Laravel Sanctum通過簡單令牌機(jī)制保護(hù)API路由，適用於SPAs、移動應(yīng)用等場景。安裝需執(zhí)行composer require laravel/sanctum並發(fā)布遷移文件後運(yùn)行遷移命令；用戶模型添加HasApiTokens特性以支持令牌管理。認(rèn)證路由使用auth:sanctum中間件保護(hù)，默認(rèn)定義在routes/api.php中，並確保請求包含Accept: application/json頭。生成令牌通過創(chuàng)建登錄端點(diǎn)驗(yàn)證用戶憑證並調(diào)用createToken方法返回plainTextToken；客戶端存儲令牌並在請求頭中攜帶Authorization: Bearer 。註銷時(shí)調(diào)用currentAccessToken()->delete()使當(dāng)前令牌失效?？缬蛘埱笮枧渲胏onfig/cors.php允許來源、憑據(jù)及必要頭信息；若用於SPA還需啟用EnsureFrontendRequestsAreStateful中間件並處理同源或CSRF問題。

When you're building RESTful APIs with Laravel Sanctum authentication, the main idea is to secure your API routes while keeping things simple and token-based. Sanctum gives you a lightweight way to handle authentication for SPAs (Single Page Apps), mobile apps, or even third-party services without needing OAuth servers or complex setups.

Setting up Laravel Sanctum

Before diving into API routes, make sure Sanctum is installed and configured properly. Start by installing it via Composer:

 composer require laravel/sanctum

Then publish the config and migration files:

 php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

Run the migrations:

 php artisan migrate

You also need to add the HasApiTokens trait to your User model:

 use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;
}

This allows users to generate and manage API tokens.

Creating authenticated API routes

In Laravel, Sanctum protects routes using middleware. You can apply the auth:sanctum middleware to any route you want to secure.

For example, in your routes/api.php file:

 Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

Make sure your routes are defined in api.php since Sanctum expects requests to come through the /api prefix by default unless you customize it.

Also, don't forget to include the Accept: application/json header in your requests — otherwise, Sanctum might not respond as expected.

Generating and managing API tokens

To let users authenticate and get an access token, create a login endpoint that issues tokens. Here's a basic flow:

1. Accept email and password from the user.
2. Authenticate the credentials.
3. Create a token and return it.

Here's a simple controller method:

 public function login(Request $request)
{
    $credentials = $request->validate([
        'email' => 'required|email',
        'password' => 'required',
    ]);

    if (Auth::attempt($credentials)) {
        $user = Auth::user();
        $token = $user->createToken('auth_token')->plainTextToken;

        return response()->json(['access_token' => $token]);
    }

    return response()->json(['error' => 'Unauthorized'], 401);
}

On the client side, store this token securely and send it in the Authorization header like so:

 Authorization: Bearer <your-token-here>

Keep in mind:

• Tokens are stored in the database under the personal_access_tokens table.
• You can scope tokens if needed, though Sanctum doesn't support scopes out of the box unless you build custom logic.
• Always invalidate tokens on logout:

 $user->currentAccessToken()->delete();

Handling CORS and SPA authentication

If you're building a Single Page Application that communicates with your Laravel backend, you'll want to set up proper CORS headers. Laravel has a built-in configuration file at config/cors.php .

Make sure you allow:

• The correct origins
• Credentials (set supports_credentials to true )
• Proper headers like Authorization , Content-Type , etc.

Sanctum supports cookie-based session authentication for SPAs too, but that requires some extra setup:

• Use the EnsureFrontendRequestsAreStateful middleware
• Make sure your frontend and backend share the same domain (or have proper CORS CSRF handling)

This part can be tricky, especially when dealing with cross-domain cookies and CSRF protection, so double-check Laravel's documentation for the latest guidance.

That's basically how you set up RESTful APIs with Laravel Sanctum authentication. It's straightforward once you understand the flow, but easy to trip over small details like headers, middleware placement, or CORS settings.

以上是用Laravel Sanctum身份驗(yàn)證建造靜止的API的詳細(xì)內(nèi)容。更多資訊請關(guān)注PHP中文網(wǎng)其他相關(guān)文章！