Can't access Auth::user() from api route controller?

[ap250733]

Hello, I can log in fine to my LDAP server but when I try to access the Auth::user() in my API route through my controller, I'm getting null. I've tried enabling middleware => auth for my routes but in postman I'm getting

{ "message": "Unauthenticated." }

I've tried installing sanctum, but I can't find any resources online on exactly how to use it while incorporating ldaprecord-laravel. Any ideas would be appreicated, I can post any code snippets as needed. Forgive me if I made any mistakes, I'm still a beginner.

Here is my routes/api.php

Route::group(['middleware' => 'auth'], function() {
    /* Initiators for Header*/
    Route::get('/initiators', function() {
        dd(Auth::user());
    });
});

Here is my config/auth.php

    /*
    |--------------------------------------------------------------------------
    | Authentication Defaults
    |--------------------------------------------------------------------------
    |
    | This option controls the default authentication "guard" and password
    | reset options for your application. You may change these defaults
    | as required, but they're a perfect start for most applications.
    |
    */

    'defaults' => [
        'guard' => 'web',
        'passwords' => 'users',
    ],

    /*
    |--------------------------------------------------------------------------
    | Authentication Guards
    |--------------------------------------------------------------------------
    |
    | Next, you may define every authentication guard for your application.
    | Of course, a great default configuration has been defined for you
    | here which uses session storage and the Eloquent user provider.
    |
    | All authentication drivers have a user provider. This defines how the
    | users are actually retrieved out of your database or other storage
    | mechanisms used by this application to persist your user's data.
    |
    | Supported: "session"
    |
    */

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'ldap',
        ],
        'api' => [
            'driver' => 'session',
            'provider' => 'ldap',
            'hash' => false,
        ],
    ],

    /*
    |--------------------------------------------------------------------------
    | User Providers
    |--------------------------------------------------------------------------
    |
    | All authentication drivers have a user provider. This defines how the
    | users are actually retrieved out of your database or other storage
    | mechanisms used by this application to persist your user's data.
    |
    | If you have multiple user tables or models you may configure multiple
    | sources which represent each model / table. These sources may then
    | be assigned to any extra authentication guards you have defined.
    |
    | Supported: "database", "eloquent"
    |
    */

    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\Models\User::class,
        ],

        'ldap' => [
            'driver' => 'ldap',
            'model' => LdapRecord\Models\ActiveDirectory\User::class,
            'rules' => [],
        ],

        // 'users' => [
        //     'driver' => 'database',
        //     'table' => 'users',
        // ],
    ],

    /*
    |--------------------------------------------------------------------------
    | Resetting Passwords
    |--------------------------------------------------------------------------
    |
    | You may specify multiple password reset configurations if you have more
    | than one user table or model in the application and you want to have
    | separate password reset settings based on the specific user types.
    |
    | The expire time is the number of minutes that the reset token should be
    | considered valid. This security feature keeps tokens short-lived so
    | they have less time to be guessed. You may change this as needed.
    |
    */

    // 'providers' => [
    //     // ...
    
    //     'users' => [
    //         'driver' => 'ldap',
    //         'model' => LdapRecord\Models\ActiveDirectory\User::class, //Change to ActiveDirectory
    //         'rules' => [],
    //     ],
    // ],

    /*
    |--------------------------------------------------------------------------
    | Password Confirmation Timeout
    |--------------------------------------------------------------------------
    |
    | Here you may define the amount of seconds before a password confirmation
    | times out and the user is prompted to re-enter their password via the
    | confirmation screen. By default, the timeout lasts for three hours.
    |
    */

    'password_timeout' => 10800,

Any help, ideas would be appreciated, thank you.

[stevebauman]

Hi @ap250733,

How are you authenticating with Postman? If you're trying to use a session driver with your API routes, the session isn't likely being setup due to Kernel.php:

https://github.com/laravel/laravel/blob/f7b982ebdf7bd31eda9f05f901bd92ed32446156/app/Http/Kernel.php#L35

Notice how the StartSession::class is not inside of the api middleware group. This is intended, as API requests should be stateless.

If you're using Sanctum, you will have to create your own API authentication route that creates a Sanctum API token after you Auth::attempt()/Auth::validate() a user. Sanctum provides documentation on creating this route:

https://laravel.com/docs/9.x/sanctum#issuing-mobile-api-tokens

Here is their example:

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;
 
Route::post('/sanctum/token', function (Request $request) {
    $request->validate([
        'email' => 'required|email',
        'password' => 'required',
        'device_name' => 'required',
    ]);
 
    $user = User::where('email', $request->email)->first();
 
    if (! $user || ! Hash::check($request->password, $user->password)) {
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }
 
    return $user->createToken($request->device_name)->plainTextToken;
});

You could modify the above controller to work with LdpRecord with an Auth::validate() call like so:

Route::post('/sanctum/token', function (Request $request) {
    $request->validate([
        'email' => 'required|email',
        'password' => 'required',
        'device_name' => 'required',
    ]);

    $ldapCredentials = [
        'mail' => $request->email,
        'password' => $request->password,
    ];
 
    if (! Auth::validate($ldapCredentials)) {
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }
 
    return Auth::getLastAttempted()->createToken($request->device_name)->plainTextToken;
});

Once you've authenticated and have received the plain text token via your auth route above, you will then keep that token to authenticate further requests with Postman by placing the token inside of an Authorization: Bearer <token> header.