Remove default authenticate_session middleware
#547
Conversation
test: Fix test to include AuthenticateSession middleware during test
|
Hey @owenconti, we probably don't want to remove this from here as it could be a security issue, but instead we should maybe fix it in Nova's impersonation logic. Do you have an issue if you use Nova's "Stop Impertonating" button? Can you give us a step-by-step of how to recreate? |
|
I have a similar issue with Nova. I had to change Route::middleware([
'auth:web',
config('jetstream.auth_session'),
EnsureEmailIsVerified::class,
])->group(
// ..I didn't fully understand the problem at the time, but I’m sharing this in case it helps fixing the issue. |
|
@taylorotwell definitely understand not wanting to remove the default value for security reasons, no problem there. I think this isn't on Nova, though. Any other package (or custom code) that does impersonation in combination with using Sanctum (and more specifically Sanctum's Maybe a docs update to the Sanctum Middleware that explains that the |
This PR removes the default
authenticate_sessionmiddleware that is set by Sanctum.We ran into a hard to debug issue in our application where the user would be logged out immediately after impersonating some users via Nova. As it turns out the "some" ended up being based on if the users shared the same password or not. So locally, everything worked fine as all seeded users get the same password. But in production, this is not the case.
I think another potential update here would be to keep the default config as-is, but update the Sanctum docs to make it clear what the
AuthenticateSessionmiddleware does, and that it is enabled by default. However, it seems like all other areas of the Laravel ecosystem make the "log out other devices" feature opt-in, instead of opt-out.