5

How do I combine Passport authentication and normal Laravel authentication?

I want the user to be logged in on pages of web-middleware and api-middleware. The login route is in api-middleware. Currently I have set up Passport authentication and it works fine for all api-middleware routes. How to make the user logged in in web-middleware as well?

Edit #1

What I'm doing:

Login code

    $http = new \GuzzleHttp\Client();

    try {
        $response = $http->post(config('services.passport.login_endpoint'), [
            'form_params' => [
                'grant_type' => 'password',
                'client_id' => config('services.passport.client_id'),
                'client_secret' => config('services.passport.client_secret'),
                'username' => $args['email'],
                'password' => $args['password']
            ]
        ]);

        $user = User::where('email', $args['email'])->first();

        Auth::guard('web')->login($user);
        return [
            "token" => $response->getBody()->getContents(),
            "user" => $user
        ];

    } // ...

Somewhere in some web-middleware route

return auth()->check() ? "logged in" : "not logged in";

returns "not logged in"

  • You should log in the user using the built-in login then use the passport middleware to share the session with your API. Commented Mar 11, 2019 at 21:36
  • @jfadich Thanks I will take a look! Commented Mar 11, 2019 at 21:41

3 Answers

1

Ideally you shouldn't, as Passport auth is for a separate app communicating to the API and Laravel preshipped auth is for MVC, they are separate user sessions.

But assuming you know what you are doing, either call Auth::login($user); on user login via API, or generate the passport token when the user logs in through web middleware auth, whichever login happens first...

Remember Auth::login($user); creates a user session and sets cookies to refer to that session... So you create for yourself a new problem where on logout, there are two places to logout from... as technically the user is logged in twice, with passport token and with a cookie referring to his session...


4 Comments

@red1575 from where is $args getting its values? Is this a command line script you are using for testing or is this called from a web request?
$args contains request data from GraphQL request
Auth::login($user); will create a session for the user then try to set cookies on the client that sends the request... is this the user browser or is this client an API that will just throw the cookies away? If this is a native app is it sharing cookies between all its requests or is it creating a new HTTP client for each request with empty cookies...
I use this new GuzzleHttp client only to get data from the login endpoint. Then I send data back to user browser. So it should be sharing cookies between all its requests, right?
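The "two places to log out from" problem raised in this answer, as an added example that is not part of the original thread: a session login on a `web` route and a logout that ends both the session and the user's Passport access tokens. It assumes Laravel 5.8 with Passport, a User model using the HasApiTokens trait, and both routes registered in routes/web.php; `SessionController` is a hypothetical name.

```php
<?php
// Added example, not code from the thread. Routes are assumed to live in routes/web.php:
// the web group starts the session, the default api group does not.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class SessionController extends Controller // hypothetical controller name
{
    // POST /login (web middleware group)
    public function login(Request $request)
    {
        $credentials = $request->validate([
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);

        if (! Auth::guard('web')->attempt($credentials)) {
            return response()->json(['message' => 'Invalid credentials'], 401);
        }

        // Issue a new session ID after authentication so a pre-login ID is not reused.
        $request->session()->regenerate();

        return response()->json(['user' => Auth::guard('web')->user()]);
    }

    // POST /logout (web middleware group, behind the "auth" middleware)
    public function logout(Request $request)
    {
        $user = Auth::guard('web')->user();

        // Revoke every Passport access token issued to this user so none outlives
        // the session. Refresh tokens are separate records and are not revoked here.
        foreach ($user->tokens as $token) {
            $token->revoke();
        }

        Auth::guard('web')->logout();
        $request->session()->invalidate();

        return response()->json(['message' => 'Logged out']);
    }
}
```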
1

Actually I'm in a situation like you were. I have searched a lot about it. I always needed web authentication because of the nature of my projects but in addition I started to develop projects with api backend so late in comparison with the web development world.

I'm a bit lazy so I generally use Laravel Passport and without working always out of the box, it does the job so in my opinion if you want just the functionality of access tokens for api security, put your user login authentication on web side and just authenticate the api endpoints with auth:api middleware in your api.php file.

I know that that's not the best practice but since it sounds that you are not developing a pure Laravel SPA then you can follow the route for Laravel Multipage application with Vue powered.

But believe me best way is to use either web authentication or api authentication not together then as the above answer says, you will have two authentication working at the same time which does not sound ok.

At the end, when you want to get the authenticated user on blade templates you will use

auth()->user()

but on the other hand in api controllers you should use

auth('api')->user()

which is nice to have but dangerous to use.


0

If you need to log an existing user instance into your application, you may call the login method with the user instance.

Auth::login($user);

You can also use the guard() method:

Auth::guard('web')->login($user);

See the documentation here for more information: https://laravel.com/docs/5.8/authentication#authenticating-users

3 Comments

Thank you for the hints but this does not work. See my edit, maybe I'm missing something?
Try specifying the guard in the check, as well. This code is working for me: \Auth::guard('web')->login($user) and \Auth::guard('web')->check()
I did the same process, removed few fields from blade, passport and register controller but it does not work. Even error is not displayed. debug is true in env
