nuwave · spawnia · Jul 6, 2020 · Jul 16, 2020 · Jul 16, 2020 · Jul 16, 2020
diff --git a/app/GraphQL/Mutations/Login.php b/app/GraphQL/Mutations/Login.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace App\GraphQL\Mutations;
+
+use App\Models\User;
+use GraphQL\Error\Error;
+use Illuminate\Support\Facades\Auth;
+
+class Login
+{
+    /**
+     * @param  null  $_
+     * @param  array<string, mixed>  $args
+     */
+    public function __invoke($_, array $args): User
+    {
+        $guard = Auth::guard(config('sanctum.guard', 'web'));
+
+        if( ! $guard->attempt($args)) {
+            throw new Error('Invalid credentials.');
+        }
+
+        /**
+         * Since we successfully logged in, this can no longer be `null`.
+         *
+         * @var \App\Models\User $user
+         */
+        $user = $guard->user();
+
+        return $user;
+    }
+}
diff --git a/app/GraphQL/Mutations/Logout.php b/app/GraphQL/Mutations/Logout.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace App\GraphQL\Mutations;
+
+use App\Models\User;
+use Illuminate\Support\Facades\Auth;
+
+class Logout
+{
+    /**
+     * @param  null  $_
+     * @param  array<string, mixed>  $args
+     */
+    public function __invoke($_, array $args): ?User
+    {
+        $guard = Auth::guard(config('sanctum.guard', 'web'));
+
+        /** @var \App\Models\User|null $user */
+        $user = $guard->user();
+        $guard->logout();
+
+        return $user;
+    }
+}
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
@@ -25,6 +25,12 @@ class Kernel extends HttpKernel
      * @var array<string, array<string|class-string>>
      */
     protected $middlewareGroups = [
+        'web' => [
+            \Illuminate\Cookie\Middleware\EncryptCookies::class,
+            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
+            \Illuminate\Session\Middleware\StartSession::class,
+            \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class,
+        ],
         'api' => [
             'throttle:60,1',
             \Illuminate\Routing\Middleware\SubstituteBindings::class,

diff --git a/composer.json b/composer.json
@@ -15,6 +15,7 @@
         "fruitcake/laravel-cors": "^1.0",
         "guzzlehttp/guzzle": "^6.3",
         "laravel/framework": "^7.0",
+        "laravel/sanctum": "^2.4",
         "mll-lab/laravel-graphql-playground": "^2.1",
         "nuwave/lighthouse": "^4.15.0"
     },

diff --git a/composer.lock b/composer.lock
diff --git a/config/app.php b/config/app.php
@@ -157,6 +157,7 @@
         Illuminate\Queue\QueueServiceProvider::class,
         Illuminate\Redis\RedisServiceProvider::class,
         Illuminate\Auth\Passwords\PasswordResetServiceProvider::class,
+        Illuminate\Session\SessionServiceProvider::class,
         Illuminate\Translation\TranslationServiceProvider::class,
         Illuminate\Validation\ValidationServiceProvider::class,
         Illuminate\View\ViewServiceProvider::class,
@@ -217,6 +218,7 @@
         'Response' => Illuminate\Support\Facades\Response::class,
         'Route' => Illuminate\Support\Facades\Route::class,
         'Schema' => Illuminate\Support\Facades\Schema::class,
+        'Session' => Illuminate\Support\Facades\Session::class,
         'Storage' => Illuminate\Support\Facades\Storage::class,
         'Str' => Illuminate\Support\Str::class,
         'URL' => Illuminate\Support\Facades\URL::class,

diff --git a/config/auth.php b/config/auth.php
@@ -36,6 +36,11 @@
     */
 
     'guards' => [
+        'web' => [
+            'driver' => 'session',
+            'provider' => 'users',
+        ],
+
         'api' => [
             'driver' => 'token',
             'provider' => 'users',

diff --git a/config/graphql-playground.php b/config/graphql-playground.php
@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+return [
+    /*
+    |--------------------------------------------------------------------------
+    | Route configuration
+    |--------------------------------------------------------------------------
+    |
+    | Set the URI at which the GraphQL Playground can be viewed
+    | and any additional configuration for the route.
+    |
+    */
+
+    'route' => [
+        'uri' => '/graphql-playground',
+        'name' => 'graphql-playground',
+        'middleware' => ['web']
+        // 'prefix' => '',
+        // 'domain' => 'graphql.' . env('APP_DOMAIN', 'localhost'),
+    ],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Default GraphQL endpoint
+    |--------------------------------------------------------------------------
+    |
+    | The default endpoint that the Playground UI is set to.
+    | It assumes you are running GraphQL on the same domain
+    | as GraphQL Playground, but can be set to any URL.
+    |
+    */
+
+    'endpoint' => '/graphql',
+
+    /*
+    |--------------------------------------------------------------------------
+    | Control Playground availability
+    |--------------------------------------------------------------------------
+    |
+    | Control if the playground is accessible at all.
+    | This allows you to disable it in certain environments,
+    | for example you might not want it active in production.
+    |
+    */
+
+    'enabled' => env('GRAPHQL_PLAYGROUND_ENABLED', true),
+];
diff --git a/config/lighthouse.php b/config/lighthouse.php
@@ -31,6 +31,8 @@
         'middleware' => [
             \Nuwave\Lighthouse\Support\Http\Middleware\AcceptJson::class,
 
+            \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
+
             // Logs in a user if they are authenticated. In contrast to Laravel's 'auth'
             // middleware, this delegates auth and permission checks to the field level.
             \Nuwave\Lighthouse\Support\Http\Middleware\AttemptAuthentication::class,
@@ -54,7 +56,7 @@
     |
     */
 
-    'guard' => 'api',
+    'guard' => 'sanctum',
 
     /*
     |--------------------------------------------------------------------------

diff --git a/config/sanctum.php b/config/sanctum.php
@@ -0,0 +1,47 @@
+<?php
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Stateful Domains
+    |--------------------------------------------------------------------------
+    |
+    | Requests from the following domains / hosts will receive stateful API
+    | authentication cookies. Typically, these should include your local
+    | and production domains which access your API via a frontend SPA.
+    |
+    */
+
+    'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost,127.0.0.1,127.0.0.1:8000,::1')),
+
+    /*
+    |--------------------------------------------------------------------------
+    | Expiration Minutes
+    |--------------------------------------------------------------------------
+    |
+    | This value controls the number of minutes until an issued token will be
+    | considered expired. If this value is null, personal access tokens do
+    | not expire. This won't tweak the lifetime of first-party sessions.
+    |
+    */
+
+    'expiration' => null,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Sanctum Middleware
+    |--------------------------------------------------------------------------
+    |
+    | When authenticating your first-party SPA with Sanctum you may need to
+    | customize some of the middleware Sanctum uses while processing the
+    | request. You may change the middleware listed below as required.
+    |
+    */
+
+    'middleware' => [
+        'verify_csrf_token' => \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class,
+        'encrypt_cookies' => \Illuminate\Cookie\Middleware\EncryptCookies::class,
+    ],
+
+];