
Laravel 9 Auth issue on web and API on the same application

I'm trying to set up authentication for both the web side and the API side of the same Laravel application, but the web authentication is not working. The problem is the SESSION_DOMAIN entry: when I remove it from the .env file, both authentications work fine, but when I keep it in the .env file the web authentication fails with a "419 | Page expired" error.

APP_NAME=Laravel
APP_ENV=local
# NOTE(review): this key was pasted publicly; rotate it (`php artisan key:generate`).
# It encrypts/signs cookies and, with SESSION_DRIVER=cookie below, the whole session.
APP_KEY=base64:ZSiB/A6U0zU8Vn2x8gbNnU1prcw90xQBfqm3JS9qp+I=
# verbose error pages (stack traces); keep false outside local
APP_DEBUG=true
APP_URL=http://localhost

# Origin(s) of the SPA allowed to use cookie/session auth against the API;
# must match the browser's host:port exactly.
SANCTUM_STATEFUL_DOMAINS=localhost:3000
# NOTE(review): a cookie with Domain=localhost is rejected by some browsers
# (Chrome among them), so the session/CSRF cookie never comes back and the
# next POST gets 419 — consistent with "works when this line is removed".
# Leaving it unset for local development is the usual fix; TODO confirm.
SESSION_DOMAIN=localhost

LOG_CHANNEL=stack
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug

DB_CONNECTION=mysql
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=xpert_test
# root with an empty password: local development only
DB_USERNAME=root
DB_PASSWORD=

BROADCAST_DRIVER=log
CACHE_DRIVER=file
FILESYSTEM_DISK=local
QUEUE_CONNECTION=sync
# session payload lives in the (encrypted) cookie itself, so the cookie must
# be accepted by the browser for the web login to persist at all
SESSION_DRIVER=cookie
SESSION_LIFETIME=120

MEMCACHED_HOST=127.0.0.1

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_MAILER=smtp
MAIL_HOST=mailhog
MAIL_PORT=1025
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS="hello@example.com"
MAIL_FROM_NAME="${APP_NAME}"

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=
AWS_USE_PATH_STYLE_ENDPOINT=false

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

This is my .env file.

<?php

namespace App\Http\Controllers\API;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Validator;

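class UserController extends Controller
{
    /**
     * Register a regular user and hand back a Sanctum personal access token.
     *
     * Body: name, email, password, cpassword (must equal password).
     *
     * @return JsonResponse 422 with `errors` when input is invalid, otherwise
     *                      200 with the created user and a plain-text token.
     */
    public function register(Request $request): JsonResponse
    {
        $validator = Validator::make($request->all(), [
            'name' => 'required|string|max:255',
            'email' => 'required|string|email|unique:users,email',
            'password' => 'required|string|min:6',
            'cpassword' => 'required|string|min:6|same:password',
        ], [
            'cpassword.same' => 'Password confirmation does not match.',
        ]);

        if ($validator->fails()) {
            // 422 rather than 200: clients should not have to parse the body
            // to discover that the request was rejected.
            return response()->json([
                'success' => false,
                'errors' => $validator->errors(),
            ], 422);
        }

        $user = User::create([
            'name' => $request->name,
            'email' => $request->email,
            'password' => Hash::make($request->password),
            'role' => 0, // regular user; the web admin login requires role 1
        ]);

        // Only stateful (SPA/cookie) requests carry a session; a plain token
        // client has none and session() would throw a RuntimeException.
        if ($request->hasSession()) {
            $request->session()->regenerate();
        }

        return response()->json([
            'success' => true,
            'user' => $user,
            'token' => $user->createToken('API Token')->plainTextToken,
        ], 200);
    }

    /**
     * Authenticate a regular (role 0) user and issue a Sanctum token.
     *
     * @return JsonResponse 422 on invalid input, 401 on bad credentials,
     *                      otherwise 200 with the user and a plain-text token.
     */
    public function login(Request $request): JsonResponse
    {
        $validator = Validator::make($request->all(), [
            'email' => 'required|string|email',
            'password' => 'required|string|min:5',
        ]);

        if ($validator->fails()) {
            // `validationError`/`message` kept for existing clients; `success`
            // added so every error response has the same shape.
            return response()->json([
                'success' => false,
                'validationError' => true,
                'message' => $validator->errors(),
            ], 422);
        }

        // Non-password keys are applied as query constraints by the user
        // provider, so only role-0 accounts can log in through this endpoint.
        $credentials = [
            'email' => $request->email,
            'password' => $request->password,
            'role' => 0,
        ];

        if (! Auth::attempt($credentials)) {
            // Same message for unknown email and wrong password: no account enumeration.
            return response()->json([
                'success' => false,
                'message' => 'Invalid credentials',
            ], 401);
        }

        // attempt() already resolved the user; no second lookup by email needed.
        $user = Auth::user();

        if ($request->hasSession()) {
            $request->session()->regenerate(); // fresh session id after login
        }

        return response()->json([
            'success' => true,
            'user' => $user,
            'token' => $user->createToken('API Token')->plainTextToken,
        ], 200);
    }

    /**
     * Return the currently authenticated user (set by auth:sanctum).
     */
    public function profile(): JsonResponse
    {
        return response()->json([
            'success' => true,
            'user' => Auth::user(),
        ], 200);
    }

    /**
     * Revoke the caller's API access and drop any stateful session.
     *
     * Deletes every token the user holds, i.e. signs out all API clients,
     * not only the one making this call; use
     * `$request->user()->currentAccessToken()->delete()` if only the
     * calling token should be revoked.
     */
    public function logout(Request $request): JsonResponse
    {
        $request->user()->tokens()->delete();

        // Token-only clients have no session; guard so this stays usable for them.
        if ($request->hasSession()) {
            $request->session()->invalidate();
            $request->session()->regenerateToken(); // new CSRF token for the next session
        }

        return response()->json([
            'success' => true,
            'message' => 'User loggedOut successfully',
        ], 200);
    }
}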

This is my API authentication controller.

<?php

namespace App\Http\Controllers;

use App\Models\Product;
use App\Models\Question;
use App\Models\Section;
use App\Models\Test;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\View\View;

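class AuthController extends Controller
{
    /**
     * Show the admin login page.
     */
    public function index(): View
    {
        return view('index');
    }

    /**
     * Show the admin dashboard with entity counts.
     *
     * The `auth` route middleware only proves that *someone* is signed in,
     * and the API login can start a session for role-0 users, so the admin
     * role is re-checked here; anyone else gets 403.
     */
    public function adminDashboard(): View
    {
        abort_unless((int) (auth()->user()?->role) === 1, 403);

        return view('admin.dashboard', [
            'products_count' => Product::count(),
            'sections_count' => Section::count(),
            'tests_count' => Test::count(),
            'questions_count' => Question::count(),
        ]);
    }

    /**
     * Handle the admin login form.
     *
     * Validates email/password, authenticates against role-1 accounts only,
     * and redirects to the dashboard; any failure redirects back with a
     * single generic error.
     */
    public function adminLogin(Request $request): RedirectResponse
    {
        $request->validate([
            'email' => 'required|email',
            'password' => 'required|max:50|min:5',
        ]);

        // role is part of the credentials (as the API login does with role 0),
        // so a valid non-admin login fails here instead of leaving an
        // authenticated session behind while the page says "Invalid credentials".
        $credentials = $request->only(['email', 'password']) + ['role' => 1];

        if (! auth()->attempt($credentials)) {
            return redirect()->back()->withErrors(['message' => 'Invalid credentials']);
        }

        // Belt and braces in case the user provider ignores the extra key.
        if ((int) auth()->user()->role !== 1) {
            auth()->logout();
            $request->session()->invalidate();
            $request->session()->regenerateToken();

            return redirect()->back()->withErrors(['message' => 'Invalid credentials']);
        }

        // new session id on privilege change (session fixation)
        $request->session()->regenerate();

        return redirect()->route('admin.dashboard');
    }

    /**
     * Sign the admin out, drop the session and rotate the CSRF token.
     */
    public function logout(Request $request): RedirectResponse
    {
        auth()->logout();
        $request->session()->invalidate();
        // otherwise the old CSRF token stays valid for the next session
        $request->session()->regenerateToken();

        return redirect()->route('admin.login.page');
    }
}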

This is my web authentication controller.

// Admin web (session) routes; every action lives on AuthController.
Route::controller(AuthController::class)->group(function () {
    // only unauthenticated visitors may view or submit the login form
    Route::middleware('guest')->group(function () {
        Route::get('/', 'index')->name('admin.login.page');
        Route::post('/admin-login', 'adminLogin')->name('admin.login');
    });

    // NOTE(review): `auth` only checks that someone is signed in; nothing at
    // the route level limits /dashboard to role 1. Logout is reachable by GET,
    // so a cross-site request can sign the admin out — prefer POST with CSRF.
    Route::middleware('auth')->group(function () {
        Route::get('/logout', 'logout')->name('logout');
        Route::get('/dashboard', 'adminDashboard')->name('admin.dashboard');
    });
});

This is my web.php routing file

// Token/SPA API routes under v1 (the leading `api` prefix comes from the
// RouteServiceProvider if the defaults are unchanged); all on UserController.
Route::prefix('v1')->controller(UserController::class)->group(function () {
    // open endpoints; rate limiting relies on whatever the `api` group applies — confirm
    Route::post('/login', 'login');
    Route::post('/register', 'register');

    // require a valid Sanctum token, or a stateful SPA session
    Route::middleware('auth:sanctum')->group(function () {
        Route::get('/profile', 'profile');
        Route::post('/logout', 'logout');
    });
});

This is the api.php file code

P粉311617763P粉311617763268 days ago453


  • P粉818561682

    P粉8185616822023-12-31 11:15:46

    Share more code.

    A 419 error page in Laravel is almost always CSRF-related: the request is being treated as a possible cross-site request forgery because the CSRF token check fails.
