<?php
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;
use Laravel\Sanctum\PersonalAccessToken;
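class LoginController extends Controller
{
    /**
     * Abilities granted to every token issued by login(). Scope this per client
     * type if read-only clients are ever introduced.
     */
    private const TOKEN_ABILITIES = ['posts:read', 'posts:write'];

    /**
     * Issue a personal access token for a verified email/password pair.
     *
     * Validates email, password and device_name, looks the user up by email and
     * checks the submitted password against the stored hash. Both failure paths
     * (unknown email, wrong password) raise the same generic message under the
     * `email` key so the response does not reveal whether the address exists.
     *
     * @throws ValidationException when the input is missing/invalid or the
     *                             credentials do not match
     */
    public function login(Request $request): JsonResponse
    {
        // validate() returns only the validated fields; reading from this array
        // instead of $request->email avoids picking up unvalidated input.
        $credentials = $request->validate([
            'email' => ['required', 'email'],
            'password' => ['required'],
            // Stored as the token's name; keep it a bounded string.
            'device_name' => ['required', 'string', 'max:255'],
        ]);

        $user = User::where('email', $credentials['email'])->first();

        // Hash::check is skipped when no user exists, so the two failure paths
        // differ in timing; the error message is deliberately identical for both.
        if ($user === null || ! Hash::check($credentials['password'], $user->password)) {
            throw ValidationException::withMessages([
                'email' => ['The provided credentials are incorrect.'],
            ]);
        }

        // One token per device name; the abilities restrict what this token may call.
        $token = $user->createToken($credentials['device_name'], self::TOKEN_ABILITIES)->plainTextToken;

        return response()->json([
            'token' => $token,
            // Serialised through the model's $hidden list — password and
            // remember_token must remain hidden (NOTE(review): confirm on App\Models\User).
            'user' => $user,
        ]);
    }

    /**
     * Revoke the token that authenticated the current request.
     *
     * A request authenticated through the SPA session cookie carries a
     * transient token with no database row, so only a persisted
     * PersonalAccessToken is deleted; the response is the same either way.
     */
    public function logout(Request $request): JsonResponse
    {
        $current = $request->user()->currentAccessToken();

        if ($current instanceof PersonalAccessToken) {
            $current->delete();
        }

        return response()->json(['message' => 'Logged out successfully']);
    }

    /**
     * Revoke every token belonging to the authenticated user, including the
     * one used for this request, e.g. after a password change or a lost device.
     */
    public function logoutAll(Request $request): JsonResponse
    {
        // Bulk delete on the relation query, not a model-by-model loop.
        $request->user()->tokens()->delete();

        return response()->json(['message' => 'Logged out from all devices']);
    }
}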
<?php
use App\Http\Controllers\Auth\LoginController;
use App\Http\Controllers\PostController; // assumed location — adjust if the class lives elsewhere
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
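// Unauthenticated entry point. Throttled per client so password guessing is
// rate-limited (6 attempts per minute, the same budget Laravel's starter kits use).
Route::post('/login', [LoginController::class, 'login'])
    ->middleware('throttle:6,1');

// Everything below requires a valid Sanctum token or an authenticated SPA session.
Route::middleware('auth:sanctum')->group(function (): void {
    Route::get('/user', fn (Request $request) => $request->user());
    Route::post('/logout', [LoginController::class, 'logout']);
    // Registered so the controller's logoutAll() is actually reachable.
    Route::post('/logout-all', [LoginController::class, 'logoutAll']);
    Route::get('/posts', [PostController::class, 'index']);

    // Mutations additionally require the posts:write ability on the token.
    // The 'ability' alias must be registered in the app's middleware aliases
    // (not every Laravel version ships it by default — confirm), and a
    // session-authenticated first-party SPA request passes every ability check.
    Route::middleware('ability:posts:write')->group(function (): void {
        Route::post('/posts', [PostController::class, 'store']);
        Route::put('/posts/{post}', [PostController::class, 'update']);
    });
});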
<?php
// In controller
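/**
 * Store a new post; the request's token must carry the posts:write ability.
 *
 * The check duplicates the `ability:posts:write` route middleware on purpose,
 * so the controller stays safe if it is ever routed without it. Note that a
 * session-authenticated first-party SPA request passes tokenCan() unconditionally.
 */
public function store(Request $request)
{
    // Deny explicitly: an empty "has permission" branch would let a
    // read-only token fall through to the write path below.
    if (! $request->user()->tokenCan('posts:write')) {
        abort(403, 'This token cannot create posts.');
    }

    // ... create the post and return its representation ...
}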
Laravel Sanctum provides lightweight API authentication for SPAs and mobile apps. For SPAs on the same domain, Sanctum uses Laravel's session cookies together with CSRF protection. For mobile apps or third-party clients, it issues API tokens stored in a personal_access_tokens table. I protect API routes with the auth:sanctum middleware. Users authenticate via login endpoints that either set cookies or return tokens. Token abilities scope permissions—for example, read-only versus full access. The currentAccessToken() method retrieves the token that authenticated the current request, for ability checks or revocation. Sanctum is simpler than OAuth for first-party applications while remaining secure. It handles token expiration, revocation, and multiple tokens per user for different devices.