I'm currently building an API using Laravel and need two different authentication types and would just like some input on whether I'm thinking correctly before implementing everything.
The API will have a React application that makes requests that will be hosted on the same top domain as the API. I need to use stateful authentication for this as it will link to routes that generate streamed PDFs where the user has to be authenticated. An example is that they log in within the React app, do a few things within the React app that make requests to the API, and then at the end there will be a link to a PDF. This PDF will contain user-specific data and therefore I need the user to be authenticated when generating the PDF. My guess is that I need stateful authentication for this since I can't send Authorization headers using a link?
The API will also have a route group that will be used by external apps on different domains that have to be protected using API Tokens. The stateful authentication should preferably not work on these routes.
How should I go about creating this setup? Is Laravel Sanctum enough for this using SPA Auth for the main routes and Token Auth for the other ones? Can I stop the SPA Auth from working on the other routes? I did a quick setup to test and did come across an issue that makes me question whether this will work or not. That issue is that when I logged in using Postman on my PC and then asked my colleague to make a request using Postman on his PC, Sanctum acted as if he was logged in and it seemed like we shared session data for the currently logged in user?
Is that a configuration issue on my end or is that the way it's supposed to work and that it isn't the right way for me to go about implementing this?
Thanks in advance!
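One way to keep the two route groups on separate authentication modes with Sanctum alone, as an added example that is not part of the original post: Sanctum attaches a `TransientToken` to a user authenticated through the session (SPA) guard and a `PersonalAccessToken` to one authenticated by bearer token, so a small middleware can reject whichever mode a route group should not accept. The middleware class name `EnsureSanctumAuthMode` and the route paths are hypothetical; it assumes Sanctum's stateful-frontend middleware is already applied to the `api` group and `SANCTUM_STATEFUL_DOMAINS` lists the React app's domain.

```php
<?php
// app/Http/Middleware/EnsureSanctumAuthMode.php (hypothetical file/class)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Laravel\Sanctum\TransientToken;

class EnsureSanctumAuthMode
{
    // $mode is 'session' (SPA cookie login only) or 'token' (API token only).
    // Run this after auth:sanctum so $request->user() is already resolved.
    public function handle(Request $request, Closure $next, string $mode)
    {
        $user = $request->user();
        if ($user === null) {
            abort(401, 'Unauthenticated.');
        }

        // Sanctum gives a session-authenticated user a TransientToken;
        // a bearer-token login yields a PersonalAccessToken instead.
        $viaSession = $user->currentAccessToken() instanceof TransientToken;

        if ($mode === 'token' && $viaSession) {
            abort(401, 'This endpoint requires an API token.');
        }
        if ($mode === 'session' && ! $viaSession) {
            abort(401, 'This endpoint requires a first-party session.');
        }

        return $next($request);
    }
}

// routes/api.php (excerpt, hypothetical paths)
use App\Http\Middleware\EnsureSanctumAuthMode;
use Illuminate\Support\Facades\Route;

// SPA routes: the React app's cookie session is accepted, bearer tokens are not,
// so a leaked token cannot be used to pull the user-specific PDF.
Route::middleware(['auth:sanctum', EnsureSanctumAuthMode::class.':session'])
    ->group(function () {
        Route::get('/reports/{report}/pdf', [ReportController::class, 'stream']);
    });

// External integrations: bearer tokens only; a browser session is rejected,
// which also closes the door on cross-site requests riding the SPA cookie.
Route::middleware(['auth:sanctum', EnsureSanctumAuthMode::class.':token'])
    ->prefix('external')
    ->group(function () {
        Route::get('/orders', [ExternalOrderController::class, 'index']);
    });
```

The PDF link works because the browser sends the session cookie on a plain navigation, while the `external` group never accepts that cookie even if the same user is logged in to the SPA.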