我正在尝试在同一个 Laravel 应用程序中为 Web 和 API 创建身份验证，但是网络身份验证无法正常工作。问题出在 SESSION_DOMAIN 上：当我把它从 .env 文件中删除时，两种身份验证都能正常工作；但当我把它保留在 .env 文件中时，网络身份验证就无法正常工作，并收到 419 | 页面过期错误。
# NOTE(review): APP_KEY is a live secret and has now been published together with this
# question; rotate it (php artisan key:generate). With SESSION_DRIVER=cookie the whole
# session payload travels in an APP_KEY-encrypted cookie, so anyone holding the key can
# read or forge sessions for this app.
# NOTE(review): SESSION_DOMAIN=localhost sets an explicit Domain attribute on the session
# and XSRF cookies. Browsers handle a bare "localhost" Domain attribute inconsistently and
# may discard the cookie, in which case the CSRF token can never match and web POSTs get
# 419 — consistent with the symptom described above. For local development leave
# SESSION_DOMAIN unset and confirm via the Set-Cookie header of the login response.
# Local-only values: root with an empty DB_PASSWORD must never reach a shared environment.
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:ZSiB/A6U0zU8Vn2x8gbNnU1prcw90xQBfqm3JS9qp+I=
APP_DEBUG=true
APP_URL=http://localhost
SANCTUM_STATEFUL_DOMAINS=localhost:3000
SESSION_DOMAIN=localhost
LOG_CHANNEL=stack
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug
DB_CONNECTION=mysql
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=xpert_test
DB_USERNAME=root
DB_PASSWORD=
BROADCAST_DRIVER=log
CACHE_DRIVER=file
FILESYSTEM_DISK=local
QUEUE_CONNECTION=sync
SESSION_DRIVER=cookie
SESSION_LIFETIME=120
MEMCACHED_HOST=127.0.0.1
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
MAIL_MAILER=smtp
MAIL_HOST=mailhog
MAIL_PORT=1025
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS="hello@example.com"
MAIL_FROM_NAME="${APP_NAME}"
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=
AWS_USE_PATH_STYLE_ENDPOINT=false
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
这是我的 .env 文件代码
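<?php

namespace App\Http\Controllers\API;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Validator;

/**
 * Authentication endpoints for API clients (see routes under the "v1" prefix).
 *
 * Clients may be a stateful SPA (session cookie, see SANCTUM_STATEFUL_DOMAINS)
 * or a plain bearer-token client; the latter carries no session, so every
 * session call below is guarded by hasSession().
 */
class UserController extends Controller
{
    /**
     * Register a new API user and issue a Sanctum token.
     *
     * Response shapes are unchanged: `{success:false, errors:{...}}` on
     * validation failure, otherwise `{success:true, user:{...}, token:"..."}`.
     * Both are sent with HTTP 200 because clients already branch on `success`;
     * 422 would be the conventional status for the failure case.
     */
    public function register(Request $request)
    {
        $validator = Validator::make($request->all(), [
            'name' => 'required|string|max:255',
            'email' => 'required|string|email|unique:users,email',
            'password' => 'required|string|min:6',
            'cpassword' => 'required|string|min:6|same:password',
        ], [
            'cpassword.same' => 'Password confirmation does not match.',
        ]);

        if ($validator->fails()) {
            return response()->json([
                'success' => false,
                'errors' => $validator->errors(),
            ], 200);
        }

        // 'role' is fixed server-side so a client cannot self-assign the
        // admin role (1) by adding a field to the request body.
        $user = User::create([
            'name' => $request->input('name'),
            'email' => $request->input('email'),
            'password' => Hash::make($request->input('password')),
            'role' => 0,
        ]);

        $this->rotateSession($request);

        return response()->json([
            'success' => true,
            'user' => $user,
            'token' => $user->createToken('API Token')->plainTextToken,
        ], 200);
    }

    /**
     * Authenticate an API user and issue a Sanctum token.
     *
     * Returns `{validationError:true, message:{...}}` for malformed input,
     * `{success:false, message:"Invalid credentials"}` when the credentials
     * do not match, and `{success:true, user:{...}, token:"..."}` otherwise.
     */
    public function login(Request $request)
    {
        // NOTE(review): min:5 here vs min:6 in register(); left as-is so no
        // existing account is locked out. This rule only shapes the submitted
        // value, the real check is Auth::attempt() below.
        $validator = Validator::make($request->all(), [
            'email' => 'required|string|email',
            'password' => 'required|string|min:5',
        ]);

        if ($validator->fails()) {
            return response()->json([
                'validationError' => true,
                'message' => $validator->errors(),
            ], 200);
        }

        // 'role' => 0 limits this endpoint to ordinary users; admin accounts
        // (role 1) cannot obtain an API token through it.
        $credentials = [
            'email' => $request->input('email'),
            'password' => $request->input('password'),
            'role' => 0,
        ];

        // One generic message for both "unknown email" and "wrong password"
        // so the endpoint does not reveal which accounts exist.
        if (! Auth::attempt($credentials)) {
            return response()->json([
                'success' => false,
                'message' => 'Invalid credentials',
            ], 200);
        }

        // Auth::attempt() already resolved the user; the previous version
        // re-queried the users table by email for the same row.
        /** @var User $user */
        $user = Auth::user();

        $this->rotateSession($request);

        return response()->json([
            'success' => true,
            'user' => $user,
            'token' => $user->createToken('API Token')->plainTextToken,
        ], 200);
    }

    /** Return the user resolved by the auth:sanctum middleware. */
    public function profile()
    {
        return response()->json([
            'success' => true,
            'user' => Auth::user(),
        ], 200);
    }

    /**
     * Revoke every API token of the current user (all devices) and, when the
     * request is stateful, invalidate the session and rotate the CSRF token.
     */
    public function logout(Request $request)
    {
        $request->user()->tokens()->delete();

        if ($request->hasSession()) {
            $request->session()->invalidate();
            $request->session()->regenerateToken();
        }

        return response()->json([
            'success' => true,
            'message' => 'User loggedOut successfully',
        ], 200);
    }

    /**
     * Issue a fresh session id after a privilege change (session fixation
     * defence) when the request carries a session; a no-op for bearer-token
     * clients, for which Request::session() would throw.
     */
    private function rotateSession(Request $request): void
    {
        if ($request->hasSession()) {
            $request->session()->regenerate();
        }
    }
}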
这是我的 API 授权代码
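<?php

namespace App\Http\Controllers;

use App\Models\Product;
use App\Models\Question;
use App\Models\Section;
use App\Models\Test;
use Illuminate\Http\Request;

/**
 * Session-based (web guard) authentication for the admin area.
 *
 * The same web guard is also written by the API login (users with role 0),
 * so every admin page must check the role itself; the 'auth' middleware only
 * proves that someone is signed in.
 */
class AuthController extends Controller
{
    /** Role value that grants access to the admin area; API users are created with 0. */
    private const ADMIN_ROLE = 1;

    /** Show the admin login page. */
    public function index()
    {
        return view('index');
    }

    /**
     * Render the admin dashboard with entity counts.
     *
     * Aborts with 403 for any signed-in user that is not an admin; without
     * this, a role-0 user logged in through the API could open the page.
     */
    public function adminDashboard()
    {
        abort_unless($this->isAdmin(), 403);

        return view('admin.dashboard', [
            'products_count' => Product::count(),
            'sections_count' => Section::count(),
            'tests_count' => Test::count(),
            'questions_count' => Question::count(),
        ]);
    }

    /**
     * Handle the admin login form.
     *
     * A correct password for a non-admin account must not leave that account
     * signed in: the earlier version answered "Invalid credentials" but kept
     * the authenticated session, which then satisfied the 'auth' middleware
     * on /dashboard.
     */
    public function adminLogin(Request $request)
    {
        $request->validate([
            'email' => 'required|email',
            'password' => 'required|max:50|min:5',
        ]);

        $credentials = $request->only(['email', 'password']);

        if (auth()->attempt($credentials)) {
            // Fresh session id after a privilege change (session fixation).
            $request->session()->regenerate();

            if ($this->isAdmin()) {
                return redirect()->route('admin.dashboard');
            }

            // Wrong role: undo the login before reporting failure, with the
            // same message as a bad password so non-admin accounts are not
            // distinguishable from unknown ones.
            $this->endSession($request);
        }

        return redirect()->back()->withErrors(['message' => 'Invalid credentials']);
    }

    /** Log the current user out, invalidate the session and return to the login page. */
    public function logout(Request $request)
    {
        $this->endSession($request);

        return redirect()->route('admin.login.page');
    }

    /** True when a user is signed in on the web guard and carries the admin role. */
    private function isAdmin(): bool
    {
        $user = auth()->user();

        // NOTE(review): strict comparison as in the original; this relies on
        // the users.role column being cast to int on the model — confirm.
        return $user !== null && $user->role === self::ADMIN_ROLE;
    }

    /** Log out and destroy the session, rotating the CSRF token as the API logout does. */
    private function endSession(Request $request): void
    {
        auth()->logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();
    }
}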
这是我的网络身份验证代码
// Login page and form are reachable only while no web session is authenticated.
Route::group(['middleware' => 'guest'], function () {
    Route::get('/', [AuthController::class, 'index'])->name('admin.login.page');
    Route::post('/admin-login', [AuthController::class, 'adminLogin'])->name('admin.login');
});

// 'auth' proves a signed-in web session, nothing about the role; the controller
// must enforce that. NOTE(review): logout is a GET without a CSRF token, so any
// third-party page can trigger it cross-site; a POST route carrying the CSRF
// token is the usual shape.
Route::group(['middleware' => 'auth'], function () {
    Route::get('/logout', [AuthController::class, 'logout'])->name('logout');
    Route::get('/dashboard', [AuthController::class, 'adminDashboard'])->name('admin.dashboard');
});
这是我的 web.php 路由文件
Route::group(['prefix' => 'v1'], function () {
    // unprotected routes
    Route::post('/login', [UserController::class, 'login']);
    Route::post('/register', [UserController::class, 'register']);

    // protected routes — auth:sanctum accepts a bearer token or, for origins
    // listed in SANCTUM_STATEFUL_DOMAINS, the web session cookie.
    Route::group(['middleware' => 'auth:sanctum'], function () {
        Route::get('/profile', [UserController::class, 'profile']);
        Route::post('/logout', [UserController::class, 'logout']);
    });
});
这是 api.php 文件代码
分享更多代码。
Laravel 中的 419 错误页面通常与 CSRF 相关：它表示该请求可能被视为跨站请求伪造攻击而被拒绝。