I'm using Laravel 8 / VueJs / Sanctum, and I found a small issue. I'm not sure if it's a security issue or not, but I'm thinking it's an exploit in Sanctum.
I'm calling my Vue components in my Blade files.
And I can send and receive the response to all routes that I have in api.php without sending the token.
Also: all my routes are in the sanctum middleware, as you can see.
All my routes are working fine, but the one /user redirects me to home.
Is it possible to receive a response without sending a token after I've logged in?
If yes, why can I receive a response from all my routes, but /user redirects me to /home?
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Every route below is behind the Sanctum guard (session cookie or bearer token).
Route::middleware(['auth:sanctum'])->group(function () {
    Route::get('/user', function (Request $request) {
        return $request->user();
    });

    // Chat routes
    Route::prefix('/chat')->group(function () {
        Route::post('/messages', [App\Http\Controllers\Api\ApiChatController::class, 'store'])->name('api/send-message');
        Route::get('/messages', [App\Http\Controllers\Api\ApiChatController::class, 'show'])->name('api/recent-chat');
        Route::get('/messages/{user}', [App\Http\Controllers\Api\ApiChatController::class, 'show'])->name('api/open-chat');
        Route::get('/threads', [App\Http\Controllers\Api\ApiChatController::class, 'index'])->name('api/all-chat-threads');
    });

    // Dating routes
    Route::prefix('/dating')->group(function () {
        Route::get('/search', [App\Http\Controllers\DatingController::class, 'search'])->name('api/search');
    });
});
CodePudding user response:
Sanctum uses both tokens and cookies for user auth. If you are calling, over the browser, a page which is guarded by Sanctum, then Laravel uses cookie auth. If you make an API call by JavaScript, then Laravel needs the token.
So I think everything is right.
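A feature test that checks what the answer describes, added here as an example (it is not code from the question or the answer): a JSON request with neither a session cookie nor a token must be rejected by the auth:sanctum group, while a web-session login or a Sanctum token authenticates the same routes. It assumes the default App\Models\User model with a factory, and that Sanctum's EnsureFrontendRequestsAreStateful middleware is in the api group so real browser requests can carry the session cookie.

```php
<?php
// tests/Feature/SanctumGuardTest.php (added example; assumes App\Models\User + factory)
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class SanctumGuardTest extends TestCase
{
    use RefreshDatabase;

    /** No session, no token: the guard must refuse the request. */
    public function test_anonymous_json_request_is_rejected(): void
    {
        $this->getJson('/api/user')->assertStatus(401);
        $this->getJson('/api/chat/threads')->assertStatus(401);
    }

    /** A normal web login: the session alone authenticates the API routes. */
    public function test_web_session_authenticates_api_routes(): void
    {
        $user = User::factory()->create();

        $this->actingAs($user, 'web')          // same as a logged-in browser session
             ->getJson('/api/user')
             ->assertOk()
             ->assertJsonPath('id', $user->id);
    }

    /** A Sanctum personal access token authenticates the same routes. */
    public function test_bearer_token_authenticates_api_routes(): void
    {
        $user = User::factory()->create();
        $token = $user->createToken('spa')->plainTextToken;

        $this->withHeader('Authorization', 'Bearer '.$token)
             ->getJson('/api/user')
             ->assertOk();
    }

    /** Without Accept: application/json, Laravel's default handler redirects instead of answering 401. */
    public function test_anonymous_browser_style_request_is_redirected(): void
    {
        $this->get('/api/user')->assertRedirect();
    }
}
```

Run it with `php artisan test --filter SanctumGuardTest`; if the first test returns 200 instead of 401, the routes are genuinely unprotected rather than cookie-authenticated.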
