How to authenticate user without auth:api middleware in laravel 5.3?
You can pass the guard to your method to check if the user is logged in with a particular guard.
$request->user('api');
EDIT
I just want to extend my original answer.
Using $request->user() is exactly the same as using \Auth::user().
When you retrieve the authenticated user, Laravel will default to the guard from your config file, auth.defaults.guard (web in a fresh install).
So when you called $request->user() it was actually $request->user('web').
When you use auth:api, Laravel will then use the api guard as the default.
That's why it worked when using auth:api but didn't when using the default guard.
To solve your issue, you can either call $request->user('api') if you have an Illuminate\Http\Request instance or directly \Auth::guard('api')->user() using the Auth facade.
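The guard selection described above, as an added example that is not part of the original answer: a route registered without the auth:api middleware that still resolves the caller through the api guard and handles the case where nobody was authenticated. It assumes a Laravel 5.3 application whose api guard is configured with a token driver such as Passport; the controller name, the helper methods and the returned fields are hypothetical.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

// Hypothetical controller; its route is registered WITHOUT auth:api,
// so anonymous callers reach the method as well.
class TimelineController extends Controller
{
    public function timeline(Request $request)
    {
        // $request->user() would ask the default guard (auth.defaults.guard,
        // 'web' in a fresh install). Name the guard explicitly instead.
        // Equivalent call: \Auth::guard('api')->user()
        $user = $request->user('api');

        // Without the middleware nothing rejects the request for us, so the
        // null case must be handled here. Decide on the guard's result,
        // not on whether a token was merely sent.
        if ($user === null) {
            return response()->json([
                'authenticated' => false,
                'items' => $this->publicItems(),
            ]);
        }

        return response()->json([
            'authenticated' => true,
            'user_id' => $user->getAuthIdentifier(),
            'items' => $this->itemsFor($user->getAuthIdentifier()),
        ]);
    }

    // Constructed sample data standing in for a real query.
    private function publicItems()
    {
        return [['id' => 1, 'visibility' => 'public']];
    }

    // Constructed sample data; scoped to the resolved user only.
    private function itemsFor($userId)
    {
        return [['id' => 2, 'owner' => $userId, 'visibility' => 'private']];
    }
}
```

Any data that must never reach an anonymous caller belongs only in the branch taken after the guard has returned a user.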
You are using auth:api so I assume you are talking about JSON requests. The access token usually sits in the header of your request, so you can just check it like this:
    public function timeline(Request $request) {
        if ( $request->has('access_token') || $request->header('access_token') ) {
            $user = Auth::guard('api')->user();
        }
        ...
    }
I don't have the time to dig in the code, but you can look at the auth:api middleware. There you will find how the authentication process works. If you haven't found a thing let me know and I'll look into it tonight and improve my answer.
In the file Laravel\Passport\Http\Middleware\CheckClientCredentials you will find this:

    <?php

    namespace Laravel\Passport\Http\Middleware;

    use Closure;
    use League\OAuth2\Server\ResourceServer;
    use Illuminate\Auth\AuthenticationException;
    use League\OAuth2\Server\Exception\OAuthServerException;
    use Symfony\Bridge\PsrHttpMessage\Factory\DiactorosFactory;

    class CheckClientCredentials
    {
        /**
         * The Resource Server instance.
         *
         * @var ResourceServer
         */
        private $server;

        /**
         * Create a new middleware instance.
         *
         * @param  ResourceServer  $server
         * @return void
         */
        public function __construct(ResourceServer $server)
        {
            $this->server = $server;
        }

        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         *
         * @throws \Illuminate\Auth\AuthenticationException
         */
        public function handle($request, Closure $next, ...$scopes)
        {
            $psr = (new DiactorosFactory)->createRequest($request);

            try {
                $psr = $this->server->validateAuthenticatedRequest($psr);
            } catch (OAuthServerException $e) {
                throw new AuthenticationException;
            }

            foreach ($scopes as $scope) {
                if (!in_array($scope, $psr->getAttribute('oauth_scopes'))) {
                    throw new AuthenticationException;
                }
            }

            return $next($request);
        }
    }
When you dig deeper you will see that the request gets validated here: League\OAuth2\Server\ResourceServer.php. My guess is that you will find your answer there.