Subsequent tests to API with token guard do not require Auth header

Posted 6 months ago by michapietsch

I'm testing an API with a token guard. When I make a request ($this->getJson()), I provide the API token as a Bearer token in the Authorization header. Subsequent requests without the header also pass as authorized.

Isn't token authorization meant to be stateless? Even $this->flushHeaders() does not change the behavior. For a request without an Authorization header I would expect a 401 to be returned, not a 200. But it seems like the header on the first request is "re-used".

Could anybody please explain this behavior? Am I getting something wrong here?

