Implement session based authentication with Sanctum

README.md

@@ -27,6 +27,38 @@ php artisan serve
 
 Access [the GraphiQL UI](https://github.com/graphql/graphiql/blob/main/packages/graphiql/README.md) at `/graphiql`.
 
+In order to log in through Sanctum, find out the email of the seeded user:
+
+```graphql
+{
+  users {
+    data {
+      email
+    }
+  }
+}
+```
+
+Then, log in with the following mutation:
+
+```graphql
+mutation {
+  login(email: "<email>", password: "password") {
+    id
+  }
+}
+```
+
+To validate you are in fact logged in, run the following query:
+
+```graphql
+{
+  me {
+    id
+  }
+}
+```
+
 ## Minimalism
 
 In order to keep maintenance as simple as possible,

app/GraphQL/Mutations/Login.php

@@ -0,0 +1,35 @@
+<?php
+
+namespace App\GraphQL\Mutations;
+
+use App\Models\User;
+use GraphQL\Error\Error;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\Auth;
+
+final class Login
+{
+    /**
+     * @param  null  $_
+     * @param  array{email: string, password: string}  $args
+     */
+    public function __invoke($_, array $args): User
+    {
+        $guardConfig = config('sanctum.guard');
+        assert(is_array($guardConfig));
+
+        $guardName = Arr::first($guardConfig);
+        assert(is_string($guardName));
+
+        $guard = Auth::guard($guardName);
+
+        if( ! $guard->attempt($args)) {
+            throw new Error('Invalid credentials.');
+        }
+
+        $user = $guard->user();
+        assert($user instanceof User, 'must receive User after successful login');
+
+        return $user;
+    }
+}

app/GraphQL/Mutations/Logout.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace App\GraphQL\Mutations;
+
+use App\Models\User;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\Auth;
+
+final class Logout
+{
+    public function __invoke(): ?User
+    {
+        $guardConfig = config('sanctum.guard');
+        assert(is_array($guardConfig));
+
+        $guardName = Arr::first($guardConfig);
+        assert(is_string($guardName));
+
+        $guard = Auth::guard($guardName);
+
+        $user = $guard->user();
+
+        $guard->logout();
+
+        return $user;
+    }
+}

composer.json

@@ -12,6 +12,7 @@
     "require": {
         "php": "^8.2",
         "laravel/framework": "^11",
+        "laravel/sanctum": "^4",
         "laravel/tinker": "^2.9",
         "mll-lab/laravel-graphiql": "^3",
         "nuwave/lighthouse": "^6"

config/graphiql.php

@@ -0,0 +1,64 @@
+<?php declare(strict_types=1);
+
+return [
+    /*
+    |--------------------------------------------------------------------------
+    | Routes configuration
+    |--------------------------------------------------------------------------
+    |
+    | Set the key as URI at which the GraphiQL UI can be viewed,
+    | and add any additional configuration for the route.
+    |
+    | You can add multiple routes pointing to different GraphQL endpoints.
+    |
+    */
+
+    'routes' => [
+        '/graphiql' => [
+            'name' => 'graphiql',
+            'middleware' => ['web'],
+            // 'prefix' => '',
+            // 'domain' => 'graphql.' . env('APP_DOMAIN', 'localhost'),
+
+            /*
+            |--------------------------------------------------------------------------
+            | Default GraphQL endpoint
+            |--------------------------------------------------------------------------
+            |
+            | The default endpoint that the GraphiQL UI is set to.
+            | It assumes you are running GraphQL on the same domain
+            | as GraphiQL, but can be set to any URL.
+            |
+            */
+
+            'endpoint' => '/graphql',
+
+            /*
+            |--------------------------------------------------------------------------
+            | Subscription endpoint
+            |--------------------------------------------------------------------------
+            |
+            | The default subscription endpoint the GraphiQL UI uses to connect to.
+            | Tries to connect to the `endpoint` value if `null` as ws://{{endpoint}}
+            |
+            | Example: `ws://your-endpoint` or `wss://your-endpoint`
+            |
+            */
+
+            'subscription-endpoint' => env('GRAPHIQL_SUBSCRIPTION_ENDPOINT', null),
+        ],
+    ],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Control GraphiQL availability
+    |--------------------------------------------------------------------------
+    |
+    | Control if the GraphiQL UI is accessible at all.
+    | This allows you to disable it in certain environments,
+    | for example you might not want it active in production.
+    |
+    */
+
+    'enabled' => env('GRAPHIQL_ENABLED', true),
+];

config/lighthouse.php

@@ -0,0 +1,54 @@
+<?php declare(strict_types=1);
+
+return [
+    /*
+    |--------------------------------------------------------------------------
+    | Route Configuration
+    |--------------------------------------------------------------------------
+    |
+    | Controls the HTTP route that your GraphQL server responds to.
+    | You may set `route` => false, to disable the default route
+    | registration and take full control.
+    |
+    */
+
+    'route' => [
+        /*
+         * The URI the endpoint responds to, e.g. mydomain.com/graphql.
+         */
+        'uri' => '/graphql',
+
+        /*
+         * Lighthouse creates a named route for convenient URL generation and redirects.
+         */
+        'name' => 'graphql',
+
+        /*
+         * Beware that middleware defined here runs before the GraphQL execution phase,
+         * make sure to return spec-compliant responses in case an error is thrown.
+         */
+        'middleware' => [
+            // Ensures the request is not vulnerable to cross-site request forgery.
+            // Nuwave\Lighthouse\Http\Middleware\EnsureXHR::class,
+
+            // Always set the `Accept: application/json` header.
+            Nuwave\Lighthouse\Http\Middleware\AcceptJson::class,
+
+            Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
+
+            // Logs in a user if they are authenticated. In contrast to Laravel's 'auth'
+            // middleware, this delegates auth and permission checks to the field level.
+            Nuwave\Lighthouse\Http\Middleware\AttemptAuthentication::class,
+
+            // Logs every incoming GraphQL query.
+            // Nuwave\Lighthouse\Http\Middleware\LogGraphQLQueries::class,
+        ],
+
+        /*
+         * The `prefix`, `domain` and `where` configuration options are optional.
+         */
+        // 'prefix' => '',
+        // 'domain' => '',
+        // 'where' => [],
+    ],
+];

config/sanctum.php

@@ -0,0 +1,47 @@
+<?php
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Stateful Domains
+    |--------------------------------------------------------------------------
+    |
+    | Requests from the following domains / hosts will receive stateful API
+    | authentication cookies. Typically, these should include your local
+    | and production domains which access your API via a frontend SPA.
+    |
+    */
+
+    'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost,127.0.0.1,127.0.0.1:8000,::1')),
+
+    /*
+    |--------------------------------------------------------------------------
+    | Expiration Minutes
+    |--------------------------------------------------------------------------
+    |
+    | This value controls the number of minutes until an issued token will be
+    | considered expired. If this value is null, personal access tokens do
+    | not expire. This won't tweak the lifetime of first-party sessions.
+    |
+    */
+
+    'expiration' => null,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Sanctum Middleware
+    |--------------------------------------------------------------------------
+    |
+    | When authenticating your first-party SPA with Sanctum you may need to
+    | customize some of the middleware Sanctum uses while processing the
+    | request. You may change the middleware listed below as required.
+    |
+    */
+
+    'middleware' => [
+        'verify_csrf_token' => \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class,
+        'encrypt_cookies' => \Illuminate\Cookie\Middleware\EncryptCookies::class,
+    ],
+
+];