Question
I want to use web authentication for all api routes. I created middleware and this is what it looks like:
    Route::group(['middleware' => ['auth:web'], 'prefix' => 'v1'], function ($router) {
        Route::apiResource('subscriptions', 'Api\SubscriptionController');
        Route::post('subscriptions/{id}/resend', 'Api\SubscriptionController@resend')->name('resend');
        Route::post('subscriptions/{id}/grace', 'Api\SubscriptionController@addGrace')->name('grace');
        Route::apiResource('accounts', 'Api\SocialMediaAccountController');
        Route::post('accounts/{id}/reset', 'Api\SocialMediaAccountController@reset');
        Route::apiResource('customers', 'Api\CustomerController');
    });
When I am already logged in and I try to make a request to an api route, it redirects me to the home page. How can I fix this?
Here is the config/auth.php:
    'defaults' => [
        'guard' => 'web',
        'passwords' => 'users',
    ],
    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
        'api' => [
            'driver' => 'passport',
            'provider' => 'users',
        ],
    ],
    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\User::class,
        ],
        // 'users' => [
        //     'driver' => 'database',
        //     'table' => 'users',
        // ],
    ],
I don't want api routes to be redirected if I am already logged in. I just want to do web authorization and continue with the same request.
Answer 1:
There are quite a few differences between web and api routes in Laravel. The biggest difference being the middleware included by default.
You can see the differences between the middleware groups in app/Http/Kernel.php:
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\Session\Middleware\AuthenticateSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
        'api' => [
            'throttle:60,1',
            'bindings',
        ],
    ];
APIs are supposed to be stateless so cookies and sessions are not set up. Since the api routes do not start the session, you won't have your authenticated session available.
You could set your routes to use the 'web' group, or see about consuming your own API via JavaScript: https://laravel.com/docs/5.6/passport#consuming-your-api-with-javascript.
Answer 2:
Just two updates to restrict your api routes to require your web auth session to make api requests.
- Update middleware from api to web.

    # File: app/Providers/RouteServiceProvider.php
    protected function mapApiRoutes()
    {
        Route::prefix('api')
            ->middleware('web') # <-- CHANGE to 'web'
            ->namespace($this->namespace."\\API")
            ->group(base_path('routes/api.php'));
    }

- Update middleware from auth:api to auth:web (or simply auth).

    # routes/api.php
    use Illuminate\Http\Request;

    Route::middleware('auth:web')->get('/user', function (Request $request) {
        return $request->user();
    });
Source: https://stackoverflow.com/questions/52166907/laravel-using-web-authentication-in-all-api-routes-redirect-to-home
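
A client-side sketch of what Answer 2's change implies, added here as an example and not part of either answer: once the API routes run through the web group shown in Answer 1, VerifyCsrfToken applies, so state-changing requests must carry the session cookie and the CSRF token. The origin, the /api/v1 path and the function names are assumptions; the csrf-token meta tag, the X-CSRF-TOKEN header and the 401/419 statuses are Laravel's defaults.

```javascript
// Added example (assumed names, not from the original answers):
// request builder for a session-authenticated Laravel API.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']); // VerifyCsrfToken skips read-only methods

// Build fetch() arguments for a same-origin API call.
// `origin` and `csrfToken` are parameters so the function also runs outside a browser.
function buildApiRequest(origin, path, method, csrfToken, body) {
  const url = new URL(path, origin);
  // Never attach the session's CSRF token to a request leaving our origin.
  if (url.origin !== new URL(origin).origin) {
    throw new Error('refusing cross-origin API call: ' + url.origin);
  }
  const verb = method.toUpperCase();
  const headers = {
    Accept: 'application/json',            // ask for a JSON error, not a redirect
    'X-Requested-With': 'XMLHttpRequest',
  };
  if (!SAFE_METHODS.has(verb)) {
    if (!csrfToken) throw new Error('CSRF token required for ' + verb);
    headers['X-CSRF-TOKEN'] = csrfToken;
  }
  // 'same-origin' sends the session cookie that auth:web reads.
  const init = { method: verb, headers, credentials: 'same-origin' };
  if (body !== undefined) {
    headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
  }
  return { url: url.href, init };
}

// Map the statuses Laravel returns for session problems to a client action.
function classifyStatus(status) {
  if (status === 401) return 'login-required'; // no authenticated session
  if (status === 419) return 'csrf-expired';   // token mismatch or expired session
  if (status >= 200 && status < 300) return 'ok';
  return 'error';
}

// Browser-only: read the token from <meta name="csrf-token" content="...">.
function csrfTokenFromPage() {
  if (typeof document === 'undefined') return null;
  const meta = document.querySelector('meta[name="csrf-token"]');
  return meta ? meta.getAttribute('content') : null;
}
```

In a page, call `fetch(r.url, r.init)` with `r = buildApiRequest(location.origin, path, method, csrfTokenFromPage(), body)` and branch on `classifyStatus(response.status)`.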