Allow using login for API routes without session

It is useful to use the same `AuthenticatesUsers` trait for login via API as for login in the browser, because the trait provides things like throttling and validation. The problem is similar to the discussion in laravel#208 - API routes may not have a session. This PR adds `if ($request->hasSession()) {` the same as the comments in laravel#208 suggest. This also replaces laravel#90 properly.
kohenkatz · Aug 25, 2022 · 31ca344 · 31ca344
1 parent 2dff275
commit 31ca344
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/auth-backend/AuthenticatesUsers.php b/auth-backend/AuthenticatesUsers.php
@@ -107,7 +107,9 @@ protected function credentials(Request $request)
      */
     protected function sendLoginResponse(Request $request)
     {
-        $request->session()->regenerate();
+        if ($request->hasSession()) {
+            $request->session()->regenerate();
+        }
 
         $this->clearLoginAttempts($request);
 
@@ -167,9 +169,11 @@ public function logout(Request $request)
     {
         $this->guard()->logout();
 
-        $request->session()->invalidate();
+        if ($request->hasSession()) {
+            $request->session()->invalidate();
 
-        $request->session()->regenerateToken();
+            $request->session()->regenerateToken();
+        }
 
         if ($response = $this->loggedOut($request)) {
             return $response;