Laravel Sanctum auth:sanctum middleware with Angular SPA unauthenticated response

Gloire · Apr 11, 2020 · Viewed 9k times

I have an application that has the following setup:

Laravel

Host: appname.local:8000

Environment variables:

  • SESSION_DRIVER=database
  • SESSION_LIFETIME=480
  • SESSION_CONNECTION=mysql
  • SESSION_DOMAIN=.appname.local
  • SESSION_SECURE_COOKIE=false
  • SESSION_COOKIE=appnameapi_session
  • SANCTUM_STATEFUL_DOMAINS='.appname.local,localhost,127.0.0.1'

Angular

Host: appname.local:4200

What works at the moment:

  • I can call Sanctum's csrf-cookie endpoint which sets the CSRF token in my browser.
  • I can then call my API's login endpoint to authenticate the user in my Laravel app using Auth::attempt(). This creates a new entry in the sessions table, as seen below.

[Screenshot: Angular methods to get token and login]

[Screenshot: Session database entry after successful authentication]

What does not work:

Subsequent requests to routes that are protected by the following middleware: auth:sanctum all result in unauthenticated responses. The HTTP requests never make it to my controllers.

[Screenshot: auth:sanctum protected routes]

But I can see in the developer's console that the cookies are being sent. So I don't understand why Sanctum isn't picking up the auth.

I've followed several tutorials and I can't seem to understand why Laravel's Authenticate middleware is unable to see that I've already authenticated my user.

Does anyone know what I could be doing wrong?

Answer

Gloire · Jun 7, 2020

The answers provided by @agm1984 and @Eden Webstudio were quite useful. However, they did not solve my issue.

After additional debugging, I noticed that Sanctum's guard logic looks for a guard in config/sanctum.php. Its default value is web. My default guard for the protected routes is the api guard, which is the guard that I used during the authentication process.

After setting the guard key in config/sanctum.php to 'api', the authentication seems to be working smoothly. To be honest, I can't remember why I decided to use the session driver for my api guard.

[Screenshot: config/sanctum.php]

[Screenshot: config/auth.php]
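
A simplified model of the guard mismatch described in the answer above, added here as an illustration; it is not code from the post or from Sanctum's source. It assumes Laravel's session guard stores the logged-in user's id under a session key that embeds the guard name, and the session payload, token and user id are constructed.

```php
<?php
// Added example: a stand-alone model, NOT Sanctum's or Laravel's own code.

// Assumption: the session guard keeps the authenticated user's id under
// 'login_<guard name>_<sha1 of the guard class>', so each guard has its own key.
function sessionKeyFor(string $guardName): string
{
    return 'login_' . $guardName . '_' . sha1('Illuminate\Auth\SessionGuard');
}

// Hypothetical helper modelling the cookie/session half of auth:sanctum:
// it asks only the guard named by the 'guard' key in config/sanctum.php.
function resolveStatefulUser(array $session, string $sanctumGuard = 'web'): ?int
{
    $key = sessionKeyFor($sanctumGuard);

    // A missing key means "no session user": the request is then treated as
    // unauthenticated even though the session cookie was sent and is valid.
    return isset($session[$key]) ? (int) $session[$key] : null;
}

// Constructed session payload: login was performed through a session-driven
// 'api' guard, as in the question (Auth::attempt() with 'api' as default guard).
$session = [
    '_token'             => 'constructed-csrf-token',
    sessionKeyFor('api') => 42, // constructed user id
];

// Compare the default setting with the corrected one from the answer.
foreach (['web', 'api'] as $configuredGuard) {
    $userId = resolveStatefulUser($session, $configuredGuard);
    printf(
        "sanctum.guard = %-3s -> %s\n",
        $configuredGuard,
        $userId === null ? 'unauthenticated' : "authenticated as user #{$userId}"
    );
}
```

The mismatch fails closed: the session row exists and the cookie is sent, but the guard that Sanctum consults never sees the key the login guard wrote, so the guard used at login and the one named in config/sanctum.php have to agree.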