I have a test that is failing unexpectedly, and I'm wondering if there's something obvious I'm missing. Basically, I want to test that an API endpoint returns the appropriate responses depending on common case scenarios (unauthenticated user, forbidden actions, invalid data, valid data, etc.).
I am using Sanctum and (to me), it does not make sense for this API endpoint to work with other forms of authentication. However, this test is failing.
PostControllerTest

```php
public function test_should_return_401()
{
    $user = User::factory()->create();
    // Log the user in on the "web" guard and hit the Sanctum-protected route.
    $response = $this->actingAs($user, 'web')->postJson(route('posts.store'), []);
    $response->assertStatus(401);
}
```
I have checked the route is using the auth:sanctum middleware.
routes/api.php

```php
Route::middleware(['auth:sanctum'])->group(function () {
    // apiResource() requires the controller class as its second argument.
    Route::apiResource('posts', PostController::class);
});
```
And there does not seem to be anything out of the ordinary in the default middleware...
Middleware/Kernel

```php
protected $middlewareGroups = [
    'api' => [
        \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        'throttle:api',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];
```
...or the service provider.
RouteServiceProvider

```php
public function boot()
{
    $this->configureRateLimiting();

    $this->routes(function () {
        Route::middleware('api')
            ->prefix('api')
            ->group(base_path('routes/api.php'));
    });
}
```
Am I missing something or is this expected behavior?
It would not fail, since you can use the same middleware `auth:sanctum` for both web and API calls, and as it is written in the docs: you can limit the API routes to only stateless requests by commenting out the middleware.
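A feature test covering the cases the question lists (guest, invalid payload, valid payload), as an added example that is not part of the question or the answer. It authenticates through `Sanctum::actingAs()` instead of the `web` guard, so the request reaches the controller as a Sanctum API client; the `PostController` validation rule (a required `title`), the `posts:create` ability name and the `posts` table columns are assumptions for illustration.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;

class PostControllerTest extends TestCase
{
    use RefreshDatabase;

    // No user on any guard: auth:sanctum must reject the request with 401.
    public function test_guest_gets_401(): void
    {
        $this->postJson(route('posts.store'), [])->assertStatus(401);
    }

    // Authenticate through Sanctum's own test helper rather than actingAs($user, 'web').
    // An empty payload should fail validation, not authentication.
    public function test_authenticated_user_with_invalid_payload_gets_422(): void
    {
        Sanctum::actingAs(User::factory()->create());

        $this->postJson(route('posts.store'), [])
            ->assertStatus(422)
            ->assertJsonValidationErrors(['title']); // assumes a required "title" rule
    }

    // Valid payload with a token that carries the (assumed) "posts:create" ability.
    public function test_authenticated_user_with_valid_payload_gets_201(): void
    {
        $user = User::factory()->create();
        Sanctum::actingAs($user, ['posts:create']);

        $this->postJson(route('posts.store'), ['title' => 'Hello', 'body' => 'World'])
            ->assertStatus(201);

        // Assumed table/columns: the post is persisted and owned by the acting user.
        $this->assertDatabaseHas('posts', ['title' => 'Hello', 'user_id' => $user->id]);
    }
}
```

Running the first test with `actingAs($user, 'web')` instead of no user shows the behaviour the question describes: the request is accepted because the guard is already authenticated, which is why the 401 assertion cannot be used to prove that web sessions are rejected.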