
Sanctum api token authentication and auth()->user() / policies

Hello,

UPDATED => Does Sanctum already handle all this? If yes, is the Bearer token also automatically added via axios? The answer is no, I don't see the Bearer token unless I add it manually from the frontend.

Application with Laravel / VueJS.

The authentication is handled via Sanctum SPA authentication.

But SPA authentication requires that the front end and the back end be on the same top-level domain: this is a constraint for my application.

So I need to switch to simple Sanctum API token authentication, which could work fine for me.

At the moment, all rights are handled via the policies applied to the different models, which need to access the authenticated user. But if I use a token to access the different API routes, there is no authentication, so how is it possible to access the authenticated user?

Some questions:

  • To keep handling the rights with the policies and use a token to access the API, I have the idea to create a middleware which retrieves the Bearer token from the request, then finds the user who has this token and authenticates him/her via Auth::login($user), but is it a good idea?

  • Is it a better idea to handle all rights via the token abilities? Is it possible this way to apply complex abilities to the tokens? For example, a user can update a model only if he has the operator role for this model.

  • Any other way to do that ?

Thanks for your help.

Vincent

vincent15000 (OP)
Best Answer

I think that my question has no real significance. I have changed the authentication process to use Sanctum API token authentication and I have tested it: it handles the authenticated user automatically and it's possible to use auth()->user() without any problem.
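As an added example (not code from the original thread), this shows how the token flow fits with the existing policies: the `auth:sanctum` middleware resolves the user from the Bearer token, so `auth()->user()` and the policies keep working, and token abilities can be layered on top for the coarser check. The `Order` model, its `operators()` relation and the route names are assumptions.

```php
<?php
// Added example, not the original poster's code: routes/api.php plus the
// policy it relies on (shown inline). The Order model, its operators()
// relation and the route names are assumptions.
//
// Under "auth:sanctum" the guard reads "Authorization: Bearer <token>", looks
// it up in personal_access_tokens and sets the user, so auth()->user() and
// the existing policies behave exactly as under cookie-based SPA auth. The
// client must add the header itself, e.g. in axios:
//   axios.defaults.headers.common.Authorization = `Bearer ${token}`;

use App\Models\Order;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// Issue a token; abilities cap what this credential may do.
Route::post('/tokens', function (Request $request) {
    $data = $request->validate(['email' => 'required|email', 'password' => 'required']);
    $user = User::where('email', $data['email'])->first();
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        return response()->json(['message' => 'invalid credentials'], 401);
    }
    return ['token' => $user->createToken('spa', ['orders:update'])->plainTextToken];
});

Route::middleware('auth:sanctum')->put('/orders/{order}', function (Request $request, Order $order) {
    // 1. Coarse check: does this token carry the ability at all?
    if (! $request->user()->tokenCan('orders:update')) {
        abort(403, 'token lacks orders:update');
    }
    // 2. Fine-grained check: OrderPolicy::update() receives the user Sanctum
    //    resolved from the token, so the "operator role" rule lives there.
    Gate::authorize('update', $order);
    $order->update($request->validate(['status' => 'required|string']));
    return $order;
});

// app/Policies/OrderPolicy.php (assumed), resolved by policy auto-discovery.
class OrderPolicy
{
    public function update(User $user, Order $order): bool
    {
        // Allow only users holding the operator role for this specific order.
        return $order->operators()->whereKey($user->getKey())->exists();
    }
}
```

The custom middleware from the question is therefore unnecessary: the guard already does the token lookup, and `Auth::login()` would additionally start a session that token clients do not need.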
