@pfigdev Of course you need to protect the route. Each HTTP request is completely separate. That endpoint can be hit outside of your dashboard.
If you want to test something then write an actual test, and not try and use an HTTP client like Insomnia.
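A feature test for the protected route in the question, as an added example that is not part of the original thread or anyone's posted code. It assumes the route group lives in `routes/api.php` (so the URL is `/api/favorites/{id}`), the default `App\Models\User` model with a factory, and a named `login` route; the class name is hypothetical.

```php
<?php

namespace Tests\Feature;

use App\Models\User; // assumption: default Laravel User model with a factory
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;

// Hypothetical test class, e.g. tests/Feature/FavoriteRouteAuthTest.php
class FavoriteRouteAuthTest extends TestCase
{
    use RefreshDatabase;

    // Assumption: routes/api.php, so the /favorites prefix is served under /api.
    private const URL = '/api/favorites/1';

    public function test_guest_json_request_is_rejected_with_401(): void
    {
        // getJson() sends "Accept: application/json", so the auth middleware
        // answers 401 instead of redirecting to the login page.
        $this->getJson(self::URL)->assertUnauthorized();
    }

    public function test_guest_non_json_request_is_redirected(): void
    {
        // Without a JSON Accept header an unauthenticated request is redirected
        // to the login route, which is the login page an HTTP client ends up showing.
        $this->get(self::URL)->assertRedirect();
    }

    public function test_authenticated_user_passes_the_middleware(): void
    {
        // Authenticate as a freshly created user on the sanctum guard.
        Sanctum::actingAs(User::factory()->create());

        $response = $this->getJson(self::URL);

        // What the controller returns (200, 404, ...) depends on FavoriteController,
        // which the thread does not show; assert only that auth no longer blocks.
        $this->assertNotSame(401, $response->getStatusCode());
    }
}
```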
I am setting up a feature where a logged-in user of my app can save an item to their favorites and view it. I wanted to set up a route that is protected against unauthorized users. When I test the code below with Insomnia, I get the login page as a response. The route works as intended without the middleware group.
Route::group(['middleware' => ['auth:sanctum']], function() {
    Route::prefix('/favorites')->group(function() {
        Route::get('/{id}', [FavoriteController::class, 'show']);
    });
});
Another question: Do I even need to protect the route if the favorites feature and dashboard are only accessible to signed-in users anyway?