

Laravel 5.8 Passport 7.4 Migrated App Auth/User Unauthenticated

I have a legacy app (Laravel 5.8, Passport 7.4, VueJS) that I am migrating to a new home. I brought over the old database and the same source code. Login seems fine: it returns the token, which is then sent on the next call to api/auth/user, but that call keeps returning 401 Unauthorized even though I can clearly see that the token being passed is the same one that was returned by the login API. I have been through my Kernel.php and tried reinstalling Passport and config:clear, and I am at a loss. The tokens have the default 1-year expiration. I've been down every rabbit hole I can find but no luck; hopefully someone has some insight.

#AuthController.php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Validator;
use Eula, UserEula, Location, UserLocation, Common, Storage, User, MSO, ApiKeys;

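/**
 * Token-based authentication endpoints for the SPA: login, logout and the
 * "who am I" bootstrap payload.
 */
class AuthController extends Controller
{
  /**
   * Verify email/password against the "web" guard and, when the user, the
   * user's location and the user/location link are all active, issue a
   * Passport personal access token.
   *
   * The raw access token is returned in the Authorization response header.
   * The client must send it back as "Authorization: Bearer <token>", and the
   * web server must forward that request header to PHP, for auth:api routes
   * to accept it.
   *
   * @param  \Illuminate\Http\Request  $request
   * @return \Illuminate\Http\JsonResponse  200 with the token header, or 401 with an "error" message
   */
  public function login(Request $request)
  {
    $credentials = $request->only('email', 'password');

    // NOTE(review): attempt() on the session guard also logs the user in on
    // that guard before the active checks below run. If this route ever runs
    // with a started session, a rejected user would stay logged in on "web" -
    // confirm the route has no session middleware.
    if (!Auth::guard('web')->attempt($credentials)) {
      return response()->json(['error' => "Invalid login/password"], 401);
    }

    $user = Auth::guard('web')->getLastAttempted();
    $location = Location::find($user->location_id);
    $userLocation = UserLocation::where('user_id', $user->user_id)
      ->where('location_id', $user->location_id)
      ->exists();

    // Read the flags from the user that was just verified. Auth::user()
    // resolves the *default* guard, which may not be "web" and can be null
    // here, so it must not be used to pick the error message.
    if (!$user->active) {
      return response()->json(['error' => "User is inactive"], 401);
    }

    // A missing location row is treated like an inactive one instead of
    // failing on a null dereference.
    if (!$location || !$location->active) {
      return response()->json(['error' => "Location is inactive"], 401);
    }

    if (!$userLocation) {
      return response()->json(['error' => "User is inactive for location"], 401);
    }

    $tokenResult = $user->createToken('Personal Access Token');
    $tokenResult->token->save();

    return response()->json(['status' => 'success'], 200)
      ->header('Authorization', $tokenResult->accessToken);
  }

  /**
   * Log the caller out.
   *
   * Revokes the access token that authenticated this request, so a copied
   * token stops working at logout instead of staying valid until it expires,
   * then clears the "web" guard as before.
   *
   * @return \Illuminate\Http\JsonResponse
   */
  public function logout()
  {
    $apiUser = Auth::guard('api')->user();

    // token() comes from Passport's HasApiTokens trait; the guard attaches
    // the token that authenticated the current request.
    if ($apiUser && method_exists($apiUser, 'token')) {
      $token = $apiUser->token();

      if ($token) {
        $token->revoke();
      }
    }

    Auth::guard('web')->logout();

    return response()->json([
      'status' => 'success',
    ], 200);
  }

  /**
   * Return the authenticated user together with location, EULA and MSO data.
   *
   * @return \Illuminate\Http\JsonResponse
   */
  public function user()
  {
    $user = User::find(Auth::id());
    $currentEula = Eula::select('eula', 'eula_id')->orderBy('eula_id', 'desc')->first();
    $location = Common::locationData($user->location_id);

    // NOTE(review): the strict comparison with integer 0 only matches when
    // the driver returns mso_id as an int; if the new host returns numeric
    // columns as strings this takes the mso_id branch instead - confirm
    // (a model $casts entry would make it explicit).
    $msoLocations = Location::select('location_id as value', 'name as text', 'phone')
      ->where('active', 1)
      ->when(Auth::user()->mso_id === 0, function ($query) use ($user) {
        return $query->where('location_id', $user->location_id);
      }, function ($query) use ($user) {
        return $query->where('mso_id', $user->mso_id);
      })
      ->orderBy('name')
      ->get()
      ->toArray();

    $user->locations = Common::getUserLocations(Auth::id());

    // With no EULA rows there is nothing to accept: report that instead of
    // dereferencing null.
    $eula = [
      'current' => $currentEula ? $currentEula->toArray() : null,
      'accepted' => $currentEula
        ? UserEula::where('eula_id', $currentEula->eula_id)->where('user_id', Auth::id())->exists()
        : false,
    ];

    // NOTE(review): the whole User model is serialised into the response;
    // which columns leave the server depends on the model's $hidden/$visible
    // lists, which are not visible here - confirm the password hash and
    // remember token are hidden.
    return response()->json([
      'status' => 'success',
      'data' => [
        'user' => $user,
        'location' => $location,
        'eula' => $eula,
        'mso' => [
          'locations' => $msoLocations,
          'users' => Common::getUsers($user->mso_id),
        ],
      ],
    ]);
  }
}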

#Kernel.php
<?php

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

/**
 * HTTP kernel: declares which middleware run globally, per route group, and
 * by alias. Array order is significant, so entries are kept in place.
 */
class Kernel extends HttpKernel
{
    /**
     * The application's global HTTP middleware stack.
     *
     * These middleware are run during every request to your application.
     * The project's own `preflight` middleware is listed first.
     *
     * @var array
     */
    protected $middleware = [
	    \App\Http\Middleware\preflight::class, 
        \App\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \App\Http\Middleware\TrustProxies::class,
    ];

    /**
     * The application's route middleware groups.
     *
     * Neither group authenticates by itself: the `api` group only throttles
     * (60 requests per minute) and resolves route bindings, so every protected
     * API route has to add an auth middleware such as `auth:api` explicitly.
     *
     * @var array
     */
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
            // Passport: attaches a token cookie to responses on web routes so
            // first-party JavaScript can call the API without a bearer header.
	        \Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
        ],

        'api' => [
            'throttle:60,1',
            'bindings',
        ]
    ];

    /**
     * The application's route middleware.
     *
     * These middleware may be assigned to groups or used individually.
     * `auth` is the alias behind `auth:api`; `auth.key` and `cors` point at
     * project classes whose behaviour is not visible in this file.
     *
     * @var array
     */
    protected $routeMiddleware = [
        'auth' => \App\Http\Middleware\Authenticate::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'auth.key' => \App\Http\Middleware\AuthenticateWithAPIKey::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
        'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
        'cors' => \App\Http\Middleware\Cors::class
    ];

    /**
     * The priority-sorted list of middleware.
     *
     * This forces non-global middleware to always be in the given order:
     * the session is started before authentication, and authentication
     * runs before authorization.
     *
     * @var array
     */
    protected $middlewarePriority = [
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\Authenticate::class,
        \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \Illuminate\Auth\Middleware\Authorize::class,
    ];
}
#.htaccess in the public folder
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /app/

    # Front controller: a request for index.php itself stops here; anything
    # that is not an existing file or directory is rewritten to /app/index.php.
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /app/index.php [L]
    
    # NOTE(review): this pair is meant to copy the Authorization request header
    # into the HTTP_AUTHORIZATION environment variable for PHP. It sits after
    # the [L] rules above, so it does not appear to be applied to requests
    # already routed to index.php. When the server does not pass the header to
    # PHP on its own (typical for CGI/FastCGI setups - confirm for this host),
    # the bearer token never reaches the application and auth:api answers 401.
    # Placing the pair before the front-controller rules avoids this.
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%1]
</IfModule>
#route/api.php

// Authentication API calls, all registered under the "auth" prefix.
Route::group(['prefix' => 'auth'], function () {
  // Public endpoint: the only auth route reachable without a token.
  Route::post('login', 'AuthController@login');

  // Everything in this group must pass the "api" guard first.
  Route::middleware(['auth:api'])->group(function () {
    Route::get('user', 'AuthController@user');
    Route::post('logout', 'AuthController@logout');
  });
});
CDSchultz's avatar

It was my .htaccess; after posting it here I noticed the mistake.

<IfModule mod_rewrite.c>
  # -Indexes turns off automatic directory listings for this folder.
  Options +FollowSymLinks -Indexes

  RewriteEngine On
  RewriteBase /app/

  # Runs before the front-controller rules: whenever the request carries a
  # non-empty Authorization header, copy it into the HTTP_AUTHORIZATION
  # environment variable so PHP can read the bearer token.
  RewriteCond %{HTTP:Authorization} .
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

  # Front controller: a request for index.php itself stops here; anything
  # that is not an existing file or directory is rewritten to /app/index.php.
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /app/index.php [L]
</IfModule>
