Auth::Check 始终为假，但验证成功 - Laravel 8

Question

I am currently trying to learn Laravel and I'm hitting a problem with the authentication. I am trying to create an API only laravel project, I'm not using any of the Vue or Blade template files and for the time being have turned off the CSRF validation as I think that was causing me some issues as well when using Insomnia Rest API Client (just want to get the basics initially).

I have two simple API routes, one that does the login and one that checks I am logged in that should return the user details.

I am using my own database and Users model to do the authentication.

My Users model is as follows:

<?php

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Auth;

class Users extends Authenticatable
{
    use HasFactory;

    protected $table = "users";
    protected $primaryKey = "UserID";

    protected $casts = [
        "IsActive" => "boolean"
    ];
}

In my api.php I have the following

Route::prefix("/login") ->group(__DIR__ . '/login.php');

Then in login.php I have the following

use Illuminate\Support\Facades\Route;
use App\Http\Controllers\LoginController;
Route::post('/', [LoginController::class, 'login']);
Route::get('/', [LoginController::class, 'getLoggedInUser']);

My LoginController class is set up as follows:

namespace App\Http\Controllers;

use App\Models\Users as User;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    public function __construct()
    {
        $this->middleware('auth:api')->except('login', 'getLoggedInUser');
        //$this->middleware('admin')->except('login', 'forgot', 'getLoggedInUser');
    }

Then in my LoginController I have the following for the post login request to actually perform the authentication:

public function login(Request $request)
    {
        $user = User::where("Username", "my_username")->where("Password", "my_password")->first();

        if ($user !== null)
        {
            if ($user->AccountActive)
            {
                \Auth::login($user);
                
                return \response(["status" => "authenticated", "auth'd user" => \Auth::user(), "logged_in" => \Auth::check()], 200);
            }
            else
            {
                return \response(["status" => "Your account has been disabled"], 401);
            }
        }
        else
        {
            return \response(["status" => "failed"], 401);
        }
    }

As you can see above, I'm currently hard coding the user credentials currently using the string values that are in the database instead of checking anything in the request currently.

The above login returns the following response:

{
  "status": "authenticated",
  "auth'd user": {
    "UserID": 1,
    "LastLoggedIn": "2020-01-16 18:29:37",
    "Username": "my_username",
    "Password": "my_password",
    "AuthToken": "0",
    "Email": "",
    "AccountActive": "1"
  },
  "logged_in": true
}

In my check if I am logged in route, I have the following:

public function getLoggedInUser(Request $request)
    {
        return [
            "logged_in" => \Auth::check(),
            "status" => "success",
            "user" => \Auth::user()
        ];
    }

When I do the above I then get the following response:

{
  "logged_in": false,
  "status": "success",
  "user": null
}

So as you can see its acting as if I'm no longer authenticated.

Answer 1

HTTP requests are stateless, to get around this things like sessions are used to store state between requests. Even though you have authenticated yourself via login, no state has been retained anywhere to associate requests with you.

APIs don't use sessions therefore you need some other mechanism to send along with each subsequent request which can be checked by the server to determine who has made the request and if they are authorised to perform the requested action.

For Laravel, this is where the Sanctum and Passport packages come in. They provide auth workflows for APIs.

Whilst everyones learning journey is different and people learn in different ways, I feel like you might be making your learning Laravel more difficult than it needs to be by avoiding using the packages it provides. After all, one of the reasons for using Laravel, or any sort of framework for that matter, is to leverage the features it provides to simplify your life.