
Laravel Passport - Automatically bypass OAuth for local Javascript requests instead of displaying "Unauthenticated."


I've got Passport up and running. My application contains JavaScript AJAX that connects to my API. I'm trying to make it so it just works based on the Session instead of having to go through the whole OAuth system.

In the documentation, it looks like this is possible: https://laravel.com/docs/5.4/passport#consuming-your-api-with-javascript

However, I'm currently getting "Unauthenticated."

Kernel.php:

protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        // \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
    ],

    'api' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \App\Http\Middleware\VerifyParametersMiddleware::class,
        'throttle:60,1',
        'bindings',
    ],
];

An example api.php route:

Route::group(['middleware' => ['auth:api']], function () {
    Route::resource('canvas-item', 'CanvasItemController',
        [
            'only' => [
                'index',  // GET    api/canvas-item
                'store',  // POST   api/canvas-item
                'update', // PUT    api/canvas-item/{canvas-item-id}
                'destroy' // DELETE api/canvas-item/{canvas-item-id}
            ],
        ]
    );
});

An example JavaScript request:

function ajaxRequest() {
    $.APIAjax({
        url: '{{ url('api/canvas-item') }}',
        type: 'POST',
        data: {
             testing: null
        },
        success: function(jsonResponse) {},
        error: function(jsonResponse) {}
    });
}

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': token
    }
});

The headers that the documentation is asking for have been set correctly:

X-CSRF-TOKEN: "<tokenhere>"
X-Requested-With: "XMLHttpRequest"

Any ideas of how I can get past 'Unauthenticated.' if the request is coming from the same server?

Thanks!


Solution

Removing

    \App\Http\Middleware\EncryptCookies::class,

from Kernel.php allowed the API routes to be authenticated properly. Please let me know if this is not an official/secure way of dealing with this problem.
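To see why `EncryptCookies` in the `api` group produces "Unauthenticated." for these cookie-based requests, here is an added, self-contained model of the check Passport's `TokenGuard` performs on the `laravel_token` cookie (this is illustration code written for this page, not Passport's or Laravel's own; the function names, the 32-byte key and the claims are assumed). The guard decrypts the cookie itself and then compares its `csrf` claim against the `X-CSRF-TOKEN` header, so a cookie that a middleware has already decrypted no longer parses and the request is treated as unauthenticated. Laravel 5.4's default `api` group contains neither `EncryptCookies` nor `StartSession`, which is where the removal belongs; the `web` group keeps it so the session cookie stays encrypted.

```php
<?php
// Added model of Passport's cookie authentication (not Passport's code).
// Cookie = Laravel-style encrypted payload (AES-256-CBC + HMAC-SHA256 over iv+value)
// wrapping an HS256 JWT whose 'csrf' claim must equal the X-CSRF-TOKEN header.

function laravelEncrypt(string $plaintext, string $key): string {
    $iv = random_bytes(16);
    $value = openssl_encrypt($plaintext, 'AES-256-CBC', $key, 0, $iv);
    $mac = hash_hmac('sha256', base64_encode($iv) . $value, $key);
    return base64_encode(json_encode(['iv' => base64_encode($iv), 'value' => $value, 'mac' => $mac]));
}

function laravelDecrypt(string $payload, string $key): string {
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !isset($data['iv'], $data['value'], $data['mac'])) {
        throw new RuntimeException('The payload is invalid.');   // e.g. an already-decrypted cookie
    }
    if (!hash_equals(hash_hmac('sha256', $data['iv'] . $data['value'], $key), $data['mac'])) {
        throw new RuntimeException('The MAC is invalid.');
    }
    $plain = openssl_decrypt($data['value'], 'AES-256-CBC', $key, 0, base64_decode($data['iv']));
    if ($plain === false) { throw new RuntimeException('Could not decrypt the data.'); }
    return $plain;
}

function b64url(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }

function jwtEncode(array $claims, string $key): string {
    $h = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $p = b64url(json_encode($claims));
    return "$h.$p." . b64url(hash_hmac('sha256', "$h.$p", $key, true));
}

function jwtDecode(string $jwt, string $key): array {
    [$h, $p, $s] = explode('.', $jwt) + [null, null, null];
    if ($s === null || !hash_equals(b64url(hash_hmac('sha256', "$h.$p", $key, true)), $s)) {
        throw new RuntimeException('Signature verification failed.');
    }
    return json_decode(base64_decode(strtr($p, '-_', '+/')), true) ?: [];
}

// Mirrors the order of checks in TokenGuard::authenticateViaCookie: decrypt, CSRF, expiry.
function authenticateViaCookie(?string $cookie, ?string $csrfHeader, string $key): ?int {
    try { $token = jwtDecode(laravelDecrypt((string) $cookie, $key), $key); }
    catch (Exception $e) { return null; }                 // unreadable cookie -> "Unauthenticated."
    if (!isset($token['csrf']) || !hash_equals($token['csrf'], (string) $csrfHeader)) { return null; }
    if (!isset($token['expiry']) || time() >= $token['expiry']) { return null; }
    return (int) $token['sub'];
}

$key = random_bytes(32);                                  // assumed app key (constructed)
$csrf = bin2hex(random_bytes(20));                        // constructed session CSRF token
$cookie = laravelEncrypt(jwtEncode(['sub' => 42, 'csrf' => $csrf, 'expiry' => time() + 300], $key), $key);
$cases = ['intact cookie, matching header' => [$cookie, $csrf],
          'intact cookie, wrong header'    => [$cookie, 'not-the-token'],
          'cookie already decrypted by EncryptCookies' => [laravelDecrypt($cookie, $key), $csrf]];
foreach ($cases as $label => [$c, $h]) {
    echo $label, ': ', authenticateViaCookie($c, $h, $key) === null ? 'Unauthenticated.' : 'user authenticated', PHP_EOL;
}
```

Only the first case authenticates; the third reproduces the effect of running `EncryptCookies` before the guard in the `api` group.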