Reputation: 4617
I am creating a REST API using the Laravel framework. Everything is great! But I have one problem with custom authentication and authorization.
By default Laravel has some basic authentication in the kernel; it is a great security layer for desktop/browser apps, but in the case of a REST API, which is used primarily on mobile devices, it is redundant.
So I have commented out these lines in Kernel.php
/* \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,*/
Instead I have created my own middleware class and bound it to a route
protected $routeMiddleware = [
'auth' => \App\Http\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'auth.token' => \App\Http\Middleware\TokenAuthMiddleware::class,
'auth.simple' => \App\Http\Middleware\AuthBasicMiddleware::class,
];
I have decided to use a common approach: a token (without an OAuth server). The token is issued once in response to user credentials and then just refreshed when it is required.
My middleware class is just a skeleton
<?php
namespace App\Http\Middleware;

use Closure;

class TokenAuthMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        dd($request->header());
        return $next($request);
    }
}
I am planning to consume the token from the Authorization header in the request, check that it is valid and not expired, and then allow the user to access the protected content.
I want to do this in my middleware class. But I have a problem: I am not receiving headers from the request. To test the API I use a Chrome extension (Advanced Rest Client) or curl, but neither of them works; I mean the client works fine, but the problem is in Laravel, I think.
The problem is that I have manually specified headers in my request, but none of them appear in the Laravel dd output - dd($request->header());
I have tried different headers; they worked, not all, but some of them, except the Authorization header.
Here is an example
Request headers
CSP: active
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
From: asdasdsadsa
Authorization: token=20sadsa
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4,uk;q=0.2
Cookie: PHPSESSID=sdotvgu9bvm63b947h5d98nk72; language=ru; currency=UAH
And what I get from dd
array:9 [
"host" => array:1 [
0 => "myhost ip"
]
"connection" => array:1 [
0 => "keep-alive"
]
"csp" => array:1 [
0 => "active"
]
"user-agent" => array:1 [
0 => "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36"
]
"from" => array:1 [
0 => "asdasdsadsa"
]
"accept" => array:1 [
0 => "*/*"
]
"accept-encoding" => array:1 [
0 => "gzip, deflate, sdch"
]
"accept-language" => array:1 [
0 => "ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4,uk;q=0.2"
]
"cookie" => array:1 [
0 => "PHPSESSID=myphpsession; language=ru; currency=UAH"
]
]
As you can see, the From header works, but the Authorization header is not present in the dump.
To me it seems that Laravel is consuming and removing the Authorization header before my middleware, even though I have commented out the default middlewares for every request.
Please help me solve this problem. Or maybe there is another, better approach to authentication in a REST API? I would be grateful for any suggestion or criticism.
Thanks.
Upvotes: 1
Views: 1582
Reputation: 4167
I was looking for the same answer and I found this link very useful, with detailed information and usage for L5 with the use of JWT: LINK.
And the second solution is: JSON WEB TOKEN
Hope it helps you too.
Upvotes: 0
Reputation: 4617
The problem was not in Laravel, but in the Apache web server configuration file.
Adding this line to the .htaccess file in the public directory
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
solved the problem.
P.S.
If there are other, better ways to handle REST API authorization with Laravel, please leave a comment.
Upvotes: 1
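For readers who want to see the two halves of this thread together (the token-checking middleware the question sketches, and the Apache situation the accepted answer fixes), here is an added example of what the middleware could look like once the header reaches PHP. It is not code from the question, the answers or the Laravel project. It assumes the client sends the token as "Authorization: Bearer <token>" (the question's "token=..." form would need a different regex), and it looks tokens up through a small callable so the class can be exercised without a database; the in-memory store with the token "demo-token-1" is constructed for illustration only. As a fallback it also reads HTTP_AUTHORIZATION and REDIRECT_HTTP_AUTHORIZATION from the server variables, which is where the answer's RewriteRule places the header when Apache does not pass it through as a normal request header.

```php
<?php
// Added example (not the asker's or Laravel's own code): a Laravel 5 route
// middleware that validates a bearer token carried in the Authorization header.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Http\JsonResponse;

class TokenAuthMiddleware
{
    /** @var callable Hypothetical lookup: sha256 hex of the token => record or null. */
    private $finder;

    public function __construct(callable $finder = null)
    {
        // Constructed in-memory store for illustration; a real app would query
        // a tokens table. Only token hashes are stored, so a leaked table does
        // not yield replayable credentials.
        $this->finder = $finder ?: function ($hash) {
            $store = [
                hash('sha256', 'demo-token-1') => [
                    'user_id'    => 42,
                    'expires_at' => time() + 3600, // one hour from now
                ],
            ];
            return isset($store[$hash]) ? $store[$hash] : null;
        };
    }

    /**
     * Reject the request with 401 unless a known, unexpired token is presented.
     */
    public function handle($request, Closure $next)
    {
        $token = $this->extractBearerToken($request);
        if ($token === null) {
            return $this->deny('missing or malformed Authorization header');
        }

        $record = call_user_func($this->finder, hash('sha256', $token));
        if ($record === null) {
            return $this->deny('unknown token');
        }
        if ($record['expires_at'] <= time()) {
            return $this->deny('token expired');
        }

        // Expose the authenticated user id to controllers without using the
        // session middleware that the question removed.
        $request->attributes->set('auth_user_id', $record['user_id']);

        return $next($request);
    }

    /**
     * Return the bearer token from "Authorization: Bearer <token>", or null.
     * Falls back to the CGI variables Apache sets when the header itself was
     * stripped and re-injected by the RewriteRule from the accepted answer.
     */
    public function extractBearerToken(Request $request)
    {
        $header = $request->header('Authorization');
        if ($header === null) {
            $header = $request->server(
                'HTTP_AUTHORIZATION',
                $request->server('REDIRECT_HTTP_AUTHORIZATION')
            );
        }
        // RFC 6750 b64token characters; anything else is treated as malformed.
        if (!is_string($header)
            || !preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/', $header, $m)) {
            return null;
        }
        return $m[1];
    }

    private function deny($reason)
    {
        $response = new JsonResponse(['error' => 'unauthorized', 'reason' => $reason], 401);
        // Tell clients which scheme the API expects.
        $response->headers->set('WWW-Authenticate', 'Bearer realm="api"');
        return $response;
    }
}
```

Register it under the 'auth.token' key already present in $routeMiddleware and attach it to the API routes with the usual 'middleware' => 'auth.token' route option. A quick check that the header is arriving is to call extractBearerToken() from a throwaway route before wiring up the full check: if it returns null for a request that carried the header, the server in front of PHP is still dropping it, which is exactly the condition the accepted answer's RewriteRule addresses.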