#"throttle:api" is breaking "/api/user" with Sanctum

I have been stuck at this for hours just to find that it might be a bug from the Sanctum package itself.

I have the endpoint below:

// routes/api.php

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

It keeps returning 401 unauthenticated message in my Nuxt app even after a successful login. If I try to login again the /api/login endpoint does detect that I'm already logged in and tries to redirect me. The only way I managed to get it to work is by commeting out throttle:api in the following:

// app/Http/Kernel.php

'api' => [
    \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
    // 'throttle:api',
    \App\Http\Middleware\EncryptCookies::class,
    \Illuminate\Session\Middleware\StartSession::class,
    \Illuminate\Routing\Middleware\SubstituteBindings::class,
],

I initially found the solution through an old GitHub issue (https://github.com/laravel/sanctum/issues/369). Seems like the issue was never solved or discussed since I couldn't find any other posts about it. Thanks in advance

Sounds like your nuxt app is hitting the route repeatedly and this is more of a nuxt issue

I’d recommend trying this library: https://auth.nuxtjs.org/providers/laravel-sanctum/

@safe hollow Did you read the post?

look into middleware order in the http kernel, throttle api expects a user, and is probably firing first

this can cause issues when using non standard guards

https://laravel.com/docs/9.x/middleware#sorting-middleware

this has wasted enough of my time so I just moved to vue instead of nuxt due to this error

so it WAS the frontend that was causing it?

No, Sanctum doesn’t work properly with external SPAs apparently

"tries to redirect me"

Sounds like you're missing an accept header for your http calls