Laravel 8.x automatically assigning unwanted guards to api route

[rummanrc]

• Laravel Version: 8.15.0
• PHP Version: 7.4.11
• Database Driver & Version: MySQL 8.0

Description:

Although I'm assigning only one guard through the auth middleware e.g: auth:admin (I've also tried Auth::shouldUse('admin') ) Laravel automatically assigns multiple guards: api, user and admin
Weirdly enough, for the auth:user guard, it only assigns 2 guards: api and user.
So, my admin with id 2, gets access to the user with id 2.

Out of curiosity I created a laravel 7 project and tested my same code, and there I don't have this guard issue. auth:admin only gets admin guard, auth:user only gets user guard. So I'm pretty sure it's a 8.x specific issue.

Steps To Reproduce:

1. Create 2 separate guards in the config/auth.php file with providers (different models too)

    'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
   
    'api' => [
        'driver' => 'jwt',
        'provider' => 'users',
        //'hash' => false,
    ],
   
    'user' => [
        'driver' => 'jwt',
        'provider' => 'users',
        //'hash' => false,
    ],
   
    'admin' => [
        'driver' => 'jwt',
        'provider' => 'admins',
    ],
    ],
   

2. I'm using driver jwt as I'm using tymon/jwt-auth package

3. Using the following controller method to login as my Admin

    public function login()
    {
        $credentials = request()->only(['username', 'password']);
        
        if (! $token = auth()->guard('admin')->attempt($credentials)) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }

        return $this->respondWithToken($token);
    }
    protected function respondWithToken($token)
    {
        return response()->json([
            'access_token' => $token,
            'token_type' => 'bearer',
            'expires_in' => 300,//auth()->factory()->getTTL() * 60
        ]);
    }

    /**
     * Get the guard to be used during authentication.
     *
     * @return \Illuminate\Contracts\Auth\Guard
     */
//    public function guard()
//    {
//        return Auth::guard('admin');
//    }
}

4. Defined routes in the routes/api.php as follows:

Route::group([

    'middleware' => ['auth:user'],
    'namespace' => 'App\Http\Controllers\Employee',

], function ($router) {

    Route::post('login', 'AuthController@login');
    Route::post('logout', 'AuthController@logout');
    Route::post('refresh', 'AuthController@refresh');
    Route::post('me', 'AuthController@me');

});

Route::group([

    'middleware' => ['auth:admin'],
    'namespace' => 'App\Http\Controllers\Admin',
    'prefix' => 'admin',

], function ($router) {

    Route::post('login', 'AuthController@login');
    Route::post('logout', 'AuthController@logout');
    Route::post('refresh', 'AuthController@refresh');
    Route::post('me', 'AuthController@me');

});

5. Sent an API request to login as admin, logged in successfully and received a token

6. Used the token on a user route (/me) and it responded with the user of same id.

7. Went to tinker to check the guards and this is the outcome:
   

8. Also checked from inside a function, admin gets 3 guards in total: api, user, admin

        $guradlist = [];
        $guards = array_keys(config('auth.guards'));
        foreach ($guards as $guard) {
            if(Auth::guard($guard)->check()) $guradlist[] = $guard;
        }

        return response()->json(['access'=>$guradlist, 'userdata'=>auth()->user()]);

[driesvints]

Can you maybe set up a test repo of a fresh install to reproduce this? With the bare minimum changes needed to reproduce this behavior. Please commit your changes separately from the skeleton.

[taylorotwell]

I don't know what you mean when you say "gets a guard".

[taylorotwell]

I mean to me it makes sense a request would pass for both api and user guards... they literally have the exact same configuration.

[rummanrc]

So I started from scratch and right after the LDAP login it started showing the issues.
@driesvints here is the git repo you asked for:
https://github.com/rummanrc/laravelguardissue8/tree/main
first master branch is just the base, then the ldap_login_user branch contains ldap login implementation (just like my main project), the issues begin on this branch.

This is the env config for the publicly available LDAP server I'm using to test:

LDAP_CONNECTION=default
LDAP_BASE_DN='dc=example,dc=com'
LDAP_LOGGING=true
LDAP_HOSTS=ldap.forumsys.com
LDAP_PORT=389
LDAP_TIMEOUT=5
LDAP_SSL=false
LDAP_TLS=false
LDAP_USERNAME=cn=read-only-admin,dc=example,dc=com
LDAP_PASSWORD=password

Not sure if laravel has anything to do with it, at this point. I'll check out the adldap2 repo for more info