Custom Middleware Laravel is not working on api routes

I have a middleware called user to filter roles on my users database table. This is my middleware, called User:

<?php

namespace App\Http\Middleware;

use Closure;
use Auth;
use UsersData;
class User
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if(Auth::check() && Auth::User()->role=='user'){
            return $next($request);
        }
        return redirect()->route('login')->with('danger',"You don't have an access");
    }
}

I have registered my middleware in the Kernel:

protected $routeMiddleware = [
        'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'user' => \App\Http\Middleware\User::class,
        'ajax' => \App\Http\Middleware\Ajax::class,
    ];

And the routes in api.php:

Route::middleware('user')->group(function () {
        Route::post('province','ApiController@getcity')->name('api.getcity');
        Route::post('courier/getcost','ApiController@getCourierCost')->name('api.getcouriercost');
    });

Update: here are the guards in config/auth.php:

<?php

return [

    /*
    |--------------------------------------------------------------------------
    | Authentication Defaults
    |--------------------------------------------------------------------------
    |
    | This option controls the default authentication "guard" and password
    | reset options for your application. You may change these defaults
    | as required, but they're a perfect start for most applications.
    |
    */

    'defaults' => [
        'guard' => 'web',
        'passwords' => 'users',
    ],

    /*
    |--------------------------------------------------------------------------
    | Authentication Guards
    |--------------------------------------------------------------------------
    |
    | Next, you may define every authentication guard for your application.
    | Of course, a great default configuration has been defined for you
    | here which uses session storage and the Eloquent user provider.
    |
    | All authentication drivers have a user provider. This defines how the
    | users are actually retrieved out of your database or other storage
    | mechanisms used by this application to persist your user's data.
    |
    | Supported: "session", "token"
    |
    */

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver' => 'token',
            'provider' => 'users',
        ],
    ],

    /*
    |--------------------------------------------------------------------------
    | User Providers
    |--------------------------------------------------------------------------
    |
    | All authentication drivers have a user provider. This defines how the
    | users are actually retrieved out of your database or other storage
    | mechanisms used by this application to persist your user's data.
    |
    | If you have multiple user tables or models you may configure multiple
    | sources which represent each model / table. These sources may then
    | be assigned to any extra authentication guards you have defined.
    |
    | Supported: "database", "eloquent"
    |
    */

    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\User::class,
        ],

        // 'users' => [
        //     'driver' => 'database',
        //     'table' => 'users',
        // ],
    ],

    /*
    |--------------------------------------------------------------------------
    | Resetting Passwords
    |--------------------------------------------------------------------------
    |
    | You may specify multiple password reset configurations if you have more
    | than one user table or model in the application and you want to have
    | separate password reset settings based on the specific user types.
    |
    | The expire time is the number of minutes that the reset token should be
    | considered valid. This security feature keeps tokens short-lived so
    | they have less time to be guessed. You may change this as needed.
    |
    */

    'passwords' => [
        'users' => [
            'provider' => 'users',
            'table' => 'password_resets',
            'expire' => 60,
        ],
    ],

];

Everything works on the web.php routes, but it doesn't work in api.php?

I'd really appreciate it if you leave a comment!

In an ajax request, you can't check authentication like this:

Auth::check();

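Because in ajax you don't have any session. You have to send each user a random key when they send their first login request; when the login succeeds, save it in the key field of their record in the database. Then, when they want to send a request, they must send the key, and you check it against the key in the database to decide whether to let them in.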

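One of the reasons we have separate route files for web (web.php) and API (api.php) is that they use different authentication methods. The first is the usual way (Web Auth), and the second is API Auth, which @Babak has already mentioned in his/her answer.

API authentication is stateless; it needs a token on each request, which is generated and recorded in a separate table with user_id as the foreign key. There is no login page for authenticating API users, but you can use the usual login page to let them request an API Token and use it to access the API. You can use various methods to check their API Token, such as putting it as a Bearer token in the request header, or including it in the request body.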
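An added example (not from the original question or answers) of the role check rewritten for the token-based `api` guard that the question's config/auth.php defines and the answers describe. The class name `ApiUser`, the alias `api.user`, and an `api_token` column on the users table are assumptions.

```php
<?php
// Added example, not the asker's code. ApiUser is a hypothetical class name.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class ApiUser
{
    /**
     * Role check for stateless API routes.
     *
     * Resolves the user through the 'api' guard (driver 'token' in the
     * config/auth.php shown in the question) instead of the default
     * session-backed 'web' guard that Auth::check() uses.
     */
    public function handle($request, Closure $next)
    {
        // The token guard reads the token from the api_token query/body
        // field or the "Authorization: Bearer <token>" header and matches
        // it against users.api_token (column assumed to exist).
        $user = Auth::guard('api')->user();

        if ($user === null) {
            // Missing or unknown token. Answer with JSON: a redirect to the
            // login route with a flash message needs a session.
            return response()->json(['message' => 'Unauthenticated.'], 401);
        }

        if ($user->role !== 'user') {
            // Valid token, wrong role: authenticated but not authorized.
            return response()->json(['message' => 'Forbidden.'], 403);
        }

        // Make later Auth::user() calls in controllers use the same guard.
        Auth::shouldUse('api');

        return $next($request);
    }
}

// app/Http/Kernel.php, $routeMiddleware (hypothetical alias):
//     'api.user' => \App\Http\Middleware\ApiUser::class,
// routes/api.php:
//     Route::middleware('api.user')->group(function () { /* routes */ });
```

Prefer sending the token in the Authorization header rather than the query string, since URLs are commonly written to access logs.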
