LICENSE.md000064400000002063150250200260006141 0ustar00The MIT License (MIT) Copyright (c) Taylor Otwell Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. composer.json000064400000002612150250200260007257 0ustar00{ "name": "laravel/sanctum", "description": "Laravel Sanctum provides a featherweight authentication system for SPAs and simple APIs.", "keywords": ["laravel", "sanctum", "auth"], "license": "MIT", "support": { "issues": "https://github.com/laravel/sanctum/issues", "source": "https://github.com/laravel/sanctum" }, "authors": [ { "name": "Taylor Otwell", "email": "taylor@laravel.com" } ], "require": { "php": "^8.0.2", "ext-json": "*", "illuminate/console": "^9.21|^10.0", "illuminate/contracts": "^9.21|^10.0", "illuminate/database": "^9.21|^10.0", "illuminate/support": "^9.21|^10.0" }, "require-dev": { "mockery/mockery": "^1.0", "orchestra/testbench": "^7.0|^8.0", "phpunit/phpunit": "^9.3" }, "autoload": { "psr-4": { "Laravel\\Sanctum\\": "src/" } }, "autoload-dev": { "psr-4": { "Laravel\\Sanctum\\Tests\\": "tests/" } }, "extra": { "branch-alias": { "dev-master": "3.x-dev" }, "laravel": { "providers": [ "Laravel\\Sanctum\\SanctumServiceProvider" ] } }, "config": { "sort-packages": true }, "minimum-stability": "dev", "prefer-stable": true } database/migrations/2019_12_14_000001_create_personal_access_tokens_table.php000064400000001530150250200260022466 0ustar00id(); $table->morphs('tokenable'); $table->string('name'); $table->string('token', 64)->unique(); $table->text('abilities')->nullable(); $table->timestamp('last_used_at')->nullable(); $table->timestamp('expires_at')->nullable(); $table->timestamps(); }); } /** * Reverse the migrations. */ public function down(): void { Schema::dropIfExists('personal_access_tokens'); } }; src/HasApiTokens.php000064400000003735150250200260010375 0ustar00morphMany(Sanctum::$personalAccessTokenModel, 'tokenable'); } /** * Determine if the current API token has a given scope. * * @param string $ability * @return bool */ public function tokenCan(string $ability) { return $this->accessToken && $this->accessToken->can($ability); } /** * Create a new personal access token for the user. * * @param string $name * @param array $abilities * @param \DateTimeInterface|null $expiresAt * @return \Laravel\Sanctum\NewAccessToken */ public function createToken(string $name, array $abilities = ['*'], DateTimeInterface $expiresAt = null) { $token = $this->tokens()->create([ 'name' => $name, 'token' => hash('sha256', $plainTextToken = Str::random(40)), 'abilities' => $abilities, 'expires_at' => $expiresAt, ]); return new NewAccessToken($token, $token->getKey().'|'.$plainTextToken); } /** * Get the access token currently associated with the user. * * @return \Laravel\Sanctum\Contracts\HasAbilities */ public function currentAccessToken() { return $this->accessToken; } /** * Set the current access token for the user. * * @param \Laravel\Sanctum\Contracts\HasAbilities $accessToken * @return $this */ public function withAccessToken($accessToken) { $this->accessToken = $accessToken; return $this; } } src/Console/Commands/PruneExpired.php000064400000002760150250200260013616 0ustar00option('hours'); $this->components->task( 'Pruning tokens with expired expires_at timestamps', fn () => $model::where('expires_at', '<', now()->subHours($hours))->delete() ); if ($expiration = config('sanctum.expiration')) { $this->components->task( 'Pruning tokens with expired expiration value based on configuration file', fn () => $model::where('created_at', '<', now()->subMinutes($expiration + ($hours * 60)))->delete() ); } else { $this->components->warn('Expiration value not specified in configuration file.'); } $this->components->info("Tokens expired for more than [$hours hours] pruned successfully."); return 0; } } src/TransientToken.php000064400000001015150250200260011001 0ustar00shouldIgnoreMissing(false); if (in_array('*', $abilities)) { $token->shouldReceive('can')->withAnyArgs()->andReturn(true); } else { foreach ($abilities as $ability) { $token->shouldReceive('can')->with($ability)->andReturn(true); } } $user->withAccessToken($token); if (isset($user->wasRecentlyCreated) && $user->wasRecentlyCreated) { $user->wasRecentlyCreated = false; } app('auth')->guard($guard)->setUser($user); app('auth')->shouldUse($guard); return $user; } /** * Set the personal access token model name. * * @param string $model * @return void */ public static function usePersonalAccessTokenModel($model) { static::$personalAccessTokenModel = $model; } /** * Specify a callback that should be used to fetch the access token from the request. * * @param callable $callback * @return void */ public static function getAccessTokenFromRequestUsing(callable $callback) { static::$accessTokenRetrievalCallback = $callback; } /** * Specify a callback that should be used to authenticate access tokens. * * @param callable $callback * @return void */ public static function authenticateAccessTokensUsing(callable $callback) { static::$accessTokenAuthenticationCallback = $callback; } /** * Determine if Sanctum's migrations should be run. * * @return bool */ public static function shouldRunMigrations() { return static::$runsMigrations; } /** * Configure Sanctum to not register its migrations. * * @return static */ public static function ignoreMigrations() { static::$runsMigrations = false; return new static; } /** * Get the token model class name. * * @return string */ public static function personalAccessTokenModel() { return static::$personalAccessTokenModel; } } src/Events/TokenAuthenticated.php000064400000000672150250200260013070 0ustar00token = $token; } } src/Guard.php000064400000012216150250200260007100 0ustar00auth = $auth; $this->expiration = $expiration; $this->provider = $provider; } /** * Retrieve the authenticated user for the incoming request. * * @param \Illuminate\Http\Request $request * @return mixed */ public function __invoke(Request $request) { foreach (Arr::wrap(config('sanctum.guard', 'web')) as $guard) { if ($user = $this->auth->guard($guard)->user()) { return $this->supportsTokens($user) ? $user->withAccessToken(new TransientToken) : $user; } } if ($token = $this->getTokenFromRequest($request)) { $model = Sanctum::$personalAccessTokenModel; $accessToken = $model::findToken($token); if (! $this->isValidAccessToken($accessToken) || ! $this->supportsTokens($accessToken->tokenable)) { return; } $tokenable = $accessToken->tokenable->withAccessToken( $accessToken ); event(new TokenAuthenticated($accessToken)); if (method_exists($accessToken->getConnection(), 'hasModifiedRecords') && method_exists($accessToken->getConnection(), 'setRecordModificationState')) { tap($accessToken->getConnection()->hasModifiedRecords(), function ($hasModifiedRecords) use ($accessToken) { $accessToken->forceFill(['last_used_at' => now()])->save(); $accessToken->getConnection()->setRecordModificationState($hasModifiedRecords); }); } else { $accessToken->forceFill(['last_used_at' => now()])->save(); } return $tokenable; } } /** * Determine if the tokenable model supports API tokens. * * @param mixed $tokenable * @return bool */ protected function supportsTokens($tokenable = null) { return $tokenable && in_array(HasApiTokens::class, class_uses_recursive( get_class($tokenable) )); } /** * Get the token from the request. * * @param \Illuminate\Http\Request $request * @return string|null */ protected function getTokenFromRequest(Request $request) { if (is_callable(Sanctum::$accessTokenRetrievalCallback)) { return (string) (Sanctum::$accessTokenRetrievalCallback)($request); } $token = $request->bearerToken(); return $this->isValidBearerToken($token) ? $token : null; } /** * Determine if the bearer token is in the correct format. * * @param string|null $token * @return bool */ protected function isValidBearerToken(string $token = null) { if (! is_null($token) && str_contains($token, '|')) { $model = new Sanctum::$personalAccessTokenModel; if ($model->getKeyType() === 'int') { [$id, $token] = explode('|', $token, 2); return ctype_digit($id) && ! empty($token); } } return ! empty($token); } /** * Determine if the provided access token is valid. * * @param mixed $accessToken * @return bool */ protected function isValidAccessToken($accessToken): bool { if (! $accessToken) { return false; } $isValid = (! $this->expiration || $accessToken->created_at->gt(now()->subMinutes($this->expiration))) && (! $accessToken->expires_at || ! $accessToken->expires_at->isPast()) && $this->hasValidProvider($accessToken->tokenable); if (is_callable(Sanctum::$accessTokenAuthenticationCallback)) { $isValid = (bool) (Sanctum::$accessTokenAuthenticationCallback)($accessToken, $isValid); } return $isValid; } /** * Determine if the tokenable model matches the provider's model type. * * @param \Illuminate\Database\Eloquent\Model $tokenable * @return bool */ protected function hasValidProvider($tokenable) { if (is_null($this->provider)) { return true; } $model = config("auth.providers.{$this->provider}.model"); return $tokenable instanceof $model; } } src/NewAccessToken.php000064400000002427150250200260010715 0ustar00accessToken = $accessToken; $this->plainTextToken = $plainTextToken; } /** * Get the instance as an array. * * @return array */ public function toArray() { return [ 'accessToken' => $this->accessToken, 'plainTextToken' => $this->plainTextToken, ]; } /** * Convert the object to its JSON representation. * * @param int $options * @return string */ public function toJson($options = 0) { return json_encode($this->toArray(), $options); } } src/PersonalAccessToken.php000064400000004016150250200260011743 0ustar00 'json', 'last_used_at' => 'datetime', 'expires_at' => 'datetime', ]; /** * The attributes that are mass assignable. * * @var array */ protected $fillable = [ 'name', 'token', 'abilities', 'expires_at', ]; /** * The attributes that should be hidden for serialization. * * @var array */ protected $hidden = [ 'token', ]; /** * Get the tokenable model that the access token belongs to. * * @return \Illuminate\Database\Eloquent\Relations\MorphTo */ public function tokenable() { return $this->morphTo('tokenable'); } /** * Find the token instance matching the given token. * * @param string $token * @return static|null */ public static function findToken($token) { if (strpos($token, '|') === false) { return static::where('token', hash('sha256', $token))->first(); } [$id, $token] = explode('|', $token, 2); if ($instance = static::find($id)) { return hash_equals($instance->token, hash('sha256', $token)) ? $instance : null; } } /** * Determine if the token has a given ability. * * @param string $ability * @return bool */ public function can($ability) { return in_array('*', $this->abilities) || array_key_exists($ability, array_flip($this->abilities)); } /** * Determine if the token is missing a given ability. * * @param string $ability * @return bool */ public function cant($ability) { return ! $this->can($ability); } } src/Http/Middleware/CheckForAnyAbility.php000064400000001654150250200260014510 0ustar00user() || ! $request->user()->currentAccessToken()) { throw new AuthenticationException; } foreach ($abilities as $ability) { if ($request->user()->tokenCan($ability)) { return $next($request); } } throw new MissingAbilityException($abilities); } } src/Http/Middleware/CheckForAnyScope.php000064400000001530150250200260014155 0ustar00handle($request, $next, ...$scopes); } catch (\Laravel\Sanctum\Exceptions\MissingAbilityException $e) { throw new MissingScopeException($e->abilities()); } } } src/Http/Middleware/CheckAbilities.php000064400000001650150250200260013675 0ustar00user() || ! $request->user()->currentAccessToken()) { throw new AuthenticationException; } foreach ($abilities as $ability) { if (! $request->user()->tokenCan($ability)) { throw new MissingAbilityException($ability); } } return $next($request); } } src/Http/Middleware/CheckScopes.php000064400000001513150250200260013222 0ustar00handle($request, $next, ...$scopes); } catch (\Laravel\Sanctum\Exceptions\MissingAbilityException $e) { throw new MissingScopeException($e->abilities()); } } } src/Http/Middleware/EnsureFrontendRequestsAreStateful.php000064400000004345150250200260017673 0ustar00configureSecureCookieSessions(); return (new Pipeline(app()))->send($request)->through(static::fromFrontend($request) ? [ function ($request, $next) { $request->attributes->set('sanctum', true); return $next($request); }, config('sanctum.middleware.encrypt_cookies', \Illuminate\Cookie\Middleware\EncryptCookies::class), \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class, \Illuminate\Session\Middleware\StartSession::class, config('sanctum.middleware.verify_csrf_token', \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class), ] : [])->then(function ($request) use ($next) { return $next($request); }); } /** * Configure secure cookie sessions. * * @return void */ protected function configureSecureCookieSessions() { config([ 'session.http_only' => true, 'session.same_site' => 'lax', ]); } /** * Determine if the given request is from the first-party application frontend. * * @param \Illuminate\Http\Request $request * @return bool */ public static function fromFrontend($request) { $domain = $request->headers->get('referer') ?: $request->headers->get('origin'); if (is_null($domain)) { return false; } $domain = Str::replaceFirst('https://', '', $domain); $domain = Str::replaceFirst('http://', '', $domain); $domain = Str::endsWith($domain, '/') ? $domain : "{$domain}/"; $stateful = array_filter(config('sanctum.stateful', [])); return Str::is(Collection::make($stateful)->map(function ($uri) { return trim($uri).'/*'; })->all(), $domain); } } src/Http/Controllers/CsrfCookieController.php000064400000001103150250200260015347 0ustar00expectsJson()) { return new JsonResponse(null, 204); } return new Response('', 204); } } src/Exceptions/MissingScopeException.php000064400000001446150250200260014444 0ustar00scopes = Arr::wrap($scopes); } /** * Get the scopes that the user did not have. * * @return array */ public function scopes() { return $this->scopes; } } src/Exceptions/MissingAbilityException.php000064400000001502150250200260014761 0ustar00abilities = Arr::wrap($abilities); } /** * Get the abilities that the user did not have. * * @return array */ public function abilities() { return $this->abilities; } } src/SanctumServiceProvider.php000064400000007064150250200260012511 0ustar00 array_merge([ 'driver' => 'sanctum', 'provider' => null, ], config('auth.guards.sanctum', [])), ]); if (! app()->configurationIsCached()) { $this->mergeConfigFrom(__DIR__.'/../config/sanctum.php', 'sanctum'); } } /** * Bootstrap any application services. * * @return void */ public function boot() { if (app()->runningInConsole()) { $this->registerMigrations(); $this->publishes([ __DIR__.'/../database/migrations' => database_path('migrations'), ], 'sanctum-migrations'); $this->publishes([ __DIR__.'/../config/sanctum.php' => config_path('sanctum.php'), ], 'sanctum-config'); $this->commands([ PruneExpired::class, ]); } $this->defineRoutes(); $this->configureGuard(); $this->configureMiddleware(); } /** * Register Sanctum's migration files. * * @return void */ protected function registerMigrations() { if (Sanctum::shouldRunMigrations()) { return $this->loadMigrationsFrom(__DIR__.'/../database/migrations'); } } /** * Define the Sanctum routes. * * @return void */ protected function defineRoutes() { if (app()->routesAreCached() || config('sanctum.routes') === false) { return; } Route::group(['prefix' => config('sanctum.prefix', 'sanctum')], function () { Route::get( '/csrf-cookie', CsrfCookieController::class.'@show' )->middleware('web')->name('sanctum.csrf-cookie'); }); } /** * Configure the Sanctum authentication guard. * * @return void */ protected function configureGuard() { Auth::resolved(function ($auth) { $auth->extend('sanctum', function ($app, $name, array $config) use ($auth) { return tap($this->createGuard($auth, $config), function ($guard) { app()->refresh('request', $guard, 'setRequest'); }); }); }); } /** * Register the guard. * * @param \Illuminate\Contracts\Auth\Factory $auth * @param array $config * @return RequestGuard */ protected function createGuard($auth, $config) { return new RequestGuard( new Guard($auth, config('sanctum.expiration'), $config['provider']), request(), $auth->createUserProvider($config['provider'] ?? null) ); } /** * Configure the Sanctum middleware and priority. * * @return void */ protected function configureMiddleware() { $kernel = app()->make(Kernel::class); $kernel->prependToMiddlewarePriority(EnsureFrontendRequestsAreStateful::class); } } README.md000064400000003020150250200260006006 0ustar00

Logo Laravel Sanctum

Build Status Total Downloads Latest Stable Version License

## Introduction Laravel Sanctum provides a featherweight authentication system for SPAs and simple APIs. ## Official Documentation Documentation for Sanctum can be found on the [Laravel website](https://laravel.com/docs/sanctum). ## Contributing Thank you for considering contributing to Sanctum! The contribution guide can be found in the [Laravel documentation](https://laravel.com/docs/contributions). ## Code of Conduct In order to ensure that the Laravel community is welcoming to all, please review and abide by the [Code of Conduct](https://laravel.com/docs/contributions#code-of-conduct). ## Security Vulnerabilities Please review [our security policy](https://github.com/laravel/sanctum/security/policy) on how to report security vulnerabilities. ## License Laravel Sanctum is open-sourced software licensed under the [MIT license](LICENSE.md). config/sanctum.php000064400000004366150250200260010175 0ustar00 explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf( '%s%s', 'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1', Sanctum::currentApplicationUrlWithPort() ))), /* |-------------------------------------------------------------------------- | Sanctum Guards |-------------------------------------------------------------------------- | | This array contains the authentication guards that will be checked when | Sanctum is trying to authenticate a request. If none of these guards | are able to authenticate the request, Sanctum will use the bearer | token that's present on an incoming request for authentication. | */ 'guard' => ['web'], /* |-------------------------------------------------------------------------- | Expiration Minutes |-------------------------------------------------------------------------- | | This value controls the number of minutes until an issued token will be | considered expired. If this value is null, personal access tokens do | not expire. This won't tweak the lifetime of first-party sessions. | */ 'expiration' => null, /* |-------------------------------------------------------------------------- | Sanctum Middleware |-------------------------------------------------------------------------- | | When authenticating your first-party SPA with Sanctum you may need to | customize some of the middleware Sanctum uses while processing the | request. You may change the middleware listed below as required. | */ 'middleware' => [ 'verify_csrf_token' => App\Http\Middleware\VerifyCsrfToken::class, 'encrypt_cookies' => App\Http\Middleware\EncryptCookies::class, ], ]; UPGRADE.md000064400000001175150250200260006151 0ustar00# Upgrade Guide ## Upgrading To 3.0 From 2.x ### Minimum Versions The following dependency versions have been updated: - The minimum PHP version is now v8.0.2 - The minimum Laravel version is now v9.21 ### New `expires_at` Column Sanctum now supports expiring tokens. To support this feature, a new `expires_at` column must be added to your application's `personal_access_tokens` table. To add the column to your table, create a migration with the following schema change: ```php Schema::table('personal_access_tokens', function (Blueprint $table) { $table->timestamp('expires_at')->nullable()->after('last_used_at'); }); ```