Integration with Laravel Sanctum

[niktsanov]

Hey @ollieread, great package, I really appreciate the simplicity of it!

I'm playing around with it for an existing production application where we want to implement a shared database, shared schema multi-tenancy.

We are authenticating an SPA, so we are using the session-based Sanctum authentication (not token based). Every tenant has a subdomain and we want the session to be scoped to that subdomain, so we have the following configuration:

SESSION_DRIVER=redis
SESSION_DOMAIN=null
SANCTUM_STATEFUL_DOMAINS=*.thankbox.test

That said, since we are not scoping Redis per tenant (shared store for all sessions), someone could technically hijack a session from a tenant1.thankbox.test (change the domain) to tenant2.thankbox.test and be authenticated there.

We've resorted to creating a middleware EnsureValidTenantSession (inspired from spatie's multitenancy package) for dealing with this:

class EnsureValidTenantSession
{
   ...
    public function handle($request, Closure $next)
    {
        $sessionKey = 'ensure_valid_tenant_session_tenant_id';

        if (! $request->session()->has($sessionKey)) {
            $request->session()->put($sessionKey, app($this->currentTenantContainerKey())->getKey());

            return $next($request);
        }

        if ($request->session()->get($sessionKey) !== app($this->currentTenantContainerKey())->getKey()) {
            return $this->handleInvalidTenantSession($request);
        }

        return $next($request);
    }

    protected function handleInvalidTenantSession($request)
    {
        abort(Response::HTTP_UNAUTHORIZED);
    }
}

I'm wondering if you have any plans on supporting scenarios like this in the package or is it out of the scope? Maybe you have plans for other way of handling this?

[niktsanov]

Forgot to mention that the middleware is applied only if the request is stateful:

class EnsureValidTenantSessionForApi extends EnsureValidTenantSession
{
    public function handle($request, Closure $next)
    {
        if (EnsureFrontendRequestsAreStateful::fromFrontend($request)) {
            return parent::handle($request, $next);
        }

        return $next($request);
    }
}

for the token based authentication, we can add an ability to the generated token to scope it to a tenant.

[ollieread]

Hey @niktsanov, thanks, I'm glad you like it.

If you're using the session override, and the login routes are within a tenanted route group, which uses the subdomain identity resolver, the cookie created by the backend should automatically be scoped to the subdomain. So if you changed the subdomain in the URL, it wouldn't send the cookie.

[ollieread]

@niktsanov Though I suspect I may be misunderstanding the issue you're facing.

[niktsanov]

I think you've answer was spot on, I've overlooked the overrides.