1

I have a route which is as follows

Route::group(['middleware' => ['auth:api']], function(){
    
    Route::post('getList','SomeController@someAction')->name('logout'); 
});

When I call it without a token, it fails, which is the expected behavior.

But when I call it with the following code

Route::group(['middleware' => ['auth','api']], function(){

    Route::post('getList','SomeController@someAction')->name('logout'); 
});

without a token, it does not fail and returns the required data.

What is the difference between ['auth:api'] and ['auth','api']?

P.S.: In both cases, I am sending the Session-Cookie.

1 Answer

3

To answer your question above, it is quite fundamental to understand Laravel's basic authentication system and how middleware works.

In short, auth is a middleware that is first defined in App\Http\Kernel, and then api is the guard passed to the middleware. The api configuration can be found in config/auth.php.

api is the middleware used for all API routes; this means those routes can't be accessed by using the URL bar.

In your case

Route::group(['middleware' => ['auth:api']], function(){

       Route::post('getList','SomeController@someAction')->name('logout'); 
});

This means that you are loading authentication for the API, which means you will be authenticating your users based on a token rather than the user session. This way you will not be able to access sites using a link URL in your browser. So, first you defined that you want to use authentication ("auth"), and then you declared that you want to use the api guard on auth. The API guard for auth is defined in config/auth.php.

Next thing

Route::group(['middleware' => ['auth','api']], function(){

      Route::post('getList','SomeController@someAction')->name('logout'); 
});

In the question above, you are grouping the middlewares based on the names you mentioned in HTTP/Kernel.php

['middleware' => ['auth','api']]

This means that all your routes pass through the middlewares called auth and api.

So you probably have this in your HTTP/Kernel.php

 protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
    ],

    'api' => [
        'throttle:60,1',
        'bindings',
    ],
];

/**
 * The application's route middleware.
 *
 * These middleware may be assigned to groups or used individually.
 *
 * @var array
 */
protected $routeMiddleware = [
    'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
    'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
    'can' => \Illuminate\Auth\Middleware\Authorize::class,
    'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
    'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
];

It means that you are grouping auth and api together in the same middleware for all the routes you define underneath it.
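The difference between the two route groups, modelled as a standalone PHP script (an added example, not part of the original answer and not Laravel's own code). The group and guard values are constructed to mirror the Kernel shown above and a default config/auth.php; `resolveMiddleware` and `guardsChecked` are hypothetical helper names.

```php
<?php
// Simplified model of how route middleware strings are resolved.
// Constructed values: 'api' group as in the Kernel above; default guard "web"
// (session driver) and "api" guard (token driver) as in a stock config/auth.php.
const MIDDLEWARE_GROUPS = ['api' => ['throttle:60,1', 'bindings']];
const AUTH_CONFIG = [
    'defaults' => ['guard' => 'web'],
    'guards'   => ['web' => ['driver' => 'session'], 'api' => ['driver' => 'token']],
];

/** Expand group names, then split every "alias:param1,param2" entry. */
function resolveMiddleware(array $names): array
{
    $resolved = [];
    foreach ($names as $name) {
        if (array_key_exists($name, MIDDLEWARE_GROUPS)) {
            // A bare 'api' is a middleware GROUP name, not a guard.
            $resolved = array_merge($resolved, resolveMiddleware(MIDDLEWARE_GROUPS[$name]));
            continue;
        }
        [$alias, $params] = array_pad(explode(':', $name, 2), 2, null);
        $resolved[] = [
            'alias'  => $alias,
            'params' => $params === null ? [] : explode(',', $params),
        ];
    }
    return $resolved;
}

/** Guards the 'auth' middleware will check; no parameter means the default guard. */
function guardsChecked(array $names): array
{
    foreach (resolveMiddleware($names) as $middleware) {
        if ($middleware['alias'] === 'auth') {
            return $middleware['params'] ?: [AUTH_CONFIG['defaults']['guard']];
        }
    }
    return []; // the route is not behind 'auth' at all
}

// Print, for each middleware stack from the question, which guard and driver apply.
foreach ([['auth:api'], ['auth', 'api']] as $stack) {
    $guards  = guardsChecked($stack);
    $drivers = array_map(fn ($g) => AUTH_CONFIG['guards'][$g]['driver'], $guards);
    printf("%-16s guards=%s drivers=%s\n",
        json_encode($stack), implode(',', $guards), implode(',', $drivers));
}
```

With `['auth','api']` the auth middleware receives no guard parameter, so only the default guard is consulted and the token guard is never asked; to require a token on a route that also needs throttling and bindings, the stack would be `['api', 'auth:api']`.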
