
HamidOsouli's avatar

Using Auth::attempt() without password

@bobbybouwmann I want to build a login system without a password. I searched a lot and found out that if we replace the validateCredentials method with true in EloquentUserProvider, we could do that. But how can I do that without changing this file in vendor :( Should I make my own AuthProvider for that? Here is the EloquentUserProvider class:

<?php

namespace Illuminate\Auth;

use Illuminate\Support\Str;
use Illuminate\Contracts\Auth\UserProvider;
use Illuminate\Contracts\Hashing\Hasher as HasherContract;
use Illuminate\Contracts\Auth\Authenticatable as UserContract;

class EloquentUserProvider implements UserProvider
{
    // ... other members of the class omitted ...

    public function validateCredentials(UserContract $user, array $credentials)
    {
        // It works great if we change this block of method to true
        $plain = $credentials['password'];

        return $this->hasher->check($plain, $user->getAuthPassword());
    }
}
0 likes
8 replies
sebwas's avatar

Hey, I know you requested @bobbybouwmann, but I'll weigh in on this.

You should much rather look into overwriting the login method in your App\Http\Controllers\Auth\LoginController. Login actions are handled in there.

Just consider this:

// ...
    /**
     * Handle a login request to the application.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\Response|\Illuminate\Http\JsonResponse
     *
     * @throws \Illuminate\Validation\ValidationException
     */
    public function login (Request $request) {
        return $this->sendLoginResponse($request);
    }
// ...
1 like
HamidOsouli's avatar

I'm afraid it's not working because I'm making a REST API and I log in users with token and phone_number. Cause it's stateless, I don't use the login and auth controller for that. I use my own login method in UserController using these:

public function login()
{
    if (Auth::attempt(['phone_number' => request('phone_number'), 'verification_code' => request('verification_code')])) {
        $user = Auth::user();
        $success['token'] = $user->createToken('App')->accessToken;
        return response()->json(['success' => $success], 200);
    } else {
        return response()->json(['error' => 'Unauthorised'], 401);
    }
}
1 like
bobbybouwmann's avatar
Level 88

The validateCredentials method is not something you can simply override without doing a lot of black magic. So creating your own AuthProvider seems to be the right decision here.

Just curious! How are you going to build the login stuff without the password? Probably sending an email with some login token, right? If that is the case, you might not even need a new AuthProvider. Instead you need a controller that checks the login request with the generated token and that logs the user in, right?

// Assuming the link in the email will be something like this:
// example.com/login?token=123y124ib1ku23bhj12b3h1212

// PasswordLessLoginController

public function login(Request $request)
{
    $token = $request->get('token');

    // where() only builds the query; firstOrFail() fetches the row or aborts with a 404
    $loginRequest = LoginRequest::where('token', $token)->firstOrFail();

    Auth::loginUsingId($loginRequest->user_id);
}

So this assumes that when your user requests a login, you create a new LoginRequest in the database and send an email with the token. You can then use the token to verify the user and log them in, right? No need for a new AuthProvider.

Note: This is a really basic example. Just generating a token might not be enough for security. Also make sure to look at expiring these tokens and so on.

4 likes
Snapey's avatar

I'm puzzled then

"I'm making a REST API and I log in users with token and phone_number. Cause it's stateless, I don't use the login and auth controller for that."

Cause it's stateless, users don't actually log in! Logging in requires state.

You need to look at Passport to issue the user with an authentication token once they validate their ID.

2 likes
HamidOsouli's avatar

Thank you all, here is my scenario: users put their number in the app, and I send the verification code to their mobile phone. Then the user puts the verification code in the app, I check that verification number with the database, and then I log them in. So I want to use the Auth driver to log them in. NOTE: by login, I mean work with Auth and know who requested.

1 like
Snapey's avatar

Then just do what @bobbybouwmann showed and put your routes in web.php and not api.php, so that session middleware is used.

2 likes
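The flow HamidOsouli describes (send a code, check it against the database, then log the user in), combined with bobbybouwmann's note about expiring tokens, as an added example that is not code from the thread. It is plain PHP 8 with an array standing in for the database table; the class name, the 5-minute lifetime, the limit of 5 guesses and the HMAC key are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. The array stands in for a database table.
final class VerificationCodes
{
    private const TTL_SECONDS = 300;  // assumed code lifetime
    private const MAX_ATTEMPTS = 5;   // assumed guess limit per issued code
    private array $rows = [];         // phone_number => [hash, expires, attempts]

    public function __construct(private string $key) {}

    // Issue a 6-digit code; only its HMAC is stored, the code itself goes out by SMS.
    public function issue(string $phone, int $now): string
    {
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $this->rows[$phone] = [
            'hash' => hash_hmac('sha256', $code, $this->key),
            'expires' => $now + self::TTL_SECONDS,
            'attempts' => 0,
        ];
        return $code;
    }

    // True at most once per issued code: right value, not expired, under the guess limit.
    public function verify(string $phone, string $code, int $now): bool
    {
        $row = $this->rows[$phone] ?? null;
        if ($row === null) {
            return false;
        }
        if ($now > $row['expires'] || $row['attempts'] >= self::MAX_ATTEMPTS) {
            unset($this->rows[$phone]); // expired or locked out: a new code is required
            return false;
        }
        $this->rows[$phone]['attempts']++;
        if (!hash_equals($row['hash'], hash_hmac('sha256', $code, $this->key))) {
            return false;
        }
        unset($this->rows[$phone]); // single use: a replayed code finds no row
        return true; // in Laravel, call Auth::loginUsingId() or createToken() here
    }
}

// Constructed demo values (phone number, key and timestamps are made up).
$codes = new VerificationCodes('constructed-demo-key');
$code = $codes->issue('+10000000000', 1000);
var_dump($codes->verify('+10000000000', 'not-it', 1010)); // wrong guess
var_dump($codes->verify('+10000000000', $code, 1020));    // correct code, in time
var_dump($codes->verify('+10000000000', $code, 1030));    // replay of the same code
```

A six-digit code has only a million possible values, so the guess limit and the short lifetime are what keep it from being brute-forced; rate limiting the endpoint that issues codes matters for the same reason.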
