[2.x] Added Multiple Provider Support

[RahulDey12]

So far Laravel Sanctum has not supported any multiple providers based auth guard. So I have added a function called hasValidProvider which accepts the tokenable model and then it matches if the tokenable_type model is an instanceof the provider type. if no provider defined it always returns true.

You need to add guards like this:

'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver' => 'sanctum',
            'provider' => 'users',
        ],

        'admin' => [
            'driver' => 'session',
            'provider' => 'admins',
        ],

        'admin-api' => [
            'driver' => 'sanctum',
            'provider' => 'admins',
        ],
    ],

And you can also use the guard sanctum as before it will work fine.

Note: If you want to use multi auth in SPA that case you should use session guards like auth:admin,admin-api

[KoenLav]

This PR seems to break our usage of "auth:sanctum" as a Guard for GraphQL calls (using Lighthouse).

Tried to pinpoint what's causing it, but haven't been able to find out.

We've downgraded to 2.3.3 and all is fine now.

[RahulDey12]

@KoenLav How ?

[itkarkkainen]

Just noticed the same problem as KoenLav. Confirmed by downgrading from 2.4.0 to 2.3.3. For unknown reason axios calls fail when auth:sanctum route guard is added.

Route::middleware('auth:sanctum')->group(function() { ... }

[ivand88]

This is exactly the thing I was looking for. I'd just wanted to add that in config/sanctum.php you should set:

'guard' => null

Otherwise in your session based SPA you could get response code 200 for the resources where you expect it to be 401.

[reza305z]

@ivand88 Or instead of using web guard, you can define a custom guard with session driver.

[ivand88]

@ivand88 Or instead of using web guard, you can define a custom guard with session driver.

It's not that simple. Please look at the source for the sanctum, and the whole discussion within this PR (Especially issue which mentions this PR #232).
If you add a custom guard in the sanctum config, you will still get a false 200 response code for some resources, when you don't actually expect it.
If needed, I can elaborate more.

[reza305z]

@ivand88 Or instead of using web guard, you can define a custom guard with session driver.

It's not that simple. Please look at the source for the sanctum, and the whole discussion within this PR (Especially issue which mentions this PR #232). If you add a custom guard in the sanctum config, you will still get a false 200 response code for some resources, when you don't actually expect it. If needed, I can elaborate more.

I'd be glad if you explain more.

[dietergeerts]

So far Laravel Sanctum has not supported any multiple providers based auth guard. So I have added a function called hasValidProvider which accepts the tokenable model and then it matches if the tokenable_type model is an instanceof the provider type. if no provider defined it always returns true.

You need to add guards like this:

'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver' => 'sanctum',
            'provider' => 'users',
        ],

        'admin' => [
            'driver' => 'session',
            'provider' => 'admins',
        ],

        'admin-api' => [
            'driver' => 'sanctum',
            'provider' => 'admins',
        ],
    ],

And you can also use the guard sanctum as before it will work fine.

Note: If you want to use multi auth in SPA that case you should use session guards like auth:admin,admin-api

Based on this, I was expecting to use something like

   Route::group(['middleware' => ['auth:admin-api']], function () {
    });

But that doesn't seem to work, because when I want to login with Auth::guard('admin-api)->login, I get errors that login` doesn't exist? Is there any more complete example of how this is supposed to work?

[RahulDey12]

login method does not exist in Sanctum Guard if you want to login any user please use the admin guard on SPA and refer this for token creation https://laravel.com/docs/10.x/sanctum#issuing-api-tokens

[dietergeerts]

login method does not exist in Sanctum Guard if you want to login any user please use the admin guard on SPA and refer this for token creation https://laravel.com/docs/10.x/sanctum#issuing-api-tokens

I was under the impression that sanctum could work with guards and session cookies, as that's stated in the docs, however, it seems that this is only possible for a single guard. As we have 2 portals in the same app, we need multiple guards. As part of our application is already using Laravel Passport, I switched to using API tokens with it. Thanks for the response.

[RahulDey12]

@dietergeerts It's actually possible with laravel you just need to call Auth::guard('admin')->login($admin) & Auth::guard('web')->login($user) accordingly

For the routing it is

Route::group(['middleware' => ['auth:admin-api,admin']], function () {
    //
});