
I've configured Laravel Sanctum and everything is working with my SPA. However, if a user creates a token, they can inspect my website and call my internal SPA routes (which are not intended for their usage). What I have now is:

use App\Http\Resources\UserResource; // assumed location of the resource class
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Any Sanctum-authenticated principal (SPA session or personal access token) reaches this group
Route::middleware('auth:sanctum')->group(callback: function () {
    Route::get('/user', function (Request $request) {
        return new UserResource($request->user());
    });
});

How can I prevent all users except my SPA from accessing this route?

Pezhvak

1 Answer


After a bit of testing: when Sanctum authenticates UI requests, it sets a session on the $request, whereas when users call it, no session is set for them.

I've created a middleware and applied it to my internal routes; here is the code:

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class InternalApi
{
    /**
     * Handle an incoming request.
     *
     * Sanctum's stateful (SPA) path starts a session on the request, while a
     * request authenticated by a personal access token carries no session.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        // No session: this is not a first-party SPA request, reject it
        if (! $request->hasSession()) {
            return response()->json([], 401);
        }

        return $next($request);
    }
}

and my api.php now looks like this:

use App\Http\Resources\UserResource; // assumed location of the resource class
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(callback: function () {
    Route::get('/user', function (Request $request) {
        return new UserResource($request->user());
    })->middleware('internal'); // alias registered for the InternalApi middleware
});

Update: as described in the documentation, for SPA requests $request->user()->tokenCan() will return true no matter what, even if the user doesn't have any abilities assigned.

Pezhvak