An API without authentication is like a house without a door. So, let's secure our API by adding an authentication system to it:
- Set up Sanctum Middleware
- Create a User Registration API
- Create a User Login API
Let's get secure!
Setting Up Authentication Middleware
Let's start by securing our API endpoint with a Middleware:
routes/api.php
```php
// ...

Route::group(['middleware' => 'auth:sanctum'], function () {
    Route::apiResource('categories', CategoryController::class);
    Route::apiResource('transactions', TransactionController::class);
});
```

Now, we can immediately try to make an API request using Postman:

This is good! However, we need to create a user registration and login API to authenticate our users.
Registering our First User
So, let's create a way to register a new user. For this, we need a new Controller:
```shell
php artisan make:controller Api/AuthController
```

In there, let's add a new method to register a user:
app/Http/Controllers/Api/AuthController.php
```php
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rules\Password;

// ...

public function register(Request $request): string
{
    // Validate the payload; Password::defaults() applies the application-wide password rules
    $request->validate([
        'name' => 'required|string|max:255',
        'email' => 'required|string|email|max:255|unique:users',
        'password' => ['required', 'confirmed', Password::defaults()],
        'device_name' => 'required',
    ]);

    // Store only the hashed password, never the plain one
    $user = User::create([
        'name' => $request->name,
        'email' => $request->email,
        'password' => Hash::make($request->password),
    ]);

    // Issue a Sanctum token named after the client device and return it as plain text
    return $user->createToken($request->device_name)->plainTextToken;
}
```

As you can see, we are doing basic validation and user creation...
I would add the sanctum middleware on the logout route. Like this: Route::post('/auth/logout', [AuthController::class, 'logout'])->middleware('auth:sanctum'); It's more secure.
When I set up the authentication middleware, I tried to make an API request using Postman, but I don't get the same response as yours and I can't get the token. How do I get 'name', 'email', 'password', 'password_confirmation', 'device_name' to appear like yours?
Everything that I have set up is in the screenshot. In this case, I'm sending these parameters as raw in Postman.
Oh, I got it. I tried again and it worked. Thank you very much.
I was able to do every step of this chapter successfully on my local computer, and test everything using Postman. I need your help because when I tried to deploy it on my hosted server I got the "message": "Unauthenticated." error message on my api/auth/logout and api/categories. I am able to receive the generated token after the login using Postman. Did I miss something, or do I need additional configuration on my server? Thanks in advance!
You need to send that token with each of your requests as an Authentication: Bearer ${token} header. Without this, your user is not logged in.
Thanks for the reply, I already included it in the Authorization: Bearer Token. I have no problem running it on my local machine, but on my server I am still receiving this "message": "Unauthenticated." error.
Try to replicate this behaviour using Postman. It's hard to say what exactly can be an issue there (maybe this can be it, but not sure https://laravel.com/docs/12.x/sanctum#spa-authentication )
I'm getting this after following your steps. What's the reason, please? The GET method is not supported for route api/auth/login. Supported methods: POST.
Not sure where you got the GET for login (if it's in the tutorial, tell me where). But you do need to send a POST request there.
https://laravel-api-flutter-api-code.test/api/auth/login
That's where I get the error.
Not quite what I asked. But yes, this is a POST route and not GET, so you should call the POST request on it.
I called the POST request but was still getting the error.
How did you call it?
Route::post('/auth/login', [AuthController::class, 'login']);
This is the definition of the route.
I'm specifically referring to:
What were you doing when you got the error back? And how were you doing it?
trying to view api/auth/login
Do I need to be logged in?
API routes have no views on them, so there's nothing to view. They will not work in your browser
I know. I'm using Postman. Should I be expecting 200 OK?
If you are sending a POST request, you need to send an email and password inside of it. From there, you will get a token response back.