use laravel jwt authentication only for api without affecting web

Question

I have an issue with authentication in laravel web, I only what to use the JWT authentication for the api only, I notice whenever I change guard in defaults to web 'guard' => 'web' and I try to login with postman using my api it will not work and this error show("message": "Method Illuminate\Auth\SessionGuard::factory does not exist.") but the web will work, if I change it to 'guard' => 'api' I will not be able to login in the web but the api postman login will work.

Only web will work

'defaults' => [
    'guard' => 'web',
    'passwords' => 'users',
],
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'api' => [
        'driver' => 'jwt',
        'provider' => 'users',
    ],
],

Only api will work

'defaults' => [
    'guard' => 'api',
    'passwords' => 'users',
],
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'api' => [
        'driver' => 'jwt',
        'provider' => 'users',
    ],
],

Route

Route::group([
    'prefix' => 'auth'
], function () {
    Route::post('login', [AuthController::class, 'login']);
    Route::post('logout', [AuthController::class, 'logout']);
    Route::post('refresh', [AuthController::class, 'refresh']);
    Route::post('me', [AuthController::class, 'me']);
});

Controller

class AuthController extends Controller
{

    public function __construct()
    {
        $this->middleware('auth:api', ['except' => ['login']]);
    }


    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');

        if ($token = $this->guard()->attempt($credentials)) {
            return $this->respondWithToken($token);
        }

        return response()->json(['error' => 'Unauthorized'], 401);
    }


    public function me()
    {
        return response()->json($this->guard()->user());
    }


    public function logout()
    {
        $this->guard()->logout();

        return response()->json(['message' => 'Successfully logged out']);
    }


    public function refresh()
    {
        return $this->respondWithToken($this->guard()->refresh());
    }


    protected function respondWithToken($token)
    {
        return response()->json([
            'access_token' => $token,
            'token_type' => 'bearer',
            'expires_in' => $this->guard()->factory()->getTTL() * 60
        ]);
    }

    public function guard()
    {
        return Auth::guard();
    }
}

I just want to use JWT authentication for only the api without affecting the web, Thanks

score 0 · Answer 1 · answered Mar 29 '22 at 10:10

0

What defaults.guard config does is setting the default guard to be used if none specified.

If you want 2 different authentication methods and guards you should specify each by name in your middlewares.

So instead of Route::middleware('auth')->get(...);
you should write Route::middleware('auth:api')->get(...);

If you want to protect all routes in a group you can do it in app/Http/Kernel.php by adding this lines:

protected $middlewareGroups = [
    'web' => [
        ...
        'auth:web'
    ],
    'api' => [
        ...
        'auth:api'
    ],
];

answered Mar 29 '22 at 10:10

HubertNNN

1,727
1
14
29

Hi @HubertNNN thank for your response but am I changing this `Route::middleware('auth:api')->get(...)` in my route, cause the auth in my route is prefix `'prefix' => 'auth'` see my code above – delle Mar 29 '22 at 11:06
You have `'except' => ['login']` in your middleware setting and then in that controller you have `$this->guard()->attempt($credentials)`. that `guard()` function will give you the default guard (web), you should change that to `guard('api')` so you would get `Auth::guard('api')` – HubertNNN Mar 29 '22 at 11:39
Just to be sure I should change `$token = $this->guard()->attempt($credentials))` to `$token = $this->guard('api')->attempt($credentials))` in the controller – delle Mar 29 '22 at 12:09
Still did not work – delle Mar 29 '22 at 18:28

score 0 · Answer 2 · answered Mar 29 '22 at 10:10

you can use this

'defaults' => [
    'guard' => 'web',
    'passwords' => 'users',
],

and in controller where you need api guard use this

auth('api')

for example in login controller

 public function login(Request $request)
    {
        $validator = Validator::make($request->all(), [
            'email' => 'required|email',
            'password' => 'required|string|min:6',
        ]);

        if ($validator->fails()) {
            return response()->json($validator->errors(), 422);
        }

        if (!$token = auth('api')->attempt($validator->validated())) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }

        $token = auth('api')->claims(['user' =>  auth('api')->user()])->attempt($validator->validated());
        return $this->createNewToken($token);

  
    }

Hi @Mohammad Reza thanks for your respond but still did not work getting, Look at my login code in my AuthController above, I change `$token = $this->guard()->attempt($credentials)` to `$token = $this->auth('api')->attempt($credentials)` — delle, Mar 29 '22 at 10:55

score 0 · Answer 3 · answered Mar 30 '22 at 01:31

i use this controller and works for me

class UserController extends Controller
{
    public function __construct()
    {
        $this->middleware('auth:api', ['except' => ['login', 'register']]);
    }

    /**
     * Get a JWT via given credentials.
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function login(Request $request)
    {
        $validator = Validator::make($request->all(), [
            'email' => 'required|email',
            'password' => 'required|string|min:6',
        ]);

        if ($validator->fails()) {
            return response()->json($validator->errors(), 422);
        }

        if (!$token = auth('api')->attempt($validator->validated())) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }

        $token = auth('api')->claims(['user' => auth('api')->user()])->attempt($validator->validated());
        return $this->createNewToken($token);

        // return response()->json([
        //     'token' => $this->createNewToken($token),
        // ]);
    }

    /**
     * Register a User.
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function register(Request $request)
    {
        $validator = Validator::make($request->all(), [
            'name' => 'required|string|between:2,100',
            'email' => 'required|string|email|max:100|unique:users',
            'password' => 'required|string|confirmed|min:6',
        ]);

        if ($validator->fails()) {
            return response()->json($validator->errors()->toJson(), 400);
        }

        $user = User::create(array_merge(
            $validator->validated(),
            ['password' => bcrypt($request->password)]
        ));

        return response()->json([
            'message' => 'User successfully registered',
            'user' => $user,
        ], 201);
    }


    /**
     * Log the user out (Invalidate the token).
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function logout()
    {
        Auth::logout();
        return response()->json(['message' => 'User successfully signed out']);
    }

    /**
     * Refresh a token.
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function refresh()
    {
        return $this->createNewToken(auth::refresh());
    }

    /**
     * Get the authenticated User.
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function userProfile()
    {
        return response()->json(auth::user());
    }

    /**
     * Get the token array structure.
     *
     * @param  string $token
     *
     * @return \Illuminate\Http\JsonResponse
     */
    protected function createNewToken($token)
    {
        return response()->json([
            'access_token' => $token,
            'token_type' => 'bearer',
            'expires_in' => auth('api')->factory()->getTTL() * 60,
            'user' => auth('api')->user(),
        ]);
    }
}

and routes

Route::prefix('user')->middleware('api')->group(function () {
    Route::post('/login', [UserController::class, 'login']);
    Route::post('/logout', [UserController::class, 'logout']);
    Route::post('/refresh', [UserController::class, 'refresh']);
    Route::get('/user-profile', [UserController::class, 'userProfile']);
    Route::post('/register', [UserController::class, 'register']);
});

use laravel jwt authentication only for api without affecting web

3 Answers3