laravel / sanctum

Laravel Sanctum provides a featherweight authentication system for SPAs and simple APIs.
https://laravel.com/docs/sanctum
MIT License

Unauthenticated or infinite loop #519

Closed payalord closed 4 months ago

payalord commented 4 months ago

Sanctum Version

v3.3.3

Laravel Version

v10.48.12

PHP Version

8.1.2-1ubuntu2.17

Database Driver & Version

MySQL 8.0.36-0ubuntu0.22.04.1

Description

I was following the installation instructions on this page: https://laravel.com/docs/10.x/sanctum

And I have a problem: even if the bearer token is present, Sanctum doesn't authenticate the user by it and I'm getting a 401, with the message:

{
    "message": "Unauthenticated."
}

Steps To Reproduce

Steps that I did:

  1. composer require laravel/sanctum - which installed sanctum v3.3.3
  2. php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
  3. php artisan migrate
  4. I didn't add \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class to my api route middleware.
  5. I have added next code to routes/api.php to test it:
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Route;
    use Illuminate\Support\Facades\Log;

    Route::middleware('auth:sanctum')->get('/data', function (Request $request) {
        Log::info('API /data route accessed');
        return response()->json(['data' => 'API Data']);
    });
  6. I have added in config/auth.php an api guard:
    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
        'api' => [
            'driver' => 'sanctum',
            'provider' => 'users',
            'hash' => false,
        ],
    ],
  7. I set in config/sanctum.php:

    /*
    |--------------------------------------------------------------------------
    | Sanctum Guards
    |--------------------------------------------------------------------------
    |
    | This array contains the authentication guards that will be checked when
    | Sanctum is trying to authenticate a request. If none of these guards
    | are able to authenticate the request, Sanctum will use the bearer
    | token that's present on an incoming request for authentication.
    |
    */
    
    'guard' => null,

Then I created 1 token with the Sanctum createToken function: $token = $user->createToken('API_TOKEN')->plainTextToken;. So the token exists in the table personal_access_token. My user model has the trait HasApiToken by default from Laravel; I didn't touch it.

Then I made a request from Postman to the api/data endpoint and got a 401 unauthorized error. Before sending that request, I set Authorization Bearer to my created token and I set Accept to application/json. I also tried to set Origin to localhost and to localhost:3000 (<-- where the site is served). In all cases I got:

{
    "message": "Unauthenticated."
}

If I set guard in config/sanctum.php to ['web','api'], I get an Xdebug infinite loop error. In Sanctum version 3.0.2, by contrast, setting guard to ['web','api'] on Laravel 9 in another project didn't have any infinite loop errors and Sanctum was working fine there. But with Laravel 10 I can't downgrade to v3.0.2, since support for Laravel 10 was added in v3.2.0.

crynobone commented 4 months ago

Hey there, thanks for reporting this issue.

We'll need more info and/or code to debug this further. Can you please create a repository with the command below, commit the code that reproduces the issue as one separate commit on the main/master branch and share the repository here?

Please make sure that you have the latest version of the Laravel installer in order to run this command. Please also make sure you have both Git & the GitHub CLI tool properly set up.

laravel new bug-report --github="--public"

Do not amend and create a separate commit with your custom changes. After you've posted the repository, we'll try to reproduce the issue.

Thanks!

driesvints commented 4 months ago

Hey there,

Unfortunately we don't support this version anymore. Please check out our support policy on which versions we are currently supporting. Can you please try to upgrade to the latest version and see if your problem persists? If so, please open up a new issue and we'll help you out.

Thanks!

payalord commented 4 months ago

Hi, I wanted to say sorry. I checked again and this was completely my mistake. The first time, when I reported this issue here, I was using the token's hash directly from the DB as the token, instead of the token returned by $user->createToken('API_TOKEN')->plainTextToken; I missed the point that in the DB Sanctum doesn't store the plain token, but stores its hash instead.

So I think there is no problem with Sanctum. And thanks for your support guys anyway!
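
Added example (not part of the thread, and not Sanctum's source code): a simplified, in-memory model of the hashed-token lookup behind the resolution above, showing why the value stored in the database column is rejected when sent as the bearer token. The function names, the array standing in for the table, and the `id|secret` layout with a SHA-256 digest are assumptions of this sketch, modelled on how Sanctum's personal access tokens behave.

```php
<?php
// Simplified model of hashed API tokens; the array stands in for the
// personal access token table (id => row). Not Sanctum's implementation.
$table = [];

// Issue a token: store only the SHA-256 digest, return the plaintext once.
function createToken(array &$table, string $name): string
{
    $secret = bin2hex(random_bytes(20)); // 40-character random secret
    $id = count($table) + 1;
    $table[$id] = ['name' => $name, 'token' => hash('sha256', $secret)];
    return $id . '|' . $secret;          // plaintext form given to the client
}

// Resolve a presented bearer value: hash it, then compare in constant time.
function findToken(array $table, string $bearer): ?array
{
    if (strpos($bearer, '|') === false) {
        // No "id|" prefix: scan for a row whose digest matches.
        $digest = hash('sha256', $bearer);
        foreach ($table as $row) {
            if (hash_equals($row['token'], $digest)) {
                return $row;
            }
        }
        return null;
    }
    [$id, $secret] = explode('|', $bearer, 2);
    $row = $table[(int) $id] ?? null;
    return $row !== null && hash_equals($row['token'], hash('sha256', $secret))
        ? $row
        : null;
}

$plain = createToken($table, 'API_TOKEN');
$storedHash = $table[1]['token']; // what a SELECT on the table would show

var_dump(findToken($table, $plain) !== null);             // plaintext token as bearer
var_dump(findToken($table, $storedHash) !== null);        // DB column value as bearer
var_dump(findToken($table, '1|' . $storedHash) !== null); // DB value with id prefix
```

Only the first lookup succeeds: the presented value is always hashed before comparison, so sending the stored digest compares a hash of a hash against the column. The same property means read access to the table does not yield usable tokens.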