
[auth:api ] without api token on request , system allows to login #14552

Closed
subakarank opened this issue Jul 30, 2016 · 11 comments

Comments

@subakarank

    // Read the token from the request; input() returns null when the
    // api_token parameter is absent from the query string.
    $credential = [
        'api_token' => $request->input('api_token')
    ];
    if (Auth::guard('api')->validate($credential))
    {
        echo 'logged in ';
    }
    else
    {
        echo 'login failed ';
    }

http://localhost:8080/laravel/user/show. Here I never send api_token=xxxxxx on the request, but the system prints the "logged in " message.

How is it possible?

@srmklive
Contributor

Never came across this issue. Would need a more concrete example that depicts this issue clearly.

@subakarank
Author

Auth.php

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver' => 'token',
            'provider' => 'users',
        ],
    ],

I use the default auth settings, no custom settings at all.

If I send ?api_token=(no_value_here), then the system throws the login error message. But if I send the request without the key (api_token), the system shows the logged in message.

@subakarank
Author

Found the issue. I had set api_token to null in the database, so the system took the user record with the null token and logged in. I set the field to not null and unique.

Anyway thanks for your comment.

@srmklive
Contributor

@subakarank I tried this with api_token set as null, and tried the following code:

    $credential = [
        'api_token' => $request->input('api_token')
    ];

    if(auth()->guard('api')->validate($credential))
    {
        echo 'logged in ';
    }
    else
    {
        echo 'login failed ';
    }

If I passed a null api_token value, it always showed me the message login failed.

@subakarank
Author

subakarank commented Jul 31, 2016

@srmklive Thanks for your reply.
Set api_token to null in the database and don't send api_token in the request. Then run this script and it will show the "logged in " message. (Note: don't do any validation.)

A null value in the request is checked against a null value in the database, so it evaluates to true and the user information is retrieved.
By the way, setting api_token to null in the database is wrong on my side. But Laravel cannot accept a null credential to check against the database. I think I will reopen this issue and let the Laravel team have a look at this. I feel that it needs to be fixed somehow.
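The following is an added example, not code from this issue or from the Laravel framework. It models the behaviour described in the thread with an in-memory user table and two hypothetical guard functions: `validateNaive()` forwards the request value (null when the parameter is missing) straight to a lookup that treats a null credential as "column is null", which is how a user row with a null `api_token` ends up matching an absent token; `validateHardened()` shows the two checks a defender wants, rejecting an absent or empty token before any lookup and never treating a stored null token as a credential. The user rows are constructed sample data.

```php
<?php
// Added example (not code from the Laravel issue or the framework itself).
declare(strict_types=1);

// Constructed sample user table: bob has no API token assigned (null),
// which is the situation reported in the issue.
const USERS = [
    ['id' => 1, 'name' => 'alice', 'api_token' => 'tok_alice_0123456789'],
    ['id' => 2, 'name' => 'bob',   'api_token' => null],
];

/**
 * Hypothetical naive lookup: compares every credential column with the
 * stored value, so a null credential matches a null column, the same way a
 * "where column = null" query that degrades to "column IS NULL" would.
 */
function retrieveByCredentialsNaive(array $credentials): ?array
{
    foreach (USERS as $user) {
        $match = true;
        foreach ($credentials as $column => $value) {
            if ($user[$column] !== $value) { // null !== null is false: bob matches a null token
                $match = false;
                break;
            }
        }
        if ($match) {
            return $user;
        }
    }
    return null;
}

/** Naive guard: passes whatever arrived in the request, including null, to the lookup. */
function validateNaive(?string $token): bool
{
    return retrieveByCredentialsNaive(['api_token' => $token]) !== null;
}

/**
 * Hardened guard. Two independent checks:
 *  1. request side: an absent (null) or empty token can never identify a user;
 *  2. storage side: a row whose api_token is null is never a valid credential.
 * hash_equals() keeps the comparison constant-time once both sides are strings.
 */
function validateHardened(?string $token): bool
{
    if ($token === null || $token === '') {
        return false;
    }
    foreach (USERS as $user) {
        if ($user['api_token'] !== null && hash_equals($user['api_token'], $token)) {
            return true;
        }
    }
    return false;
}

// A request with no api_token parameter at all: $request->input('api_token') yields null.
$missing = null;
printf("naive, token missing:    %s\n", validateNaive($missing) ? 'logged in' : 'login failed');
printf("hardened, token missing: %s\n", validateHardened($missing) ? 'logged in' : 'login failed');
printf("hardened, empty token:   %s\n", validateHardened('') ? 'logged in' : 'login failed');
printf("hardened, valid token:   %s\n", validateHardened('tok_alice_0123456789') ? 'logged in' : 'login failed');
```

Run it with `php example.php`. The naive path reports a login for the missing-token request because bob's null row satisfies the null credential, while the hardened path refuses the missing and empty cases and only accepts alice's real token. The database-side fix the reporter applied (making the column not null and unique) closes the storage half; the guard-side check closes the request half, and relying on either alone leaves the other open.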

@subakarank subakarank reopened this Jul 31, 2016
@srmklive
Contributor

@subakarank I didn't do any validation. I can't replicate the issue you are reporting.

@subakarank
Author

Did you set api_token to null for any one of the users? Please set it to null and then try.

@srmklive
Contributor

srmklive commented Jul 31, 2016

@subakarank I am able to replicate the issue you are reporting.

@subakarank
Author

On the request, don't send the query parameter name api_token.
Example: http://localhost:8080/laravel/user/show

then run the following query

    $credential = [
        'api_token' => $request->input('api_token')
    ];
    if (auth()->guard('api')->validate($credential)) {
        echo 'logged in ';
    } else {
        echo 'login failed ';
    }

@subakarank
Author

If you think everything is fine, then I will close this issue. I am sure that I didn't do any additional settings for auth. I found that the issue is the null value. After I fixed the validation and the null value, it works fine for me.

Anyway thanks for your comments and remark

@subakarank
Author

@srmklive
Don't even send the name (key) api_token on the request, and then try.
