Laravel-permission: Laravel Sanctum guard issue

Created on 5 Mar 2020  路  8Comments  路  Source: spatie/laravel-permission

Hello,

I am using Laravel AirLock to authenticate SPA. The auth.config file has default guard as "web" and the order of guards array also contains first key as "web".

When I create any roles or permissions using Role::create(['name' => 'admin')] or Permission::create(['name' => 'access-config']) it creates with guard name as "airlock".

Do we need to change any configuration if use AirLock authentication method?

support
Source
picture ScriptMintSolution
👍5

Most helpful comment

hi there i'm using Sanctum to autenticate my SPA, so when i create a role the guard is web is this fine or the guard has to be `sanctum?

picture IsidroMar95 on 16 Jun 2020
👍2

All 8 comments

Seems like setting auth.defaults.guard config as sanctum (or airlock) solves it. I don't know if it would make any difference but I should probably mention that my Laravel app is an API only app. Both the HTTP tests (using Sanctum::actingAs()) and the Vue SPA work perfectly right now.

hkan picture hkan on 7 Apr 2020

If your roles/permissions are intended to be used with a specific guard, then when you create the role/permission be sure to pass the desired guard_name for which it applies, else it will guess based on the order listed in the auth config file.

drbyte picture drbyte on 7 Apr 2020

I can't see any benefits for taking the first item from auth.guards config. Why not just use auth.defaults.guard? Is there a specific reason for doing it that way?

hkan picture hkan on 7 Apr 2020

I can't see any benefits for taking the first item from auth.guards config. Why not just use auth.defaults.guard? Is there a specific reason for doing it that way?

Legacy stuff introduced in v2.0

There's a PR open to potentially change it, but I'm concerned about it being breaking-changes because of the long-time use of that approach for several years. So it'll probably mean bumping a major version to bring it in.

That said, there's still plenty of reason for you to be specific about which guard you want used when creating roles/permissions, because they are ALWAYS guard-specific, not generic.

drbyte picture drbyte on 7 Apr 2020

the problem it's still here and it's worse than it seems.

i've just clean installed Sanctum, moving from passport, and the package discovered the guards on it's own as soon as sanctum were installed, even without altering the pristine auth config, which would contain auth.default.guard = web and having only webinto the defined guards

since sanctum (seems) to work ontop of the web guards, it would be more logical imho to just dont let the package discover guards automatically at all:
that's not only for sanctum, but for every other possible implementation of a guard which doesn't declare itself explicitly.
it would be "Safer" to just let the dev provide explicitly into permission.php config which guards to list.

Ragash picture Ragash on 12 May 2020

@Ragash yeah the whole auto-discovery thing is rather flimsy. See the last commit on my fork for the simplest way to change it.

hkan picture hkan on 12 May 2020
👍1

hi there i'm using Sanctum to autenticate my SPA, so when i create a role the guard is web is this fine or the guard has to be `sanctum?

IsidroMar95 picture IsidroMar95 on 16 Jun 2020
👍2

@hkan thanks for the insight mate, for now i simply declared explicitly in my controller which guard to use, but yes your solution is something spatie should take in consideration imho :)

@IsidroMar95 yep, you HAVE to use the web guard (sanctum operates on top of that)

Ragash picture Ragash on 16 Jun 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

notflip picture notflip  路  3Comments
neoreids picture neoreids  路  3Comments
feliperoan picture feliperoan  路  3Comments
holymp2006 picture holymp2006  路  4Comments
ergonomicus picture ergonomicus  路  3Comments