Sanctum Auth

Register

→ validate input → create user (hashed password) → login user automatically → return success response

Login

→ validate credentials → attempt login

IF success: → create session → return success

ELSE: → THROW error

Logout

→ destroy session → return success

Access Protected Route

IF user NOT authenticated: → return 401

ELSE: → allow access

Execution Steps

Register

1. Validate name, email, password
2. Hash password (bcrypt)
3. Create user via repository
4. Log user in
5. Return response

Login

1. Validate email & password
2. Attempt login using Auth::attempt()
3. If success → session created
4. Return success response

Logout

1. Call Auth::logout()
2. Invalidate session
3. Return success response

Example (Best Practice)

use Illuminate\Support\Facades\Auth;

public function login(array $data): void
{
    if (!Auth::attempt($data)) {
        throw new \Exception('Invalid credentials');
    }
}

Controller Example

public function login(LoginRequest $request)
{
    $this->service->login($request->validated());

    return ApiResponse::success(null, 'Login successful');
}

Route Protection

Route::middleware('auth:sanctum')->group(function () {
    Route::get('/workspaces', ...);
});

Access Auth User

$user = auth()->user();

Constraints

• Do not return token manually
• Do not use JWT (for MVP)
• Do not store auth logic in controller
• Do not bypass Sanctum middleware

Anti-Patterns

Manual Token Handling

return ['token' => $token];

Logic in Controller

Auth::attempt(...)

Skipping Middleware

// route without auth:sanctum

Expected Behavior

• User authenticated via cookies
• All protected routes require login
• Session handled automatically by browser