When using $this->middleware('auth:auth') the user token can be passed as query string, request payload or bearer token: https://laravel.com/docs/5.8/api-authentication#passing-tokens-in-requests
I want to only allow authentication by bearer token. This means I don't want to allow authentication by query string or post request.
I tried to solve it by adding a middleware which just removes the api_token:

    public function handle($request, Closure $next)
    {
        $request->request->set('api_token', null);
        return $next($request);
    }

but no matter what I do,

    Route::group(['middleware' => ['auth:api', 'remove-api-token'],

or

    Route::group(['middleware' => ['remove-api-token', 'auth:api'],

will always trigger auth:api first. So my approach does not work.

Any ideas how to deny GET/POST authentication for auth:api only?
via Chebli Mohamed
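
One way to get bearer-only behaviour without depending on middleware order, shown as an added example that is not part of the original post: a closure request guard registered with Auth::viaRequest reads only the Authorization header, so an api_token in the query string or request body is never consulted. The driver name bearer-only, the App\User model and a plain-text api_token column are assumptions.

```php
<?php
// app/Providers/AuthServiceProvider.php
// Added example. 'bearer-only' is a hypothetical driver name chosen here.

namespace App\Providers;

use App\User; // assumption: default Laravel 5.8 user model
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class AuthServiceProvider extends ServiceProvider
{
    protected $policies = [];

    public function boot()
    {
        $this->registerPolicies();

        // Closure request guard: the only credential source is the
        // "Authorization: Bearer <token>" header. Query string and
        // form/JSON body fields named api_token are ignored entirely.
        Auth::viaRequest('bearer-only', function (Request $request) {
            $token = $request->bearerToken();

            // No bearer header (or an empty one) means unauthenticated,
            // even if ?api_token=... or a POSTed api_token is present.
            if (! is_string($token) || $token === '') {
                return null;
            }

            // Assumption: tokens are stored unhashed in users.api_token.
            // If hashed tokens are stored, compare hash('sha256', $token).
            return User::where('api_token', $token)->first();
        });
    }
}

// config/auth.php: point the existing "api" guard at the new driver so
// routes keep using the unchanged 'auth:api' middleware:
//
//   'guards' => [
//       'api' => ['driver' => 'bearer-only'],
//   ],
```

Keeping tokens out of URLs also keeps them out of web server access logs and Referer headers.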