
Protect routes in api routes file

DanielJohan:

Hello

I am trying to protect the routes in the API routes file, so that a route can only be accessed if a user is logged in.

It's a Laravel, Jetstream, Inertia, Vue 3 app, and I make fetch requests which go to the API routes file to load data into the frontend.

I tried the following:

Route::post('/save-word', [ChapterController::class, 'saveWord'])->middleware('auth:sanctum')->name('save-word');

But even if I am logged in, the request does not pass through.

Now, my question is: is it as easy as simply using auth:sanctum, or is there other stuff I have to configure first? I thought that with Inertia and Jetstream everything should be pre-configured.

Does anyone have a thought on this? Thanks in advance.

Snapey:

You cannot be 'logged in' with API routes.

You can send an authentication token with every request.

jlrdw:

Are you correctly creating the token once the credentials are verified? And don't forget that you also need token abilities. Otherwise, are tokens stored? If so, you assign the token to the user once the credentials are met.

Once issued, then the token is used.

Hard to tell why things aren't working in an app without seeing the whole app.

Edit:

I suggest some videos from here or YouTube on Sanctum usage. If YouTube, make sure they are reputable videos.

DanielJohan:

Thanks very much for the replies.

@snapey sorry, I have a hard time understanding the mechanics behind it. I thought Inertia would account for the 'logged-in' state when making requests to API routes.

So basically I create a token upon login and save it in the session or DB, and then I would pass it to the front end and send it back to the backend with every request? Did I get the basic concept right?

The thing is, I have Inertia and Jetstream installed, and I know a lot comes out of the box, and I don't want to re-develop stuff that already comes with it. @tray2, would Sanctum still be the right place to look for that info?

jlrdw:

@DanielJohan

So basically I create a token upon login and save it in the session or DB, and then I would pass it to the front end and send it back to the backend with every request? Did I get the basic concept right?

No, an API is stateless: no session. Again, there are some good Sanctum videos on YouTube.

Also right here: https://laracasts.com/series/laravel-api-master-class

and I know a lot comes out of the box

Yes, but you have to setup token abilities.

Tray2 (Best Answer):

@DanielJohan Jetstream uses Sanctum behind the scenes.

Laravel Jetstream is a beautifully designed application starter kit for Laravel and provides the perfect starting point for your next Laravel application. Jetstream provides the implementation for your application's login, registration, email verification, two-factor authentication, session management, API via Laravel Sanctum, and optional team management features.

https://jetstream.laravel.com/introduction.html

easyeisme:

I was working through the same issue on the same tech stack you described @danieljohan. Adding $middleware->statefulApi(); to the bootstrap/app.php file as described here worked for me: https://laravel.com/docs/11.x/sanctum#sanctum-middleware

From my understanding, this method does not use tokens, but instead relies on Laravel's session cookies to authenticate the request.

easyeisme:

@Snapey Yeah, you're right. Placing those routes within the routes/web.php would certainly work, and perhaps that's the easiest/best way to do it (IDK ... still learning a lot myself). In my mind, however, it seems logical to list the routes related to the views of my application within the web.php file, and list the routes related to API calls (to be consumed by my application and/or by third-parties) within the api.php file ... especially when considering the Laravel/Jetstream/Inertia/Vue3 app [that I have to assume is a SPA] that @danieljohan described.

Snapey:

@easyeisme so create a separate routes file, using the same middleware stack as web.php but called ajax.php

easyeisme:
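The two approaches discussed above (easyeisme's $middleware->statefulApi() for routes/api.php, and Snapey's separate routes file that runs under the web middleware stack) can be expressed in one bootstrap/app.php of a Laravel 11 application. The following file is an added example written for this thread, not code from any participant or from the Laravel or Jetstream projects. The file name routes/ajax.php, the /ajax URL prefix and the "ajax." route-name prefix are assumptions; everything else uses the standard Laravel 11 bootstrap and the Sanctum middleware aliases from the Sanctum documentation.

```php
<?php
// bootstrap/app.php (Laravel 11 layout). Added example for this thread.
// Shows two ways to let the Jetstream session protect XHR endpoints.

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Support\Facades\Route;
use Laravel\Sanctum\Http\Middleware\CheckAbilities;
use Laravel\Sanctum\Http\Middleware\CheckForAnyAbility;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',

        // Option B (Snapey): a third routes file for the app's own XHR calls.
        // It is registered under the full "web" group (session, CSRF check,
        // cookies) plus "auth", so the Jetstream login state applies without
        // any Sanctum configuration. Routes defined in routes/ajax.php as
        // Route::post('/save-word', ...)->name('save-word') become
        // POST /ajax/save-word with the route name "ajax.save-word".
        // File name and prefix are assumptions for this example.
        then: function () {
            Route::middleware(['web', 'auth'])
                ->prefix('ajax')
                ->name('ajax.')
                ->group(base_path('routes/ajax.php'));
        },
    )
    ->withMiddleware(function (Middleware $middleware) {
        // Option A (easyeisme): let routes/api.php authenticate with the
        // session cookie. This prepends Sanctum's
        // EnsureFrontendRequestsAreStateful to the "api" group. For requests
        // whose Referer/Origin host is listed under "stateful" in
        // config/sanctum.php (SANCTUM_STATEFUL_DOMAINS; the defaults cover
        // localhost and the application URL) it runs the session and CSRF
        // middleware, so auth:sanctum sees the logged-in web user. Requests
        // from any other origin still need an Authorization: Bearer token.
        $middleware->statefulApi();

        // Needed to use 'abilities:...' / 'ability:...' on routes that
        // should only accept tokens carrying specific scopes.
        $middleware->alias([
            'abilities' => CheckAbilities::class,
            'ability' => CheckForAnyAbility::class,
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
```

Two checks worth doing after either change: php artisan route:list should show the session middleware on the protected route, and the browser request must carry the X-XSRF-TOKEN header (Laravel's default axios bootstrap sends it from the XSRF-TOKEN cookie). That CSRF check is what stops another site from driving a cookie-authenticated /api/save-word or /ajax/save-word request through the user's browser, so a 419 response after enabling statefulApi() means the header is missing, not that the login failed.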

@Snapey Ahh, I see. So going back to your original comment (re: using the web.php file), would you recommend placing routes that are intended as internal API endpoints for my application (e.g. data collection requests via AJAX) inside the web.php file rather than going through the "hassle" of configuring another routes file for internal API calls? Perhaps prefixing all of my API routes in the web.php file with /ajax, for example?

puklipo:

With Inertia, data is passed to the view from the controller. The form helper is used to send from the front end. It is a mistake to use the API for requests inside the Laravel app.

Inertia is just replacing Blade with Vue or React. Other than that, usage is the same as regular Laravel.

Sanctum has two functions with different purposes, which confuses people.

API Token Authentication

The generally expected usage of API.

Stateless. No session. Authenticate with API token.

Use from outside the Laravel app. Do not use from the front end inside Laravel.

SPA Authentication

Stateful. Session authentication. Same as regular Laravel web guard. Can only be used between the same domain.

With Inertia, there is no need to use either. Since it runs on the same origin, web guard is normally active.
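The "API Token Authentication" half of the split above, shown as an added example for this thread (not code posted by any participant and not Jetstream's own code): a routes/api.php that issues a personal access token with a single ability and then requires that ability on the OP's /save-word route. It assumes Jetstream's User model with the HasApiTokens trait, that the 'abilities' middleware alias has been registered in bootstrap/app.php as the Sanctum documentation describes, and uses the ability name 'word:save' and the request field 'device_name' as example choices.

```php
<?php
// routes/api.php. Added example: stateless token auth for clients outside
// the Inertia front end (a mobile app, a third-party integration).

use App\Http\Controllers\ChapterController;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;

// Issue a personal access token after verifying credentials.
// Throttled: without a limit this endpoint is a password-guessing oracle.
Route::post('/tokens', function (Request $request) {
    $data = $request->validate([
        'email' => ['required', 'email'],
        'password' => ['required', 'string'],
        'device_name' => ['required', 'string', 'max:100'], // assumed field name
    ]);

    $user = User::where('email', $data['email'])->first();

    // One error message for "no such user" and "wrong password",
    // so the endpoint does not confirm which e-mails have accounts.
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }

    // Least privilege: the token gets only the ability this client needs.
    // 'word:save' is an example ability name, not one from the thread.
    $token = $user->createToken($data['device_name'], ['word:save']);

    // The plaintext value is returned exactly once; Sanctum stores only its
    // SHA-256 hash in personal_access_tokens, so it cannot be re-read later.
    return response()->json(['token' => $token->plainTextToken], 201);
})->middleware('throttle:6,1');

// auth:sanctum resolves the user from "Authorization: Bearer <token>";
// 'abilities:word:save' rejects tokens that were not issued with that scope.
Route::middleware(['auth:sanctum', 'abilities:word:save'])->group(function () {
    Route::post('/save-word', [ChapterController::class, 'saveWord'])
        ->name('save-word');

    // Revoke only the token that authenticated this request (per-device logout).
    Route::delete('/tokens/current', function (Request $request) {
        $request->user()->currentAccessToken()->delete();

        return response()->noContent();
    });
});
```

One caveat when both halves are enabled at once: if statefulApi() is also on and the request arrives with the Jetstream session cookie from a stateful domain, Sanctum authenticates the web user and attaches a TransientToken whose can() always returns true, so the 'abilities' middleware does not restrict first-party browser sessions, only real bearer tokens. A quick check from outside the app: curl -X POST -H "Accept: application/json" -H "Authorization: Bearer <token>" https://app.test/api/save-word should succeed with a token created above and return 403 with one created without the 'word:save' ability.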

DanielJohan:

@puklipo In my Laravel, Inertia, Vue 3, Jetstream setup I am using axios to silently retrieve data from the backend. What would be the equivalent of that if using Inertia? By silently I mean without a page reload, and without going through all the middleware tied to the web.php file.

It's been a while since I decided to use axios, but I think when I used Inertia it would even trigger some unwanted behavior like a page reload.

So if Inertia has a function to load data "silently" into the frontend without a page reload or other unnecessary behavior, that would be great.
