I know that api.php routes should really be stateless and so using cookies for auth isn't, theoretically, correct and RESTful, but bear with me, I'm being pragmatic.
I'm trying to use cookie/session auth for testing some API functionality. Let's strip it right back. I have:
    Route::middleware('auth:api')->get('/user', function (Request $request) {
        return $request->user();
    });
in my default api.php routes file. When I visit https://myapp.com/api/user it fails to authenticate me and I get a redirect to /login.
This Route seems to have two lots of middleware applied. One is specified in $middlewareGroups in Kernel.php and seems to be applied to anything in the api.php routes.
I've found out from elsewhere that I need to add EncryptCookies and StartSession to that to make the session work:
    'api' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Session\Middleware\StartSession::class,
        'throttle:60,1',
        'bindings',
    ],
The other set of middleware seems to be controlled by the auth:api string that is passed to Route::middleware().
Now, I THINK that this applies the guards listed in config/auth.php:
    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
        'api' => [
            'driver' => 'token',
            'provider' => 'users',
        ],
    ],
So I've changed the API driver to session in here.
But I'm still getting the failed auth and redirect to /login.
If I change the auth:api string in the routes file to just auth then it works, but I want to track down why setting my api driver to session in the config doesn't also make this work.
Is there something else I have to do to change how the auth:api middleware is working?
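
An added illustration, not part of the original question and not Laravel's own code: a stand-alone PHP model of how a session-driver guard looks up the logged-in user under a session key that embeds the guard's name, so two session guards named web and api read different keys from the same session. It assumes the login went through the web guard; the function names and the user id 42 are constructed for the example.

```php
<?php
// Stand-alone model of session-guard lookup (illustration only, not framework code).
// Laravel's session guard stores the user id under a key of the form
// login_<guard name>_<sha1 of the guard class>, so the key differs per guard.

const GUARD_CLASS = 'Illuminate\Auth\SessionGuard';

// Session key used by the guard with the given name (hypothetical helper).
function guardSessionKey(string $guardName): string
{
    return 'login_' . $guardName . '_' . sha1(GUARD_CLASS);
}

// Log a user in through the named guard: write the id under that guard's key.
function login(array &$session, string $guardName, int $userId): void
{
    $session[guardSessionKey($guardName)] = $userId;
}

// Resolve the user id for the named guard, or null when unauthenticated.
function userId(array $session, string $guardName): ?int
{
    return $session[guardSessionKey($guardName)] ?? null;
}

// Constructed session: the login form authenticated user 42 via the "web" guard.
$session = [];
login($session, 'web', 42);

// "auth" (default guard, assumed to be web) finds the user;
// "auth:api" with driver => session reads a different key and finds nothing.
foreach (['web', 'api'] as $guard) {
    $id = userId($session, $guard);
    printf("%-3s guard: %s\n", $guard, $id === null ? 'unauthenticated' : "user $id");
}
```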