
EdTheDuck

Token Authentication for API Endpoints

Hi,

I am creating a rather simple API to feed data to a vue front-end in Laravel 6, and using token based authentication.

In my api routes file, I have the following test route:

Route::group(['middleware' => 'auth:api', 'prefix' => 'v1'], function()
{
    Route::get('/user', function(Request $request){
        return $request->user();
    });
});

In my Handler file, I have tried to overwrite the unauthenticated function as follows:

protected function unauthenticated($request, AuthenticationException $exception)
{
    return response()->json(['error' => 'Unauthenticated'], 401);
}

This works perfectly if the request accepts application/json (this function is called then), but if no accept is present in the request then I get a 500 error of "Route [login] not defined." (I assume it's trying to do the redirect as if it was a regular web request.)

Ideally, I'd rather my API didn't 500 if someone forgets to enter a correct accepts value. Does anyone know how I can get this function to be used regardless of the accepts value of the request?

Nakov
Best Answer

@edtheduck the default implementation of the unauthenticated method is this one:

protected function unauthenticated($request, AuthenticationException $exception)
{
    if ($request->expectsJson()) {
        return response()->json(['error' => 'Unauthenticated.'], 401);
    }

    return redirect()->guest('login');
}

Which means the check happens within the method if it is a JSON or not a JSON request. Now when you override it, it means that you always respond with JSON.

And from the overridden method you are not calling the parent class method in order to respond with a redirect to the login route.

So check if you've got the correct import for the exception:

use Illuminate\Auth\AuthenticationException;

And make sure that it hits this method. Or check where else you use route('login');

EdTheDuck

@nakov Thank you for the quick reply.

I thought that the expects check was done within the function, which is why I found it so strange that this function doesn't seem to trigger at all without the json accepts header (I confirmed this with a dd within the function).

I do indeed have the use for AuthenticationException, and I don't call the login route anywhere in my code (although I assume it is hardcoded somewhere within the Laravel codebase).

Nakov

@edtheduck I just added the unauthenticated method in my Handler and added the same route as you have. Tried in my browser:

myurl.test/api/v1/user returns a JSON response even though the request is not JSON.

EdTheDuck

@nakov How strange. I will try and dig through my code and work out why mine is behaving differently then.

Thank you for the assistance.
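
An added example, not code from any poster in this thread: in the stock Laravel 6 skeleton, app/Http/Middleware/Authenticate.php calls route('login') from redirectTo() for any request that does not expect JSON, and that call runs before Handler::unauthenticated() is reached, which matches the "Route [login] not defined" 500 described above. The sketch below assumes that stock middleware is in use and that API routes sit under the default "api" URI prefix; it shows both files in one listing using bracketed namespaces.

```php
<?php
// Added example: two application files shown in one listing.

namespace App\Http\Middleware {   // app/Http/Middleware/Authenticate.php

    use Illuminate\Auth\Middleware\Authenticate as Middleware;

    class Authenticate extends Middleware
    {
        // Runs while the base middleware builds the AuthenticationException,
        // before Handler::unauthenticated() is reached.
        protected function redirectTo($request)
        {
            // Assumption: API routes use the default "api" URI prefix.
            // Returning null means no redirect target is resolved, so a missing
            // Accept header can no longer trigger route('login') on API calls.
            if ($request->expectsJson() || $request->is('api/*')) {
                return null;
            }

            return route('login');
        }
    }
}

namespace App\Exceptions {        // app/Exceptions/Handler.php

    use Illuminate\Auth\AuthenticationException;
    use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;

    class Handler extends ExceptionHandler
    {
        protected function unauthenticated($request, AuthenticationException $exception)
        {
            // API callers always get a 401 JSON body, whatever Accept header they sent.
            if ($request->expectsJson() || $request->is('api/*')) {
                return response()->json(['error' => 'Unauthenticated'], 401);
            }

            // Web requests keep the framework's default redirect behaviour.
            return parent::unauthenticated($request, $exception);
        }
    }
}
```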
