0

I am working with Laravel Sanctum for the first time, especially with the API's. I had to create an API that is only for reporting that returns a JSON, the topic that I can't access by POSTMAN since it tells me "message": "Unauthenticated."

I followed the steps for the cofiguration that the documentation in my project told me.

I followed the steps for the cofiguration that the documentation told me in my project, which was to install sanctum, run the provider, create the token migration, reference in the user sanctum model and place HasApiTokens, at this point I don't know what to do anymore.

On one hand, the documentation tells me that I can access by placing this line token = $user->createToken('token-name'); but I don't know where to place it, because it won't have an interface since the purpose is to access through PowerBi

This is my route API

Route::group(['middleware'=> 'auth:sanctum'], function (){
    Route::get('/reports','Api\ReportController@getTicketsCotizados');
});

My Controller

    public function __construct()
    {
        $this->middleware('auth');
    }

    public function getTicketsCotizados(){

        $this->authorize('view ticket');

        $cotizados =Ticket::ticketWithLeadForStatus(3)->get();
        return response()->json($cotizados, 200);
    }

Kernel

'api' => [
            EnsureFrontendRequestsAreStateful::class,
            'throttle:60,1',
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

User

use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    use Notifiable, UsesTenantConnection, HasApiTokens, HasRoles;
(...)
}

Guards

'api' => [
            'driver' => 'sanctum',
            'provider' => 'users',
            'hash' => false,
        ],

Postman enter image description here

Alex Valenzuela
  • 189
  • 2
  • 15

2 Answers2

0

That command is suposed to be made on the backend, it is used to create a token that is passed to the user, to use on future accesses.

I'm not well versed in security best pratices, but i think you need to create a login api route, outside sanctum that receives email and password and returns the token to further use.

In your case, you can use TINKER ( laravel's interactives shell ) to generate the token rapidly and just for test, just type the following in the command line at the root of your project:

php artisan tinker
$user = User::find([replace_with_user_accessing_api_id]);
$user->createToken('[replace_with_random_name]');

Now, you can get the plainTextToken and place in the Authorization Tab of Postman, under the Bearer Type.

Carlos Salles
  • 474
  • 2
  • 6
-1

If you read Laravel documentation here https://laravel.com/docs/8.x/sanctum it has a very clear example of generating an access token and making a request with it. Yes there is no clear example of making a request and it just refer to use bearer token because they assume you to be well versed with such things.

To avail versatile framework like Laravel to full you have to go through every page carefully about something and not missing any information or word they have written to help you with things.

Following the controller/routes part where you generate a token. They have written it to be used in a route but you can move it to a controller if you could follow laravel basics.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

Route::post('/sanctum/token', function (Request $request) {
    $request->validate([
        'email' => 'required|email',
        'password' => 'required',
        'device_name' => 'required',
    ]);

    $user = User::where('email', $request->email)->first();

    if (! $user || ! Hash::check($request->password, $user->password)) {
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }

    return $user->createToken($request->device_name)->plainTextToken;
});

Remember that when a token is generated it is the only time you can view plain token for further usage. See plainTextToken in the code above. If you do not save this token you cannot use it.

Okay. I assume that you see and copy this token which looks like 123|p45xhFOkNFPXR7QhXjupWRffKDds2b7dpXDB0Vzz. In this token the 123 in the beginning is user id seperated by a pipe(|). You need to extract it to avail just the token which starts with p45 in this example.

In a real app you pass/return this token on to a login request from a mobile device or to front end and save it in a session or relevant data storage.

Next, to make further requests to routed areas/urls guarded by auth:sanctum you have to pass this token via Authorization header in form of bearer. See Setting authorization header in Fetch API for an example using fetch method. I am posting a picture showing how you could call it in postman.

enter image description here

If I make this request without setting Authorization header it would also return me

{
    "message": "Unauthenticated."
}

I hope I was clear enough.

Arvind K.
  • 1,184
  • 2
  • 13
  • 27