# Make certain endpoints available without authentication, rest with authentication only with Laravel


hexed pasture
#

All you need to do is conditionally apply the auth:sanctum middleware.

#

It’s better to read the official Laravel docs, rather than hopping from blog post to blog post written by people of various knowledge levels, hoping to find a code snippet that does exactly what you want.

earnest surge
#

the problem is, I did.
I added the authenticated method to the login controller, so when you actually sign in, you get the token returned. But whenever you try to reach anything that has the auth sanctum middleware, it just refuses to give you permission

#

so even if you should have permission, it returns 401 saying you don't

torn jackal
#

So, you've applied the Sanctum middleware to the create/update/destroy routes of a Controller and it gives a 401, that's good. This probably just means there is some misconfiguration in your .env and/or config. I assume you were still able to access the index/show routes.

Issue could be in a bunch of places. Please share your .env (remove any sensitive data), config/auth.php and app/http/kernel.php

earnest surge
#

Quick question. In (Vue) axios, should I make a request for the token every time the user does *something* that is protected by Sanctum? Or is it okay if I just set it in local storage, cache or cookie?

#

that might be a problem

#

bc now I just regularly sign in the user with the default login method, so no axios requests are targeting the token (again), only on first login

hexed pasture
#

If you have a JavaScript front-end, use cookie authentication.

earnest surge
#

I use blade for frontend, and some vue components to display and manipulate data

#

it's a "webshop", I think we could pretty much call it that

#

so basically I need to create an endpoint that returns the token that belongs to the user and is not expired, and whenever I do a request, I need to make a request to that endpoint?
OR
just pass the token whenever the user logs in. But then here comes another problem: whenever the user is authenticated, a new token is issued to them (`return $user->createToken($request->device_name)->plainTextToken;`) (taken from documentation)
This is my first-ever time working with tokens and sanctum, so I'm a bit clueless.

hexed pasture
#

Are you using Sanctum for anything else?

earnest surge
#

I only want to use sanctum to restrict access on some product api methods, for logged in users only.

so basically
store, update, delete: require logged in user
index, show: doesn't require logged in user

earnest surge
#

I kind of feel like giving up this token thing to be honest. I thought I was capable of setting it up properly as needed, but it seems like I'm not.

autumn mason
#

Not sure I understand the problem fully. If it's what I think it is, then literally the link here from Martin: scroll down a bit to protecting routes, then check out route groups. In the end, put your protected routes in a route group with middleware, then the public routes outside of the group, without middleware, and that's it.
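
The layout described in the last reply (public routes outside the group, protected routes inside a group with the `auth:sanctum` middleware), as an added example that is not part of the thread. `ProductController` and the `products` resource name are assumptions.

```php
<?php
// routes/api.php
// Added example, not code posted in the thread.
// Assumption: a resource controller named ProductController exists.

use App\Http\Controllers\ProductController;
use Illuminate\Support\Facades\Route;

// Public: index and show are registered outside any auth middleware,
// so guests can list and view products.
Route::apiResource('products', ProductController::class)
    ->only(['index', 'show']);

// Protected: everything in this group passes through auth:sanctum first.
// A request without a valid Sanctum token or authenticated session is
// rejected with 401 before the controller method runs.
Route::middleware('auth:sanctum')->group(function () {
    Route::apiResource('products', ProductController::class)
        ->only(['store', 'update', 'destroy']);
});

// Note for the Blade + Vue setup discussed above (cookie authentication):
// a session login only authenticates requests to these routes when
// Sanctum's EnsureFrontendRequestsAreStateful middleware is in the `api`
// middleware group (app/Http/Kernel.php on Laravel versions that have it)
// and the site's host is listed under `stateful` in config/sanctum.php.
// With that in place, no bearer token has to be stored in local storage.
```

Registering the resource twice does not create conflicting routes, because each call is limited to a disjoint set of actions with `only()`.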