# Nuxt API Authentication and Http Client A comprehensive Nuxt 3 module providing seamless Laravel Sanctum authentication and HTTP client functionality. This module supports both cookie-based (SPA) and token-based authentication with built-in error handling, TypeScript support, and automatic CSRF protection. This module is based on [@qirolab/nuxt-sanctum-authentication](https://github.com/qirolab/nuxt-sanctum-authentication) with significant enhancements and additional functionality. ## Features - **Dual Authentication Modes**: Cookie-based (SPA) and Token-based authentication - **Laravel Sanctum Integration**: Built specifically for Laravel Sanctum with automatic CSRF handling - **Type-Safe HTTP Client**: Full TypeScript support with generics for requests and responses - **Auto-imported Composables**: Ready-to-use authentication and HTTP methods - **Error Handling**: Comprehensive error bag system for validation and API errors - **Route Protection**: Built-in middleware for authenticated and guest-only routes - **Flexible Storage**: Token storage in cookies or localStorage - **Processing States**: Built-in loading states for all async operations - **Custom Headers**: Global and per-request custom header support - **Retry Logic**: Configurable retry attempts for failed requests - **SSR Compatible**: Full server-side rendering support --- ## Installation Install the module using npm: ```shell npm i @xsprtd/nuxt-api ``` --- ## Configuration Within your `nuxt.config.ts` add the `@xsprtd/nuxt-api` to the list of modules and the `nuxtApi` entry and overwrite the relevant options. ```javascript export default defineNuxtConfig({ modules: [ //... '@xsprtd/nuxt-api' //... ], //... nuxtApi: { apiBaseURL: process.env.API_BASE_URL, authMode: 'cookie', userStateKey: 'user', headers: {}, token: { storageKey: 'AUTH_TOKEN', storageType: 'cookie', responseKey: 'token', }, fetchOptions: { retryAttempts: false, }, csrf: { cookieName: 'XSRF-TOKEN', headerName: 'X-XSRF-TOKEN', }, endpoints: { csrf: '/sanctum/csrf-cookie', login: '/api/login', logout: '/api/logout', user: '/api/user', }, redirect: { intendedEnabled: false, login: '/login', postLogin: '/dashboard', postLogout: '/login', }, middlewareNames: { auth: false, guest: false, }, errorMessages: { default: 'Whoops - something went wrong', csrf: 'CSRF token mismatch', unauthenticated: 'Unauthenticated', }, }, //... }) ```

The list of all currently available options

```typescript interface ModuleOptions { /** * The base URL of the API server. * @example http://localhost:8000 */ apiBaseURL: string /** * The current application base URL for the Referrer and Origin header. * @example 'http://localhost:3000' */ originUrl?: string /** * The authentication mode. */ authMode: 'cookie' | 'token' /** * The key to use to store the authenticated user in the `useState` variable. */ userStateKey: string /** * Defines the key used to extract user data from the `endpoints.user` API response. * * Example usage: for response `{ user: { ... } }` it would be `user` */ userResponseKey?: null | string /** * The token specific options. */ token: { /** * The key to store the token in the storage. */ storageKey: string /** * The storage type to use for the token. */ storageType: 'cookie' | 'localStorage' /** * Defines the key used to extract user data from the `endpoints.login` API response. * * Example usage: for response `{ auth_token: { ... } }` it would be `auth_token` */ responseKey: string } /** * Fetch options. */ fetchOptions: { /** * The number of times to retry a request when it fails. */ retryAttempts: number | false } /** * CSRF token options. */ csrf: { /** * Name of the CSRF cookie to extract from server response. */ cookieName: string /** * Name of the CSRF header to pass from client to server. */ headerName: string } /** * API endpoints. */ endpoints: { /** * The endpoint to obtain a new CSRF token. */ csrf: string /** * The authentication endpoint. */ login: string /** * The logout endpoint. */ logout: string /** * The endpoint to fetch current user data. */ user: string } /** * Redirect specific settings. */ redirect: { /** * Specifies whether to retain the requested route when redirecting after login. */ intendedEnabled: boolean /** * Redirect path when access requires user authentication. * Throws a 403 error if set to false. */ login: string | false /** * Redirect path after a successful login. * No redirection if set to false. */ postLogin: string | false /** * Redirect path after a logout. * No redirection if set to false. */ postLogout: string | false } middlewareNames: { /** * Middleware name for authenticated users. * Set to a string to register the middleware with that name. * Set to `false` to disable automatic registration (default). */ auth: string | false /** * Middleware name for guest users. * Set to a string to register the middleware with that name. * Set to `false` to disable automatic registration (default). */ guest: string | false } errorMessages: { /** * A default error message. */ default: string /** * Error message to display when csrf token isn't valid. */ csrf: string /** * Error message to display when user is not-authenticated. */ unauthenticated: string } } ```

ID	Name	Price	Stock	Actions
{{ product.id }}	{{ product.name }}	${{ product.price.toFixed(2) }}	{{ product.stock }}	View Edit

--- ## Laravel Sanctum Backend Setup (Laravel 11+) Before using this module, you need to configure Laravel Sanctum on your backend. Below are complete setup instructions for Laravel 11 and newer. > **Note**: Laravel 11+ includes Sanctum by default. If you're using Laravel 10 or older, you'll need to install Sanctum manually with `composer require laravel/sanctum`. ### 1. Install & Publish Sanctum (if needed) For fresh Laravel 11+ installations, Sanctum is already installed. Just publish the configuration: ```bash php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider" php artisan migrate ``` For older Laravel versions: ```bash composer require laravel/sanctum php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider" php artisan migrate ``` ### 2. Configure CORS Update `config/cors.php`: ```php return [ 'paths' => ['api/*', 'sanctum/csrf-cookie'], 'allowed_methods' => ['*'], 'allowed_origins' => explode(',', env('FRONTEND_URL', 'http://localhost:3000')), 'allowed_origins_patterns' => [], 'allowed_headers' => ['*'], 'exposed_headers' => [], 'max_age' => 0, 'supports_credentials' => true, ]; ``` ### 3. Configure Sanctum Update `config/sanctum.php`: ```php return [ /* |-------------------------------------------------------------------------- | Stateful Domains |-------------------------------------------------------------------------- */ 'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf( '%s%s%s', 'localhost,localhost:3000,localhost:8000,127.0.0.1,127.0.0.1:8000,::1', env('APP_URL') ? ','.parse_url(env('APP_URL'), PHP_URL_HOST) : '', env('FRONTEND_URL') ? ','.parse_url(env('FRONTEND_URL'), PHP_URL_HOST) : '' ))), /* |-------------------------------------------------------------------------- | Sanctum Guards |-------------------------------------------------------------------------- */ 'guard' => ['web'], /* |-------------------------------------------------------------------------- | Expiration Minutes |-------------------------------------------------------------------------- */ 'expiration' => null, /* |-------------------------------------------------------------------------- | Token Prefix |-------------------------------------------------------------------------- */ 'token_prefix' => env('SANCTUM_TOKEN_PREFIX', ''), /* |-------------------------------------------------------------------------- | Sanctum Middleware |-------------------------------------------------------------------------- */ 'middleware' => [ 'authenticate_session' => Laravel\Sanctum\Http\Middleware\AuthenticateSession::class, 'encrypt_cookies' => Illuminate\Cookie\Middleware\EncryptCookies::class, 'validate_csrf_token' => Illuminate\Foundation\Http\Middleware\ValidateCsrfToken::class, ], ]; ``` ### 4. Configure Middleware (Laravel 11+) In Laravel 11+, middleware is configured in `bootstrap/app.php` instead of `app/Http/Kernel.php`: ```php withRouting( web: __DIR__.'/../routes/web.php', api: __DIR__.'/../routes/api.php', commands: __DIR__.'/../routes/console.php', health: '/up', ) ->withMiddleware(function (Middleware $middleware) { $middleware->api(prepend: [ \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class, ]); $middleware->alias([ 'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class, ]); // For cookie-based authentication, ensure stateful API $middleware->statefulApi(); }) ->withExceptions(function (Exceptions $exceptions) { // })->create(); ``` **For Laravel 10 and older**, configure in `app/Http/Kernel.php`: ```php 'api' => [ \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class, \Illuminate\Routing\Middleware\ThrottleRequests::class.':api', \Illuminate\Routing\Middleware\SubstituteBindings::class, ], ``` ### 5. Update Environment Variables Add to `.env`: ```env # Application URLs APP_URL=http://localhost:8000 FRONTEND_URL=http://localhost:3000 # Sanctum Configuration SANCTUM_STATEFUL_DOMAINS=localhost:3000,localhost # Session Configuration SESSION_DRIVER=database SESSION_LIFETIME=120 SESSION_DOMAIN=localhost SESSION_SECURE_COOKIE=false SESSION_SAME_SITE=lax # For production, use these settings: # SESSION_DRIVER=database # SESSION_SECURE_COOKIE=true # SESSION_SAME_SITE=strict ``` **Important**: For cookie-based authentication, ensure your session driver is set to `database`, `redis`, or `memcached` (not `file`) for better reliability in API contexts. Create the sessions table if using database driver: ```bash php artisan make:session-table php artisan migrate ``` ### 6. API Routes Create authentication routes in `routes/api.php`: ```php validate([ 'email' => 'required|email', 'password' => 'required', ]); if (!Auth::attempt($credentials, $request->boolean('remember'))) { throw ValidationException::withMessages([ 'email' => ['The provided credentials are incorrect.'], ]); } $request->session()->regenerate(); return response()->json([ 'user' => Auth::user(), 'message' => 'Logged in successfully', ]); }); // Protected routes Route::middleware('auth:sanctum')->group(function () { Route::get('/user', function (Request $request) { return $request->user(); }); Route::post('/logout', function (Request $request) { Auth::guard('web')->logout(); $request->session()->invalidate(); $request->session()->regenerateToken(); return response()->json([ 'message' => 'Logged out successfully' ]); }); // Your protected routes here... Route::apiResource('products', ProductController::class); }); /* |-------------------------------------------------------------------------- | Token-Based Authentication (API Mode) |-------------------------------------------------------------------------- */ Route::post('/auth/login', function (Request $request) { $credentials = $request->validate([ 'email' => 'required|email', 'password' => 'required', ]); if (!Auth::attempt($credentials)) { return response()->json([ 'message' => 'Invalid credentials', 'errors' => [ 'email' => ['The provided credentials are incorrect.'] ] ], 422); } $user = Auth::user(); // Create token with abilities/scopes if needed $token = $user->createToken( $request->input('device_name', 'api-token'), ['*'], // Abilities now()->addDays(30) // Expiration )->plainTextToken; return response()->json([ 'token' => $token, 'user' => $user, ]); }); Route::middleware('auth:sanctum')->post('/auth/logout', function (Request $request) { // Revoke current token $request->user()->currentAccessToken()->delete(); // Or revoke all tokens: // $request->user()->tokens()->delete(); return response()->json([ 'message' => 'Logged out successfully' ]); }); ``` ### 7. User Model Configuration Ensure your `User` model uses the `HasApiTokens` trait (required for token-based auth): ```php 'datetime', 'password' => 'hashed', ]; } } ``` ### 8. Testing Your Setup Test that CSRF cookies are working: ```bash curl -X GET http://localhost:8000/sanctum/csrf-cookie \ -H "Accept: application/json" \ -H "Origin: http://localhost:3000" \ -c cookies.txt -v ``` Test login: ```bash curl -X POST http://localhost:8000/api/login \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "Origin: http://localhost:3000" \ -d '{"email":"user@example.com","password":"password"}' \ -b cookies.txt -c cookies.txt -v ``` --- ## Usage The module comes with two main composables `useAuth`, which takes care of the authentication and `useHttp` to handle http calls to your api gateway using the most common request methods: `get`, `post`, `put`, `patch` and `destroy` (since `delete` is a reserved keyword). ### Authentication (useAuth) To authenticate the user against laravel sanctum, use the `login` method of the `useAuth` composable - here's an example of how this can be achieved in combination with [NuxtUiPro Form](https://ui.nuxt.com/components/form). ```vue ``` To log user out you can use `logout` method of the `useAuth` composable: ```vue ``` You can also pass through a callback function to the `logout` method should you want to overwrite a default redirect behaviour: ```javascript const logMeOut = () => { logout(() => { console.log('I have logged out!') navigateTo('/') }); } ``` You can check if user is authenticated by using `isLoggedIn` and to obtain an instance of the currently authenticated user use the `user` property: ```vue ``` ### Http Client (useHttp) You can use `useHttp` composable to perform requests to the api gateway using the most common request methods, represented by the corresponding method: #### get / delete Both `get` and `destroy` (`delete` is a reserved keyword so we had to come up with something close enough) share the same interface - here's an example how you can use `get` method: ```typescript const { get, errorBag: { message } } = useHttp() const getProducts = async () => { try { const products = await get('/products') } catch (error: Error) { toast.add({ title: 'Error', description: message, color: 'error' }) } } ``` If you would like to append some query parameters to your url simply pass it as a second argument: ```typescript const products = await get('/products', { page: 2 }) ``` You can also pass any additional options as a third argument, which will be merged and passed through to the underlying `$Fetch` instance. ```typescript const products = await get( '/products', { page: 2 }, { retry: 3, retryDelay: 300 } ) ``` #### post / put / patch Again, all three share the same interface - an example below shows how you can use the `post` method to make a call: ```typescript import type { Reactive } from 'vue'; const { post, errorBag: { message } } = useHttp() interface Product { name: string, price?: number } const form: Reactive = reactive({ name: '', price: null, }) const createProduct = async () => { try { await post('/products', form) } catch (error: Error) { toast.add({ title: 'Error', description: message, color: 'error' }) } } ``` The same as with the `get` method, you can pass any additional options to the call as a third argument: ```typescript await post('/products', form, { retry: 3, retryDelay: 300 }) ``` ### Error bag To simplify parsing of the errors, both `useAuth` and `useHttp` provide access to the underlying instance of the `useErrorBag` composable by the means of the `errorBag` property. You can use this property to access the returned error `message` and, in case of the request that validates input `errors` property consisting of all validation errors. The property also provides helper methods such as: * `has`: to determine whether there is an error message available for a field * `get`: to obtain the error message for a field Here's a simple example of the above in action: ```vue ``` ### Processing status Both `useAuth` and `useHttp` also come with the `processing` property, which indicates when the request is in progress by setting its value to boolean `true` or `false` - you can use it in a following way: ```vue ``` --- ## Comprehensive Laravel Sanctum Examples This section provides exhaustive examples for integrating your Nuxt 3 application with Laravel Sanctum. ### Cookie-Based Authentication (SPA Mode) Cookie-based authentication is recommended for same-domain or subdomain setups. It's more secure and handles CSRF protection automatically. #### Configuration ```typescript // nuxt.config.ts export default defineNuxtConfig({ modules: ['@xsprtd/nuxt-api'], nuxtApi: { apiBaseURL: 'http://localhost:8000', originUrl: 'http://localhost:3000', authMode: 'cookie', // Cookie-based auth endpoints: { csrf: '/sanctum/csrf-cookie', login: '/api/login', logout: '/api/logout', user: '/api/user', }, redirect: { intendedEnabled: true, // Remember requested page login: '/login', postLogin: '/dashboard', postLogout: '/login', }, }, }) ``` #### Complete Login Page Example ```vue ``` #### Protected Dashboard with User Profile ```vue ``` #### Custom Login Callback ```typescript ``` ### Token-Based Authentication (API Mode) Token-based authentication is ideal for mobile apps, third-party integrations, or when your frontend and backend are on different domains. #### Configuration ```typescript // nuxt.config.ts export default defineNuxtConfig({ modules: ['@xsprtd/nuxt-api'], nuxtApi: { apiBaseURL: 'https://api.example.com', authMode: 'token', // Token-based auth token: { storageKey: 'AUTH_TOKEN', storageType: 'cookie', // or 'localStorage' responseKey: 'token', // Key in login response: { token: "..." } }, endpoints: { login: '/api/auth/login', logout: '/api/auth/logout', user: '/api/auth/user', }, }, }) ``` #### Laravel Backend for Token Mode ```php // routes/api.php use Illuminate\Http\Request; use Illuminate\Support\Facades\Route; use Illuminate\Support\Facades\Auth; use App\Models\User; Route::post('/auth/login', function (Request $request) { $request->validate([ 'email' => 'required|email', 'password' => 'required', ]); if (!Auth::attempt($request->only('email', 'password'))) { return response()->json([ 'message' => 'Invalid credentials', 'errors' => [ 'email' => ['The provided credentials are incorrect.'] ] ], 422); } $user = Auth::user(); $token = $user->createToken('auth-token')->plainTextToken; return response()->json([ 'token' => $token, 'user' => $user ]); }); Route::middleware('auth:sanctum')->group(function () { Route::get('/auth/user', function (Request $request) { return $request->user(); }); Route::post('/auth/logout', function (Request $request) { $request->user()->currentAccessToken()->delete(); return response()->json(['message' => 'Logged out']); }); }); ``` #### Token Login Example ```vue ``` #### Nested Token Response If your API returns token in a nested structure: ```typescript // nuxt.config.ts - for response like { data: { auth_token: "..." } } export default defineNuxtConfig({ nuxtApi: { authMode: 'token', token: { responseKey: 'data.auth_token', // Supports dot notation // ... }, }, }) ``` ### Complete CRUD Operations #### Resource List with Pagination ```vue ``` #### Create Resource ```vue

Login

Dashboard

Profile Information

Products

Create Product