#Unauthenticated response


tardy vine
#

Hi guys, could anyone help me with an authentication issue? Whenever I send a POST request from another app to my Laravel app, I get back {"message": "Unauthenticated."}. I'm running Laravel 8, using sanctum and attaching a generated PAT to my request as a bearer token.
The route is under the auth:sanctum middleware.

I tracked it to a point where it looks like the request is checked for an attached user, which is not there.

barren heart
#

Check if the received request contains the auth header. If it's a cross-origin ajax request and the header isn't allowed in the cors config it will be removed.

tardy vine
#

Could you point me to where it gets stripped off? I still see it at sendRequestThroughRouter().

barren heart
#

That would be the HandleCors middleware

tardy vine
#

Don't know if it's relevant, but my cors.php contains 'allowed_headers' => ['*']

barren heart
#

Is the domain you're sending the request from allowed in config/sanctum.php?

#

Sorry, that's only relevant for stateful auth, not bearer token.

tardy vine
#

I do need to mention there are parts of the app not made by me

barren heart
#

The actual authentication happens in Laravel\Sanctum\Guard. I would check there to see what's wrong.

#

Could also be that you're simply using the wrong token 😉

tardy vine
#

I checked the token, it should be correct

#

It doesn't even seem to reach the __invoke of Guard 😦

#

I don't understand, it's not even checking the token

#

Could my route be under the wrong middleware?

#

Is the token in the request supposed to be linked to a user at a later time? If so, does anyone know where?

barren heart
#

Does the route use the auth:sanctum middleware?

tardy vine
#

Yes

#

Is auth:sanctum only meant for requests containing users?

barren heart
#

It's meant for all non-public routes. The token belongs to a User model (which uses the HasApiTokens trait). So the sanctum guard identifies the user from the bearer token.

#

Try running artisan route:list to see all the middleware used by that route.

tardy vine
#

Hi Mono, sorry for the late reply, I went down kind of a rabbit hole

#

So route:list points me here:
App\Http\Middleware\Authenticate:sanctum

#

Except I can't find what that refers to

#

I finally figured out I'm supposed to reach actingAs in my Sanctum.php, but my request keeps getting rejected before that even happens

#

It's super frustrating, I can see the only guard that's being checked is Sanctum and yet

#

In my auth.php I have this:
'sanctum' => [
    'driver' => 'session',
    'provider' => 'users',
],