didn't seem to match. Is there a possibility to find the generated access token in the database (generated token after login)? We'd love to hear from you or watch another video breaking down what's behind the scenes of Laravel Passport :)

  • @thembocharleslwanga8990 1 year ago

    Thank you

  • @julyostv1376 3 years ago

    I followed your steps, but I'm still getting 401 on my end if I'm using it on a cPanel shared host. But on my localhost it's working.

  • @alexios4392 4 years ago

    Is it required to get a new CSRF-TOKEN from /sanctum/csrf-cookie endpoint before each POST request? Or just before trying to log in?

    • @themsaid 4 years ago

      No, just before you log in.

    • @alexios4392 4 years ago

      @themsaid so until I have this XSRF-TOKEN in the cookie and it is valid, I don't have to send a request for a new token (/sanctum/csrf-cookie)? In my project all GET requests also have this token in the response.

    • @themsaid 4 years ago

      @alexios4392 Yes, you don't need to have it in future requests. Just this one time. Unless the session expires.

    • @alexios4392 4 years ago

      @themsaid Is it possible to use the CSRF token from the meta tag instead and add it to the Axios credentials?
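
The flow discussed in the thread above (request `/sanctum/csrf-cookie` once before logging in, then reuse the `XSRF-TOKEN` cookie until the session expires), as an added example that is not from the video or from any commenter. `SanctumSession`, `readXsrfToken` and `makeFakeBackend` are hypothetical names; the example assumes Laravel's default `X-XSRF-TOKEN` header and its 419 status for a CSRF mismatch, and the backend is a constructed stand-in so the code runs offline.

```javascript
// Added example; all names below are hypothetical, not Sanctum's API.
function readXsrfToken(cookieHeader) {
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx !== -1 && part.slice(0, idx).trim() === 'XSRF-TOKEN') {
      // The cookie value is URL-encoded; the header must carry the decoded value.
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

class SanctumSession {
  constructor(transport, getCookies) {
    this.transport = transport;   // async (method, path, headers, body) => ({ status })
    this.getCookies = getCookies; // () => cookie string, e.g. document.cookie in a browser
    this.csrfFetches = 0;
  }
  async refreshCsrf() {
    this.csrfFetches += 1;
    await this.transport('GET', '/sanctum/csrf-cookie', {}, null);
  }
  async send(method, path, body) {
    // Fetch the cookie only when none is present, i.e. before the first login.
    if (readXsrfToken(this.getCookies()) === null) await this.refreshCsrf();
    const attempt = () => this.transport(method, path,
      { 'X-XSRF-TOKEN': readXsrfToken(this.getCookies()) }, body);
    let res = await attempt();
    if (res.status === 419) {     // token mismatch after session expiry: refresh, retry once
      await this.refreshCsrf();
      res = await attempt();
    }
    return res;
  }
}

// Constructed stand-in for the API so the flow runs offline; not Laravel code.
function makeFakeBackend() {
  const state = { cookies: '', serverToken: null, issued: 0 };
  const transport = async (method, path, headers) => {
    if (path === '/sanctum/csrf-cookie') {
      state.serverToken = `tok${++state.issued}==`;
      state.cookies = `laravel_session=abc; XSRF-TOKEN=${encodeURIComponent(state.serverToken)}`;
      return { status: 204 };
    }
    return { status: headers['X-XSRF-TOKEN'] === state.serverToken ? 200 : 419 };
  };
  return { state, transport, getCookies: () => state.cookies };
}
```

In a browser the transport would be a `fetch` or Axios call with credentials enabled, and `getCookies` would return `document.cookie`.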

  • @fidellistaz766 1 year ago

    Sanctum is working on localhost, but in production after a successful login it is not able to get the user; I get the user unauthenticated

  • @user-jx8uz6tb6k 2 years ago

    awesome!

  • @pratikrane149 4 years ago

    I have a question, can we use this cookie-based SPA authentication feature of Sanctum with a Nuxt SSR?
    Edit: I mean are there any caveats? Or would it be as same as Nuxt SPA?

    • @themsaid 4 years ago +1

      I have no experience with Nuxt so not sure how it works :)

    • @pratikrane149 4 years ago

      @themsaid Alright, no issues man. :)
      BTW if you like working in Vue then you should definitely checkout Nuxt. It gives a breeze of a development experience.

    • @themsaid 4 years ago +1

      @pratikrane149 I will check it out at some point. Taking a frontend break at the moment :)

    • @pratikrane149 4 years ago

      @themsaid Oh yes sure. We anyways need more insights on back-end from a person like you. :)

  • @amaelftah 4 years ago +1

    this is super . keep it up (Y)

  • @bxrank 3 years ago

    How to add prefix in default /login & /register api in laravel sanctum ?
    Ex. Default api are /login & /register
    I want /api/login & /api/register
    How to achieve this?
    Also in /user api i am getting many fields like id,name,email,created_date
    I just want name and email id
    How to do that?

  • @remanbala7532 4 years ago +1

    How to do spa multi auth using Laravel Sanctum ?

    • @themsaid 4 years ago

      What do you mean by multi auth?

    • @remanbala7532 4 years ago

      @themsaid Different user and admin dashboard

  • @ShreyanshPanchal 4 years ago

    07:35 Anyone thinking where did createToken method on User Model come from?
    You have to add this trait on user model "Laravel\Sanctum\HasApiTokens"

    • @themsaid 4 years ago

      Yes, you have to add the trait indeed. Thanks for pointing this out.

  • @riahiyassine7703 1 year ago

    Awesome

  • @riotsportsandentertainment9544 4 years ago

    Voila. :)

  • @pradeepspace3 4 years ago +1

    I am first 😊

    • @ultrasamad 4 years ago +1

      But I was first to like. :-)

  • @kirubaharanmayilvahanam8201 4 years ago

    Very complicated... Wish it was Jeffrey

    • @themsaid 4 years ago +6

      There's a really good video on Laracasts by Andre Madrang that you can check laracasts.com/series/whats-new-in-laravel-7/episodes/6

    • @kirubaharanmayilvahanam8201 4 years ago

      Thank you Said. Will check it out. 🙏

    • @BrianDillingham 4 years ago +9

      Some of us needed the complex version not an introduction. The topic is inherently complex. I think Mohamed does a great job at making the complex more digestible

    • @kirubaharanmayilvahanam8201 4 years ago

      Brian Dillingham I understand, I didn't mean to hurt him. I couldn't follow along. Maybe it's complicated to me.