After delving into the Laravel source code, I found that the token guard is now useless. All auth is passed through the auth middleware; from there you can see that it calls Auth::guard($name)->guest() to check whether the user is logged in. \Auth::guard will return the guard you specified on the route. Say it is TokenGuard here. In \Illuminate\Auth\TokenGuard, check the user function to find out how TokenGuard gets the user. First, it reads an input parameter named api_token. Then it lets the provider, which can be eloquent as in the default configuration, look up the value in the database. If any value is found, a new user instance is created. If there is no input value named api_token, some other options will be checked:
- bearerToken, HTTP, : .
- HTTP-: PHP_AUTH_PW.
, storageKey.
, API, , .
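
The lookup order described above, as an added example that is not part of the original post and is not Laravel's own code: a simplified, framework-free PHP model of how the token is found and matched. The function names, sample requests and token value are constructed; that bearerToken reads an `Authorization: Bearer` header comes from Laravel's Request API.

```php
<?php
// Simplified model of the TokenGuard lookup order; not Laravel's code.
// All names and sample data below are constructed for illustration.

function tokenFromRequest(array $input, array $server, string $inputKey = 'api_token'): ?string
{
    // 1. Request input parameter named api_token.
    if (!empty($input[$inputKey])) {
        return $input[$inputKey];
    }
    // 2. bearerToken: "Authorization: Bearer <token>" header.
    $auth = $server['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($auth, 'Bearer ') === 0 && trim(substr($auth, 7)) !== '') {
        return trim(substr($auth, 7));
    }
    // 3. Password sent by HTTP header, exposed by PHP as PHP_AUTH_PW.
    if (!empty($server['PHP_AUTH_PW'])) {
        return $server['PHP_AUTH_PW'];
    }
    return null;
}

function resolveUser(array $users, ?string $token, string $storageKey = 'api_token'): ?array
{
    if ($token === null) {
        return null; // no credential found: the request is a guest
    }
    // Stand-in for the provider's database lookup on the storageKey column.
    foreach ($users as $user) {
        if (isset($user[$storageKey]) && hash_equals($user[$storageKey], $token)) {
            return $user;
        }
    }
    return null;
}

$users = [['id' => 1, 'name' => 'alice', 'api_token' => 'constructed-token-123']];

$requests = [
    'input parameter' => [['api_token' => 'constructed-token-123'], []],
    'bearer header'   => [[], ['HTTP_AUTHORIZATION' => 'Bearer constructed-token-123']],
    'basic password'  => [[], ['PHP_AUTH_PW' => 'constructed-token-123']],
    'unknown token'   => [['api_token' => 'wrong'], []],
    'no token'        => [[], []],
];
foreach ($requests as $label => [$input, $server]) {
    $user = resolveUser($users, tokenFromRequest($input, $server));
    printf("%-16s => %s\n", $label, $user ? "user #{$user['id']}" : 'guest');
}
```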