Added custom auth token header support (#354)

* Addded custom auth token header support

* formatting

* formatting

Co-authored-by: Taylor Otwell <taylor@laravel.com>

Author: CodesignDev

src/Guard.php

@@ -61,7 +61,7 @@ public function __invoke(Request $request)
             }
         }
 
-        if ($token = $request->bearerToken()) {
+        if ($token = $this->getTokenFromRequest($request)) {
             $model = Sanctum::$personalAccessTokenModel;
 
             $accessToken = $model::findToken($token);
@@ -105,6 +105,21 @@ protected function supportsTokens($tokenable = null)
         ));
     }
 
+    /**
+     * Get the token from the request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return string|null
+     */
+    protected function getTokenFromRequest(Request $request)
+    {
+        if (is_callable(Sanctum::$accessTokenRetrievalCallback)) {
+            return (string) (Sanctum::$accessTokenRetrievalCallback)($request);
+        }
+
+        return $request->bearerToken();
+    }
+
     /**
      * Determine if the provided access token is valid.
      *

src/Sanctum.php

@@ -13,6 +13,13 @@ class Sanctum
      */
     public static $personalAccessTokenModel = 'Laravel\\Sanctum\\PersonalAccessToken';
 
+    /**
+     * A callback that can get the token from the request.
+     *
+     * @var callable|null
+     */
+    public static $accessTokenRetrievalCallback;
+
     /**
      * A callback that can add to the validation of the access token.
      *
@@ -83,6 +90,17 @@ public static function usePersonalAccessTokenModel($model)
         static::$personalAccessTokenModel = $model;
     }
 
+    /**
+     * Specify a callback that should be used to fetch the access token from the request.
+     *
+     * @param  callable  $callback
+     * @return void
+     */
+    public static function getAccessTokenFromRequestUsing(callable $callback)
+    {
+        static::$accessTokenRetrievalCallback = $callback;
+    }
+
     /**
      * Specify a callback that should be used to authenticate access tokens.
      *

tests/GuardTest.php

@@ -280,6 +280,139 @@ public function test_authentication_fails_if_callback_returns_false()
 
         $user = $requestGuard->setRequest($request)->user();
         $this->assertNull($user);
+
+        Sanctum::$accessTokenAuthenticationCallback = null;
+    }
+
+    public function test_authentication_is_successful_with_token_in_custom_header()
+    {
+        $this->loadLaravelMigrations(['--database' => 'testbench']);
+        $this->artisan('migrate', ['--database' => 'testbench'])->run();
+
+        $factory = Mockery::mock(AuthFactory::class);
+
+        $guard = new Guard($factory, null);
+
+        $webGuard = Mockery::mock(stdClass::class);
+
+        $factory->shouldReceive('guard')
+                ->with('web')
+                ->andReturn($webGuard);
+
+        $webGuard->shouldReceive('user')->once()->andReturn(null);
+
+        $request = Request::create('/', 'GET');
+        $request->headers->set('X-Auth-Token', 'test');
+
+        $user = User::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => 'taylor@laravel.com',
+            'password' => '$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi',
+            'remember_token' => Str::random(10),
+        ]);
+
+        $token = PersonalAccessToken::forceCreate([
+            'tokenable_id' => $user->id,
+            'tokenable_type' => get_class($user),
+            'name' => 'Test',
+            'token' => hash('sha256', 'test'),
+        ]);
+
+        Sanctum::getAccessTokenFromRequestUsing(function (Request $request) {
+            return $request->header('X-Auth-Token');
+        });
+
+        $returnedUser = $guard->__invoke($request);
+
+        $this->assertEquals($user->id, $returnedUser->id);
+        $this->assertEquals($token->id, $returnedUser->currentAccessToken()->id);
+        $this->assertInstanceOf(DateTimeInterface::class, $returnedUser->currentAccessToken()->last_used_at);
+
+        Sanctum::$accessTokenRetrievalCallback = null;
+    }
+
+    public function test_authentication_fails_with_token_in_authorization_header_when_using_custom_header()
+    {
+        $this->loadLaravelMigrations(['--database' => 'testbench']);
+        $this->artisan('migrate', ['--database' => 'testbench'])->run();
+
+        $factory = Mockery::mock(AuthFactory::class);
+
+        $guard = new Guard($factory, null);
+
+        $webGuard = Mockery::mock(stdClass::class);
+
+        $factory->shouldReceive('guard')
+                ->with('web')
+                ->andReturn($webGuard);
+
+        $webGuard->shouldReceive('user')->once()->andReturn(null);
+
+        $request = Request::create('/', 'GET');
+        $request->headers->set('Authorization', 'Bearer test');
+
+        $user = User::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => 'taylor@laravel.com',
+            'password' => '$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi',
+            'remember_token' => Str::random(10),
+        ]);
+
+        $token = PersonalAccessToken::forceCreate([
+            'tokenable_id' => $user->id,
+            'tokenable_type' => get_class($user),
+            'name' => 'Test',
+            'token' => hash('sha256', 'test'),
+        ]);
+
+        Sanctum::getAccessTokenFromRequestUsing(function (Request $request) {
+            return $request->header('X-Auth-Token');
+        });
+
+        $returnedUser = $guard->__invoke($request);
+
+        $this->assertNull($returnedUser);
+
+        Sanctum::$accessTokenRetrievalCallback = null;
+    }
+
+    public function test_authentication_fails_with_token_in_custom_header_when_using_default_authorization_header()
+    {
+        $this->loadLaravelMigrations(['--database' => 'testbench']);
+        $this->artisan('migrate', ['--database' => 'testbench'])->run();
+
+        $factory = Mockery::mock(AuthFactory::class);
+
+        $guard = new Guard($factory, null);
+
+        $webGuard = Mockery::mock(stdClass::class);
+
+        $factory->shouldReceive('guard')
+                ->with('web')
+                ->andReturn($webGuard);
+
+        $webGuard->shouldReceive('user')->once()->andReturn(null);
+
+        $request = Request::create('/', 'GET');
+        $request->headers->set('X-Auth-Token', 'test');
+
+        $user = User::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => 'taylor@laravel.com',
+            'password' => '$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi',
+            'remember_token' => Str::random(10),
+        ]);
+
+        $token = PersonalAccessToken::forceCreate([
+            'tokenable_id' => $user->id,
+            'tokenable_type' => get_class($user),
+            'name' => 'Test',
+            'token' => hash('sha256', 'test'),
+        ]);
+
+        $returnedUser = $guard->__invoke($request);
+
+        $this->assertNull($returnedUser);
     }
 
     protected function getPackageProviders($app)