I'm testing an API with a token guard. When I make a request ($this->getJson()), I provide the API token as a Bearer token in the Authorization header. Subsequent requests without the header also pass as authorized.
Isn't token authorization meant to be stateless? Even $this->flushHeaders() does not change the behavior. For a request without an Authorization header I would expect a 401 to be returned, not a 200. But it seems like the header on the first request is "re-used".
Could anybody please explain this behavior? Am I getting something wrong here?