app\\Http\\Kernel.php<\/code> insert following lines:<\/p>\n\n\n\n 'api' => [
\\App\\Http\\Middleware\\EncryptCookies::class,
\\Illuminate\\Cookie\\Middleware\\AddQueuedCookiesToResponse::class,
\\Illuminate\\Session\\Middleware\\StartSession::class,
\\Laravel\\Passport\\Http\\Middleware\\CreateFreshApiToken::class,
...
], <\/pre>\n\n\n\nCreateFreshApiToken<\/strong> middleware will generate a JWT access token, create a cookie with it + CSRF token of current session + an expiration date and add it to the response.
EncryptCookies<\/strong> will ensure that any incoming or outgoing cookies will be encrypted so the client cannot see the actual value of it.
AddQueuedCookiesToResponse <\/strong>will attach the cookie to our response.
StartSession<\/strong> will give us a session based on the cookie. This way we can access user’s data from it.<\/p>\n\n\n\nMake sure all 4 classes are inserted above: 'throttle:60,1'<\/code> and 'bindings'<\/code>.<\/p>\n\n\n\nHere comes the twist<\/h2>\n\n\n\n
If you take a look inside CreateFreshApiToken<\/strong> class, you will find the following method:<\/p>\n\n\n\n
protected function requestShouldReceiveFreshToken($request)
{
return $request->isMethod('GET') && $request->user($this->guard);
} <\/pre>\n\n\n\nUntil now I haven’t find a good reason for checking if the request method is “GET” (Later edit<\/strong>: I’ve found one. Maybe will discuss it in a further post) We need to give the user a valid cookie as soon as he logs in. And for oblivious reasons the login and register methods should always be a “POST”. So I created a CustomCreateApiToken<\/strong> class and override the method as follows:<\/p>\n\n\n\nuse Laravel\\Passport\\Http\\Middleware\\CreateFreshApiToken as Middleware;
class CustomCreateApiToken extends Middleware
{
\/**
* Determine if the request should receive a fresh token.
*
* @param \\Illuminate\\Http\\Request $request
* @return bool
*\/
protected function requestShouldReceiveFreshToken($request)
{
return $request->user($this->guard);
}
}
<\/pre>\n\n\n\n