I'm currently building an API using Laravel and need two different authentication types and would just like some input on whether I'm thinking correctly before implementing everything.
The API will have a React application that makes requests and that will be hosted on the same top domain as the API. I need to use stateful authentication for this as it will link to routes that generate streamed PDFs where the user has to be authenticated. An example is that they log in within the React app, do a few things within the React app that make requests to the API, and then at the end there will be a link to a PDF. This PDF will contain user-specific data and therefore I need the user to be authenticated when generating the PDF. My guess is that I need stateful authentication for this since I can't send Authorization headers using a link?
The API will also have a route group that will be used by external apps on different domains that has to be protected using API Tokens. The stateful authentication should preferably not work on these routes.
How should I go about creating this setup? Is Laravel Sanctum enough for this, using SPA Auth for the main routes and Token Auth for the other ones? Can I stop the SPA Auth from working on the other routes? I did a quick setup to test and did come across an issue that makes me question whether this will work or not. That issue is that when I logged in using Postman on my PC and then asked my colleague to make a request using Postman on his PC, Sanctum acted as if he was logged in and it seemed like we shared session data for the currently logged in user?
Is that a configuration issue on my end or is that the way it's supposed to work and that it isn't the right way for me to go about implementing this?
Thanks in advance!
Stateful authentication
For your React App, you can use Laravel Sanctum's stateful authentication. This will make your React app authenticate using cookies when you need to access routes that generate streamed PDFs.
Token Authentication
External apps can use token-based authentication, which is another feature offered by Sanctum. Use the `auth:api` middleware for routes that require token-based authentication. External apps will send an Authorization header with their requests.
The issue you described, in which different Postman clients seem to share session data, seems unusual. Sanctum's stateful sessions should be bound to a specific browser or client session, so multiple Postman clients should not share the same session unless they're using the same cookie or session data.
I think with the right configuration, Laravel Sanctum should be suitable for your needs. Read its documentation and test everything to make sure that your implementation works correctly.
Finally, if you feel that Sanctum might not fully address your requirements, you can consider other Laravel authentication packages like Passport, but for most SPA and simple API scenarios, Sanctum is more than sufficient.
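As an added illustration of the two-group layout discussed in the question and answer (this is example code, not from the original post or from the Laravel project), the following shows one way to keep the external token routes from accepting a browser session. It uses the `auth:sanctum` guard that Sanctum registers for both cookie and token authentication, and relies on the fact that Sanctum attaches a `Laravel\Sanctum\TransientToken` to the user when the request was authenticated by the session cookie rather than by a personal access token. The middleware class name, the route paths and the controller names are assumptions chosen for the example.

```php
<?php

// app/Http/Middleware/EnsureTokenAuthenticated.php (hypothetical name; added example)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Laravel\Sanctum\TransientToken;
use Symfony\Component\HttpFoundation\Response;

class EnsureTokenAuthenticated
{
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();

        // A request authenticated through the SPA session cookie carries a
        // TransientToken instead of a PersonalAccessToken. Refusing it here
        // means the external route group can only be reached with a real
        // Authorization: Bearer <token> header, never with a browser session.
        if ($user === null || $user->currentAccessToken() instanceof TransientToken) {
            abort(401, 'A personal access token is required on this route.');
        }

        return $next($request);
    }
}

// routes/api.php (added example)
use App\Http\Controllers\ExternalOrderController; // assumed controller
use App\Http\Controllers\ReportController;        // assumed controller
use App\Http\Middleware\EnsureTokenAuthenticated;
use Illuminate\Support\Facades\Route;

// Stateful SPA routes. After the React app logs in, the browser sends the
// session cookie on its own, so a plain <a href> to the PDF route works
// without an Authorization header, which is the case raised in the question.
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/reports/{id}/pdf', [ReportController::class, 'streamPdf']);
});

// External routes. auth:sanctum still performs the authentication; the extra
// middleware then rejects anything that was authenticated by the cookie,
// so SPA sessions do not "leak" into the token-protected group.
Route::prefix('external')
    ->middleware(['auth:sanctum', EnsureTokenAuthenticated::class])
    ->group(function () {
        Route::get('/orders', [ExternalOrderController::class, 'index']);
    });
```

Two configuration checks go with this layout. First, Sanctum only treats a request as stateful when its origin matches the `stateful` list in `config/sanctum.php` (the `SANCTUM_STATEFUL_DOMAINS` environment variable), so that list should contain only the host serving the React app; external callers from other domains then never get cookie authentication in the first place. Second, for the shared-session symptom seen with two Postman clients, compare the session cookie each client actually sends: two separate sessions must have distinct cookie values, and identical values point to a copied cookie (for example an exported Postman environment) rather than to Sanctum's guard.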