Laravel-permission: Using Laravel-permission middleware in API routes

Created on 5 Jul 2018 · 5 Comments · Source: spatie/laravel-permission

I realize this might be a dumb question, but do you guys have experience with securing API calls using the laravel-permission plugin in API routes?

The user is always making the request through JavaScript, but since the code is executed at the server, auth()->user() is null.

Does anyone have any experience with this?

support

All 5 comments

Any ideas?

How are your users authenticating when connecting with JavaScript? What sort of auth are you implementing here?

I fixed it.

I added Laravel Passport to the application.
See: https://laravel.com/docs/5.6/passport and also pay attention to the JavaScript API section https://laravel.com/docs/5.6/passport#consuming-your-api-with-javascript

Once done I added a group in my api routes with 2 middlewares: auth:api and role:manager.
Done! :)

Passport with JavaScript support creates a cookie that it sends with every request.
Laravel is able to validate that cookie for authentication on the user that is performing the request. Once that user is known the role or permission can be checked by Spatie's laravel-permission package.

Actually quite cool

This is what my route group looks like in api.php:

    Route::group(['middleware' => ['auth:api', 'role:manager']], function () {
        // Routes here
    });

... creates a cookie that it sends with every request.
Laravel is able to validate that cookie for authentication on the user that is performing the request. Once that user is known the role or permission can be checked by Spatie's laravel-permission package.

👍

@jurgenbosch Thanks for this info, it was a big help.
