Laravel 10 Passport API Permission Using Scope

Assume you have installed passport oauth api authentication in your Laravel application and now you want to handle permissions before accessing an API. In this case, you can use passport scope. Laravel Passport Scopes allow your API clients to request a specific set of permissions when requesting authorization to access an account. 

In this tutorial, I will show you how to define a passport scope and how to work with this passport scope to handle API permissions in Laravel passport. Let's see the example of how to handle permissions in laravel passport:

Defining Passport Scopes

Using the Passport::tokensCan method in the boot method of your application's App\Providers\AuthServiceProvider class, we can define passport scope like that:

App\Providers\AuthServiceProvider.php

<?php

namespace App\Providers;

use Laravel\Passport\Passport;
use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        Passport::tokensCan([
            'edit' => 'can edit',
            'create' => 'can add',
            'delete' => 'can delete',
        ]);
    }
}

 

If a client does not request any specific scopes, we may configure our Passport server to attach a default scope like that:

<?php

namespace App\Providers;

use Laravel\Passport\Passport;
use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        Passport::setDefaultScope([
          'check-status',
          'place-orders',
        ]);
    }
}

 

Remember that Laravel Passport's default scopes do not apply to personal access tokens that are generated by the user. Now before using this scope, we have to register to middleware from passport like that:

app/Http/Kernel.php

<?php

protected $routeMiddleware = [
   .
   .
   'scopes' => \Laravel\Passport\Http\Middleware\CheckScopes::class,
   'scope' => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class,
];

 

Now time to add this middleware in our rest api routes. So open routes and paste this below code and update your api.php file.

routes/api.php

<?php

use Illuminate\Support\Facades\Route;
use App\Http\Controllers\ProductController;

Route::get('products', [ProductController::class,'index']);
Route::get('products/{products}', [ProductController::class,'show']);
Route::post('product', [ProductController::class,'store'])->middleware(['auth:api', 'scope:create']);
Route::put('product/{product}', [ProductController::class,'update'])->middleware(['auth:api', 'scope:edit']);
Route::delete('product/{product}', [ProductController::class,'destroy'])->middleware(['auth:api', 'scope:delete']);

 

We can also use this scope in our middleware constructor method like that:

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class ProductController extends Controller
{

    public function __construct()
    {
        $this->middleware(
            [
                'auth:api', 
                'scopes:edit,create,delete'
            ])->except(['index', 'show']);
    }
}

 

We can also check individual cope like below:

<?php

if ($request->user()->tokenCan('create-post')) {
  //user has authorized to perform this operation
}

 

Read also: How To Set Token Expiration Time In Laravel Passport?

 

Conclusion

Now we know laravel api permissions. Hope this laravel passport roles permissions example tutorial will help you to handle laravel passport scopes in your laravel application.