
I am adding a custom authentication system via guards, models and providers.

After trying to read some documentation and articles, I am a bit confused about the different ways of invoking guards and middleware.

Question 1: So, if I want to invoke (default) authentication in a particular route (as defined in auth.php as "default => [ 'guard' => 'web' ..."), is it `'middleware' => ['auth']`? Does this mean the default auth? Or the middleware "auth", which is included in the Kernel.php as below:

`protected $routeMiddleware = ['auth' => \App\Http\Middleware\Authenticate::class, /* ... */];`

If I want the default auth as defined in "web" of config/auth.php, should it be `'middleware' => ['auth']` or `'middleware' => ['web']` or `'middleware' => ['auth:web']`?

Question 2: Now there is a middleware group called "web" which has useful things like StartSession, EncryptCookies, CSRF protection. So if I have a custom guard "abcguard", are session management and cookie encryption done through some mechanism, or should I explicitly add that middleware "web" in my routes/route group?

Question 3: What if I have a custom guard called "abcguard" defined in auth.php as such, and I have a middleware group called abcguard (just for illustration purposes)? How do I make sure that a route dashboard is available after the abcguard authentication and passing through middleware abcguard?

Is this the right way? `'middleware' => ['auth:abcguard', 'abcguard']`

How does Laravel know which one is authentication and which one is just a middleware? Or is "guard" just a name for another middleware, where the only specific behaviour is that a guard determines how users are authenticated and a middleware might just check if a user is authenticated?

Q4: In the statement below, how does Laravel find out which abcguard is a guard and which is a middleware group? `'middleware' => ['auth:abcguard', 'abcguard']`

Rob
Asif

1 Answer

  1. First, you seem to confuse the `web` middleware group (defined in Kernel) with the `web` guard (authentication mechanism using session) for the `auth` middleware, and they are not even related TBH. A guard is used to authenticate users, and a middleware group just holds different middlewares for your web routes. If in your `auth.php` config you have default guard `web`, then `'middleware' => 'auth'` will end up using the `web` guard. In case you want to use another guard, you will need to use `'middleware' => 'auth:other_guard'`.

  2. Again, the `web` middleware group only holds middlewares for ALL of your web routes. You should not add `auth` to all of them, for sure.

  3. The right way will be `'middleware' => ['auth:abcguard', 'abcguard']`, yea. In this case, you have the `auth` middleware using the `abcguard` guard and the `abcguard` middleware group.

  4. When you write `auth:abcguard` you are calling the `auth` middleware and passing `abcguard` as an argument to its `handle` function. Same if it was `web` - default session guard, or `api` - default auth token, or `sanctum` - sanctum's session cookie. Middleware groups are defined in your `App\Http\Kernel::class`. In case you have an `abcguard` middleware group there, you will be using all middlewares defined in that group.

PunyFlash
  • So for #4, if I want to use my own defined "abcguard" guard from auth.php and my defined "abcguard" middleware group from Kernel.php from my route, what is the right syntax for a route group? `Route::group(['middleware' => ['auth:abcguard','abcguard']], .....` ? – Asif Apr 30 '22 at 13:55
  • yes, that's right – PunyFlash Apr 30 '22 at 13:57
  • So for a Route group, I want to use the "auth" middleware from the Kernel.php, what is the syntax --> `Route::group(['middleware' => ['auth']],,,,` ? How does Laravel know I am trying to invoke the middleware "auth" from Kernel.php and not the "web" auth from auth.php? – Asif Apr 30 '22 at 13:57
  • So from the official documentation -- https://laravel.com/docs/8.x/authentication#protecting-routes --- I see that to protect my routes, I should do this ---> `Route::get('/flights', function () { // Only authenticated users may access this route... })->middleware('auth');` --- my question is which "auth" is this -- the "auth" defined in Kernel.php `routeMiddleware = ['auth' => \App\Http\Middleware\Authenticate::class, ]...` or the default web auth in config/auth.php? – Asif Apr 30 '22 at 14:01
  • The `auth` middleware is registered in your Kernel as well, in the `$routeMiddleware` array. It basically binds the class descriptor to the `auth` keyword, that's all. The default guard for the `auth` middleware is set in the `auth.php` config. In case you are not passing any guard as argument, you will use the default guard. – PunyFlash Apr 30 '22 at 14:03
  • Yes, you get it all right – PunyFlash Apr 30 '22 at 14:09
  • What will be the middleware name for the admin guard if one is using sanctum for authenticating an SPA? 1) `'middleware' => 'auth:sanctum,admin'` -> this doesn't work when a user tries to access admin routes. 2) `'middleware' => ['auth:sanctum', 'auth:admin']` -> but this works when a user tries to access admin routes, so is the second one the best practice to follow? – Kaustubh Bagwe Aug 16 '22 at 07:48
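
The lookup described in the answer and comments above, as an added example in plain PHP (a simplified model written for this page, not Laravel's source or the answerer's code): a string that matches a middleware group is expanded, otherwise the part before `:` is the middleware alias and the rest are its arguments, which the `auth` middleware treats as guard names. It goes slightly beyond the answer by also covering the comma-separated form from the last comment; the guard names, group contents and class strings are constructed samples.

```php
<?php
// Simplified model of the lookup rules; not Laravel's source code.
// Guard names, group contents and class strings are constructed samples.
$config = ['defaults' => ['guard' => 'web'],
           'guards'   => ['web' => [], 'abcguard' => [], 'sanctum' => [], 'admin' => []]];
$routeMiddleware  = ['auth' => 'App\Http\Middleware\Authenticate'];
$middlewareGroups = ['web'      => ['EncryptCookies', 'StartSession', 'VerifyCsrfToken'],
                     'abcguard' => ['StartSession']];

// Expand route middleware strings into [class, parameters] pairs.
function resolve(array $names, array $aliases, array $groups): array {
    $out = [];
    foreach ($names as $name) {
        if (isset($groups[$name])) {             // the whole string names a group
            array_push($out, ...resolve($groups[$name], $aliases, $groups));
            continue;
        }
        [$alias, $args] = array_pad(explode(':', $name, 2), 2, '');
        $out[] = [$aliases[$alias] ?? $alias, $args === '' ? [] : explode(',', $args)];
    }
    return $out;
}

// One auth middleware passes if ANY of its guards has a logged-in user.
function authPasses(array $guards, array $loggedIn, array $config): bool {
    $guards = $guards ?: [$config['defaults']['guard']];  // no argument: default guard
    foreach ($guards as $guard) {
        if (!isset($config['guards'][$guard])) {
            throw new InvalidArgumentException("Auth guard [{$guard}] is not defined.");
        }
        if (in_array($guard, $loggedIn, true)) return true;
    }
    return false;
}

// A route is reachable only if EVERY auth middleware in its stack passes.
function routeAllows(array $names, array $loggedIn): bool {
    global $config, $routeMiddleware, $middlewareGroups;
    foreach (resolve($names, $routeMiddleware, $middlewareGroups) as [$class, $params]) {
        $isAuth = $class === $routeMiddleware['auth'];
        if ($isAuth && !authPasses($params, $loggedIn, $config)) return false;
    }
    return true;
}

print_r(resolve(['auth:abcguard', 'abcguard'], $routeMiddleware, $middlewareGroups));
var_dump(routeAllows(['auth'], ['web']));                            // default guard
var_dump(routeAllows(['auth:sanctum,admin'], ['sanctum']));          // either guard
var_dump(routeAllows(['auth:sanctum', 'auth:admin'], ['sanctum']));  // both guards
```

The last two calls use a user who is logged in through `sanctum` only: the comma-separated list accepts any one of the listed guards, while two stacked `auth` entries require both, so the comma form is the weaker check for admin-only routes.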