# Authentication
You can use standard Laravel mechanisms to authenticate users of your GraphQL API.
# AttemptAuthentication middleware
As all GraphQL requests are served at a single HTTP endpoint, middleware added through the `lighthouse.php` config will run for all queries against your server.
In most cases, your schema will have some publicly accessible fields and others that require authentication. As multiple checks for authentication or permissions may be required in a single request, it is convenient to attempt authentication once per request.

```php
'route' => [
    'middleware' => [
        \Nuwave\Lighthouse\Support\Http\Middleware\AttemptAuthentication::class,
    ],
],
```
Note that the `AttemptAuthentication` middleware does not protect your fields from unauthenticated access; decorate them with `@guard` as needed.
If you want to guard all your fields against unauthenticated access, you can simply add Laravel's built-in `auth` middleware. Beware that this approach does not allow any GraphQL operations for guest users, so you will have to handle login outside of GraphQL.

```php
'middleware' => [
    'auth:api',
],
```
# Configure the guard
You can configure a default guard to use for authenticating GraphQL requests in `lighthouse.php`.

```php
'guard' => 'api',
```

This setting is used whenever Lighthouse looks for an authenticated user, for example in directives such as `@guard`, or when applying the `AttemptAuthentication` middleware.
Stateless guards are recommended for most use cases, such as the default `api` guard.
# Laravel Sanctum
If you are using Laravel Sanctum for your API, set the guard to `sanctum` and register Sanctum's `EnsureFrontendRequestsAreStateful` as the first middleware for Lighthouse's route.

```php
'route' => [
    // ...
    'middleware' => [
        \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        // ... other middleware
    ],
],

'guard' => 'sanctum',
```

Note that Sanctum requires you to send a CSRF token as a header with all GraphQL requests, regardless of whether the user is authenticated or not.
When using laravel-graphql-playground, follow the instructions to add a CSRF token.
# Guard selected fields
If you want to guard only selected fields, you can use the `@guard` directive to require authentication for accessing them.

```graphql
type Query {
  profile: User! @guard
}
```

If you need to guard multiple fields, just use `@guard` on a `type` or an `extend type` definition. It will be applied to all fields within that type.

```graphql
extend type Query @guard {
  adminInfo: Secrets
  nukeCodes: [NukeCode!]!
}
```
# Get the current user
Lighthouse provides a really simple way to fetch the information of the currently authenticated user.
Just add a field that returns your `User` type and decorate it with the `@auth` directive.

```graphql
type Query {
  me: User @auth
}
```

Sending the following query will return the authenticated user's info, or `null` if the request is not authenticated.

```graphql
{
  me {
    name
    email
  }
}
```
# Stateful Authentication Example
You can create or destroy a session with mutations instead of separate API endpoints (`/login`, `/logout`).
This only works when Lighthouse's guard uses a session driver.
Laravel's token based authentication does not allow logging in or out on the server side.
The implementation in the docs is only an example and may have to be adapted to your specific use case.
Add the following middleware to `config/lighthouse.php`:

```php
'route' => [
    // ...
    'middleware' => [
        // Either those for plain Laravel:
        \Illuminate\Cookie\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,

        // Or this one when using Laravel Sanctum:
        \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,

        // ... other middleware
    ],
],
```
The `login` and `logout` mutations might be defined and implemented like this:

```graphql
type Mutation {
  "Log in to a new session and get the user."
  login(email: String!, password: String!): User!

  "Log out from the current session, showing the user one last time."
  logout: User @guard
}
```
```php
<?php

// Lighthouse's default namespace for mutation resolvers.
namespace App\GraphQL\Mutations;

use App\Models\User;
use GraphQL\Error\Error;
use Illuminate\Support\Facades\Auth;

class Login
{
    /**
     * @param null $_
     * @param array<string, mixed> $args
     */
    public function __invoke($_, array $args): User
    {
        // Plain Laravel: Auth::guard()
        // Laravel Sanctum: Auth::guard(config('sanctum.guard', 'web'))
        $guard = Auth::guard();

        // attempt() verifies the credentials and, on success, stores the user in the session.
        if (! $guard->attempt($args)) {
            throw new Error('Invalid credentials.');
        }

        /**
         * Since we successfully logged in, this can no longer be `null`.
         *
         * @var \App\Models\User $user
         */
        $user = $guard->user();

        return $user;
    }
}
```

```php
<?php

namespace App\GraphQL\Mutations;

use App\Models\User;
use Illuminate\Support\Facades\Auth;

class Logout
{
    /**
     * @param null $_
     * @param array<string, mixed> $args
     */
    public function __invoke($_, array $args): ?User
    {
        // Plain Laravel: Auth::guard()
        // Laravel Sanctum: Auth::guard(config('sanctum.guard', 'web'))
        $guard = Auth::guard();

        /** @var \App\Models\User|null $user */
        $user = $guard->user();

        // Invalidate the session user; the field is nullable because @guard may already have rejected the request.
        $guard->logout();

        return $user;
    }
}
```
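A feature test that exercises the stateful login and logout flow described in this section end to end, including the guest and wrong-password paths. This is an added example, not code from the Lighthouse docs; it assumes `lighthouse.guard` is the session-backed `web` guard, that the session middleware and the `login`/`logout` mutations above are in place, and that `App\Models\User` has a factory.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Nuwave\Lighthouse\Testing\MakesGraphQLRequests;
use Tests\TestCase;

// Added example (not from the Lighthouse docs). Assumes lighthouse.guard is the session
// 'web' guard, this page's session middleware and Login/Logout mutations, and a User factory.
class SessionAuthTest extends TestCase
{
    use MakesGraphQLRequests, RefreshDatabase;

    private const LOGIN = /** @lang GraphQL */ '
        mutation ($email: String!, $password: String!) {
            login(email: $email, password: $password) { email }
        }
    ';

    public function testLoginAndLogoutMutations(): void
    {
        $password = 'correct horse battery staple'; // constructed test credential
        $user = User::factory()->create(['password' => Hash::make($password)]);

        // Guest: @auth yields null and @guard rejects logout instead of leaking a user.
        $this->graphQL(/** @lang GraphQL */ '{ me { email } }')
            ->assertJson(['data' => ['me' => null]]);
        $this->graphQL(/** @lang GraphQL */ 'mutation { logout { email } }')
            ->assertJsonPath('data.logout', null)
            ->assertJsonStructure(['errors']);

        // Wrong password: a generic error and still no session.
        $this->graphQL(self::LOGIN, ['email' => $user->email, 'password' => 'wrong'])
            ->assertJsonPath('errors.0.message', 'Invalid credentials.');
        $this->assertGuest();

        // Valid credentials: the session guard authenticates subsequent requests.
        $this->graphQL(self::LOGIN, ['email' => $user->email, 'password' => $password])
            ->assertJsonPath('data.login.email', $user->email);
        $this->assertAuthenticatedAs($user);

        // Logout returns the user one last time and ends the session.
        $this->graphQL(/** @lang GraphQL */ 'mutation { logout { email } }')
            ->assertJsonPath('data.logout.email', $user->email);
        $this->assertGuest();
    }
}
```

The wrong-password assertion checks that the resolver's generic `Invalid credentials.` message is returned rather than anything that distinguishes an unknown e-mail from a bad password.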