Custom bearer token format returns 404 after PR #417 #458

Closed
RenoLooijmans opened this issue Aug 4, 2023 · 1 comment

Comments

@RenoLooijmans

Sanctum Version

3.2.5

Laravel Version

10.16.1

PHP Version

8.1.4

Database Driver & Version

No response

Description

After Sanctum version 3.2.1 (PR #417) a custom bearer token always returns 404 when someone tries to reach an endpoint secured with Sanctum. Logging in and retrieving the token works OK.

My model ID is an integer, but I'm using another column in the bearer token so as not to expose the model ID, for example a uuid column.

I'm well aware this PR is there for good reasons, but how can I reach my endpoints now with a custom bearer token ID? I've been browsing through the source files and there does not seem to be a good method, as it always looks for the model ID (which is an integer in my case). Is this something which will be supported in the near future, or is my situation an edge case which is not encouraged?

Please let me know if more information is required.

Steps To Reproduce

User model:

```php
public function tokens(): MorphMany
{
    // withTrashed() assumes the token model uses SoftDeletes.
    return $this->morphMany(Sanctum::$personalAccessTokenModel, 'tokenable')
        ->withTrashed();
}

public function createToken(string $name, array $abilities = ['*']): NewAccessToken
{
    $token = $this->tokens()->create([
        'name' => $name,
        // Only the SHA-256 digest is stored; the plaintext is handed to the client once.
        'token' => hash('sha256', $plainTextToken = Str::random(40)),
        'abilities' => $abilities,
    ]);

    // Prefix the plaintext with the token's uuid instead of Sanctum's integer id.
    return new NewAccessToken($token, $token->uuid.'|'.$plainTextToken);
}
```

PersonalAccessToken model:

```php
public static function findToken($token): ?PersonalAccessToken
{
    // Un-prefixed tokens: look up by digest only.
    if (! str_contains($token, '|')) {
        return static::query()->where('token', hash('sha256', $token))->first();
    }

    // Prefixed tokens carry the token's uuid rather than Sanctum's integer id.
    [$uuid, $plainTextToken] = explode('|', $token, 2);

    if ($instance = static::query()->where('uuid', $uuid)->first()) {
        // $instance->tokenable resolves the related model; the relation object itself has no isActive().
        if ($instance->tokenable_type === User::class && ! $instance->tokenable->isActive()) {
            return null;
        }

        // Constant-time comparison of the stored digest against the presented secret.
        return hash_equals($instance->token, hash('sha256', $plainTextToken)) ? $instance : null;
    }

    return null;
}
```

Login controller:

```php
public function login(LoginRequest $request): JsonResponse
{
    $user = User::where('username', $request->username)->first();

    if (! $user || ! Hash::check($request->password, $user->password)) {
        throw ValidationException::withMessages([
            'username' => [trans('auth.failed')],
        ])->status(Response::HTTP_NOT_FOUND);
    }

    if (! $user->isActive()) {
        throw ValidationException::withMessages([
            // Dutch: "Your account has not been activated (yet)."
            'username' => [__('Je account is (nog) niet geactiveerd.')],
        ])->status(Response::HTTP_NOT_FOUND);
    }

    return response()->json([
        'token' => $user->createToken($request->device_name)->plainTextToken,
        'device' => [
            'name' => $request->device_name,
        ],
        'user' => [
            'uuid' => $user->uuid,
            'username' => $user->username,
        ],
    ]);
}
```
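
The `<identifier>|<plaintext>` lookup described in this report, as an added stand-alone PHP example that is neither Sanctum's code nor the reporter's: it validates the identifier segment (integer id or UUID) before any lookup, so a malformed prefix never reaches the database, and verifies the secret in constant time. The in-memory `$rows` array, the sample token and the `parseBearerToken`/`findToken` function names are constructed for the example.

```php
<?php
// Returns ['column' => 'id'|'uuid', 'key' => string, 'secret' => string], or null
// when the bearer token is not of the form "<integer id or UUID>|<plaintext>".
function parseBearerToken(string $bearer): ?array
{
    if (! str_contains($bearer, '|')) {
        return null;
    }
    [$identifier, $secret] = explode('|', $bearer, 2);
    if ($secret === '') {
        return null;
    }
    if (ctype_digit($identifier)) {
        return ['column' => 'id', 'key' => $identifier, 'secret' => $secret];
    }
    $uuid = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    if (preg_match($uuid, $identifier) === 1) {
        return ['column' => 'uuid', 'key' => strtolower($identifier), 'secret' => $secret];
    }
    return null; // anything else is rejected before a query would be built
}

// $rows stands in for the personal_access_tokens table (constructed sample data).
function findToken(array $rows, string $bearer): ?array
{
    $parsed = parseBearerToken($bearer);
    if ($parsed === null) {
        return null;
    }
    foreach ($rows as $row) {
        if ((string) $row[$parsed['column']] === $parsed['key']) {
            // Constant-time comparison of the stored digest against the presented secret.
            return hash_equals($row['token'], hash('sha256', $parsed['secret'])) ? $row : null;
        }
    }
    return null;
}

$rows = [['id' => 7, 'uuid' => '3f2a9c1e-5b7d-4e8a-9c0d-1a2b3c4d5e6f', 'token' => hash('sha256', 'secret-abc')]];
$checks = [
    '7|secret-abc' => true,                                    // integer id prefix
    '3F2A9C1E-5B7D-4E8A-9C0D-1A2B3C4D5E6F|secret-abc' => true, // uuid prefix, case-insensitive
    '7|wrong-secret' => false,                                 // bad secret
    'not-an-id|secret-abc' => false,                           // malformed prefix, no lookup
];
foreach ($checks as $bearer => $expected) {
    if ((findToken($rows, $bearer) !== null) !== $expected) {
        throw new RuntimeException("unexpected result for {$bearer}");
    }
}
echo "all checks passed\n";
```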
@crynobone
Member

Hi there,

Thanks for reporting the problem you are encountering, but it looks like this is a question which may be better suited for a support channel. We only use this issue tracker for reporting bugs with the library itself. If you have a question on how to use functionality provided by this repository you can try one of the following channels:

However, this issue will not be locked and everyone is still free to discuss solutions to your problem!

Thanks.
