How to add multiple guards on lighthouse GraphQL schema?
What is `guard` in Laravel?
`guard`s in Laravel define how the system should store and retrieve information about your users. At a high level, authentication is carried out through `guard`s.
The default Auth middleware is `\App\Http\Middleware\Authenticate.php`. There is another `auth.basic` middleware, `\Illuminate\Auth\Middleware\AuthenticateWithBasicAuth`.
How to bind a path to a Controller and middleware?
```php
// profile is a method of UserController
Route::get('/user/profile', "UserController@profile")
    // Format is 'middleware:param1,param2'; for auth, the parameters are guard names
    ->middleware('auth:session,foo');
```
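```php
// Illuminate/Auth/Middleware/Authenticate.php
// From where is $auth passed in
// (Auth is Illuminate\Contracts\Auth\Factory; the service container injects the AuthManager)
public function __construct(Auth $auth)
{
    $this->auth = $auth;
}
```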
About AuthManager
How does Lighthouse authentication work?
Note that Lighthouse does not use the `Authenticate.php` middleware. It uses the following middlewares:
Middleware | Purpose | Default or new |
---|---|---|
EncryptCookies | This is newly added to support web authentication. | New |
StartSession | This is newly added to support web authentication. | New |
AcceptJson | Always set the Accept: application/json header. | Default |
AttemptAuthentication | Attempt to authenticate the user. | Default |
The `guard`s declared in the schema will finally be passed to `GuardDirective.php`.
```php
// /nuwave/lighthouse/src/Auth/GuardDirective.php
protected function authenticate(array $guards): void
{
    foreach ($guards as $guard) {
        if ($this->auth->guard($guard)->check()) {
            // @phpstan-ignore-next-line passing null works fine here
            $this->auth->shouldUse($guard);
            return;
        }
    }
    $this->unauthenticated($guards);
}
```
schema
Do I need to set `lighthouse.guard`?
It is used at line #14. If a field has no guard definition, `AttemptAuthentication` will try to use the guard configured in `lighthouse.php`. If that check does not pass, nothing will happen. By comparison, a field that passes none of its listed guards will fail. If the check does pass, the userResolver is set to use that guard. In our case, we should use `web`.
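The difference described above between a field that lists guards and a field that has none, as an added stand-alone example (not Lighthouse's or this page's own code). `FakeAuth` and `FakeGuard` are hypothetical stand-ins for Laravel's `AuthManager` and its guards, `RuntimeException` stands in for the authentication error, and the `web`/`api` guard states are constructed.

```php
<?php
// Stand-alone model of the two code paths; FakeAuth/FakeGuard are stand-ins for
// Laravel's AuthManager and guards, and the guard names/states are constructed.
final class FakeGuard
{
    public function __construct(private bool $authenticated) {}
    public function check(): bool { return $this->authenticated; }
}

final class FakeAuth
{
    public ?string $active = null; // guard selected by shouldUse()
    public function __construct(private array $state) {} // guard name => logged in?
    public function guard(string $name): FakeGuard { return new FakeGuard($this->state[$name] ?? false); }
    public function shouldUse(string $name): void { $this->active = $name; }
}

// Field WITH guards listed: first passing guard wins; if none passes, the field fails closed.
function guardDirective(FakeAuth $auth, array $guards): string
{
    foreach ($guards as $guard) {
        if ($auth->guard($guard)->check()) {
            $auth->shouldUse($guard);
            return "allowed via {$guard}";
        }
    }
    throw new RuntimeException('Unauthenticated, tried: ' . implode(', ', $guards));
}

// Field WITHOUT guards: only lighthouse.guard is tried, and a miss is not an error.
function attemptAuthentication(FakeAuth $auth, string $configuredGuard): string
{
    if ($auth->guard($configuredGuard)->check()) {
        $auth->shouldUse($configuredGuard);
        return "resolver sees the {$configuredGuard} user";
    }
    return 'resolver still runs, with no user';
}

// Constructed request: valid API token, no web session.
$auth = new FakeAuth(['web' => false, 'api' => true]);
echo guardDirective($auth, ['web', 'api']), PHP_EOL;
echo attemptAuthentication($auth, 'web'), PHP_EOL;
try {
    guardDirective($auth, ['web']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The second call is the case to review in a schema: a field with no guard definition is resolved even when the configured guard finds no user, so any field that must not be reachable anonymously needs its guards listed explicitly.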