Wednesday, 16 December 2020

How to only allow Bearer token in API authentication?

When using $this->middleware('auth:auth') the user token can be passed as query string, request payload or bearer token: https://laravel.com/docs/5.8/api-authentication#passing-tokens-in-requests

I want to only allow authentication by bearer token. This means I don't want to allow authentication by query string or post request.

I tried to solve it by adding a middleware which just removes the api_token

use Closure;
use Illuminate\Http\Request;

// Drop api_token from both the query string and the form body, so the guard can only see the header
public function handle(Request $request, Closure $next)
{
    $request->query->remove('api_token');
    $request->request->remove('api_token');
    return $next($request);
}

but no matter what I do

Route::group(['middleware' => ['auth:api', 'remove-api-token'],

or

Route::group(['middleware' => ['remove-api-token', 'auth:api'],

will always trigger auth:api first. So my approach does not work.

Any ideas on how to deny GET/POST authentication for auth:api only?



via Chebli Mohamed
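One way to close the query-string and request-body paths without fighting middleware order, added here as an example that is not part of the original post: a guard that reads the token only from the Authorization header and is registered as the driver behind auth:api. Laravel's HTTP kernel lists Authenticate in $middlewarePriority, which is why a route middleware placed before auth:api still runs after it; changing what the guard accepts avoids that ordering entirely. It assumes Laravel 5.8's Illuminate\Auth\TokenGuard; the class name BearerOnlyTokenGuard and the driver name bearer-token are made up.

```php
<?php
// Added example, not code from the original post. Assumes Laravel 5.8's
// Illuminate\Auth\TokenGuard; BearerOnlyTokenGuard and 'bearer-token' are assumed names.

namespace App\Auth {

    use Illuminate\Auth\TokenGuard;

    class BearerOnlyTokenGuard extends TokenGuard
    {
        // The parent falls back to the query string, the request body and the
        // HTTP basic-auth password; this version accepts the Bearer header only.
        public function getTokenForRequest()
        {
            return $this->request->bearerToken();
        }
    }
}

namespace App\Providers {

    use App\Auth\BearerOnlyTokenGuard;
    use Illuminate\Support\Facades\Auth;
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

    class AuthServiceProvider extends ServiceProvider
    {
        public function boot()
        {
            $this->registerPolicies();

            // Select this driver in config/auth.php with
            // 'api' => ['driver' => 'bearer-token', 'provider' => 'users', 'hash' => false]
            // and keep using the auth:api middleware on the routes.
            Auth::extend('bearer-token', function ($app, $name, array $config) {
                $guard = new BearerOnlyTokenGuard(
                    Auth::createUserProvider($config['provider']),
                    $app['request'],
                    'api_token',              // input key (no longer consulted)
                    'api_token',              // column holding the token on the users table
                    $config['hash'] ?? false  // true if api_token is stored SHA-256 hashed
                );
                // Keep the guard's request current if the container rebinds it.
                $app->refresh('request', $guard, 'setRequest');
                return $guard;
            });
        }
    }
}
```

With this guard in place, a request carrying api_token only as ?api_token=... or in the POST body gets a 401 from auth:api, while Authorization: Bearer <token> authenticates as before.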
