I'll do my best not to be wordy!
The existing site (running Laravel 5.3) uses cookie-based authentication with database-stored sessions. The current project is to create an app using Passport (password grant) authentication to consume an API.
Although I know APIs are typically session-less, some of the existing endpoints provide the same JSON data via AJAX that the API would require -- but rely heavily on session data. It would significantly reduce the workload if the API could use the same controllers, but this would require that an authenticated API request have a session.
I won't go through everything that I tried and failed, but what I have working makes me uncomfortable, mostly because I obviously am failing in my understanding of how the SessionManager handles multiple simultaneous drivers. What HAS worked is API middleware (after authentication middleware) that initializes an Eloquent model for a database using the JWT token id in place of what would typically be a session cookie. I'm sure this is morally abhorrent, but it allows global session() use.
    public function handle($request, Closure $next)
    {
        # initialize pre-request
        $session = \App\Models\ApiSession::initSession( auth('api')->user() );
        app()['session'] = $session;

        $response = $next($request);

        # post-request store
        $session->save();

        return $response;
    }
I'd rather do it right if someone can provide some direction!