8

Can Laravel Fortify be used in the context of API? From what I understand, Fortify (although being headless, i.e. doesn't include a UI layer) allows us to customize Login and Register pages, but it automatically redirects to HOME page upon successful authentication. And although the HOME page is customizable, that is not how API logins normally work. It should simply return a success token in JSON format without redirects of any kind.

There is an authenticateUsing function in Fortify, but even that simply allows us to customize authentication logic and not the returned data. Redirection is still performed by Fortify.

How can I use Fortify in the context of REST API?

Note: I'm going to use it from my Vue front-end application. I'm also going to get Sanctum into the game, but before that I just wanted to see if I can do regular token-based authentication using Fortify without having to write my own login, register and logout routes and controller functions.

dotNET

2 Answers

8

Authentication can either be Session-based or Token-based.

Laravel Fortify only provides the backend logic necessary for session-based authentication and therefore is not intended for token-based API authentication.

If you need token-based API authentication, you can use either Sanctum or Passport depending on your needs. But you'll have to write a bit of code, in either case.

If you decide to go with Laravel Passport, I have a boilerplate project that might be of use: https://github.com/pktharindu/laravel-api-boilerplate-passport

P. K. Tharindu
  • 1
    Yep. That's exactly what's confusing. When using Fortify, we are provided with basic authentication routes and services (register, login, reset-password etc.) out-of-the-box, but as you say it is only for session-based authentication. On the other hand, Sanctum can do both session and token based authentication, but doesn't provide any authentication routes. Is my understanding correct? – dotNET Sep 24 '20 at 08:24
  • 2
    I was already using Passport in my project till Laravel 7 and had created all those authentication routes for my API. With Laravel 8, they are advising to move to Sanctum unless we have a need for full OAuth implementation, so I read the docs and got the impression that Sanctum will do token management for me and Fortify (being headless) will provide me the authentication routes and services out-of-the-box, so with these two packages in place, I'll get rid of both my custom login/logout functions as well as Passport. Looks like that understanding is not correct. – dotNET Sep 24 '20 at 08:28
  • 2
    Fortify is pretty much useless if you have a separate frontend app. You can use either Sanctum or Passport. But you'll have to set up the routing yourself. Using Sanctum makes sense if it fits your need and you are starting from scratch. But if you already have Passport installed I'd just keep it as is as moving to Sanctum doesn't provide you with any benefit over Passport. – P. K. Tharindu Sep 24 '20 at 08:42
  • Thanks. That makes sense. – dotNET Sep 24 '20 at 10:53
7

Just set the 'Accept' header to 'application/json' or 'application/javascript', then Fortify will respond with a JSON-formatted body instead of a redirect.

By the way, using Sanctum instead of Passport for an SPA makes it easier to keep the token secure. Google where to store an API token for an SPA and you will find out why.

pejold
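
Added example, not part of either answer above: a login client for the SPA flow the second answer points at, combining the `Accept: application/json` header with Sanctum's cookie-based session so that no API token sits in browser storage. It assumes Sanctum's SPA mode is configured and that the default `/sanctum/csrf-cookie` and Fortify `/login` routes are in use; `fetchImpl` and `getCookies` are hypothetical parameters that let it run offline.

```javascript
// Assumed defaults: Sanctum's CSRF route and Fortify's login route.
const CSRF_PATH = '/sanctum/csrf-cookie';
const LOGIN_PATH = '/login';

// Extract and URL-decode the XSRF-TOKEN cookie Laravel sets on the CSRF route.
function readXsrfToken(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'XSRF-TOKEN') return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build the login request. "Accept: application/json" is what makes Fortify
// answer with JSON instead of a redirect. The session lives in a cookie the
// browser manages, so no bearer token is kept in localStorage.
function buildLoginRequest(baseUrl, cookieString, email, password) {
  const xsrf = readXsrfToken(cookieString);
  if (!xsrf) throw new Error('XSRF-TOKEN cookie missing; call the CSRF route first');
  return {
    url: baseUrl + LOGIN_PATH,
    options: {
      method: 'POST',
      credentials: 'include', // send and accept cookies cross-origin
      headers: {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'X-XSRF-TOKEN': xsrf,
      },
      body: JSON.stringify({ email, password }),
    },
  };
}

// fetchImpl and getCookies are hypothetical injection points so the flow can
// run offline; in a browser pass fetch and () => document.cookie.
async function login(baseUrl, email, password, fetchImpl, getCookies) {
  await fetchImpl(baseUrl + CSRF_PATH, { credentials: 'include' });
  const { url, options } = buildLoginRequest(baseUrl, getCookies(), email, password);
  const res = await fetchImpl(url, options);
  if (res.status === 422) {
    const body = await res.json(); // Laravel validation error payload
    return { ok: false, errors: body.errors };
  }
  return { ok: res.ok, status: res.status };
}
```

Without the `X-XSRF-TOKEN` header the POST is rejected by Laravel's CSRF check, which is why the CSRF route is called first.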