Allow multiple middleware scopes in Laravel 8 routing

  laravel, laravel-middleware, laravel-routing

I’m trying to hit a route that needs to support multiple scopes for auth. It currently requires a scope called manage-clicks-creatives, but I would like to also allow manage-all-clicks-creatives. The Laravel docs seem to indicate that this is possible:

The scope middleware may be assigned to a route to verify that the incoming request’s access token has at least one of the listed scopes:

Route::get('/orders', function () {
    // Access token has either "check-status" or "place-orders" scope...
})->middleware('scope:check-status,place-orders');

From https://laravel.com/docs/5.8/passport#token-scopes

Here are the relevant bits from api.php:

<?php
/**
 * @var \Laravel\Lumen\Routing\Router
 */
$router->group(['prefix' => 'api', 'middleware' => 'auth:api'], function () use ($router) {
    $router->group(['namespace' => 'Creatives'], function () use ($router) {
        $router->group(['middleware' => 'scope:manage-clicks-creatives,'], function () use ($router) {
            $router->post('creatives', '[email protected]');
        });
    });
});

But when my test runs, with a user who has the manage-all-clicks-creatives scope, the request fails:

[2021-09-14 19:10:08] testing.ERROR: You do not have permission to do that. {"exception":"[object] (IlluminateValidationUnauthorizedException(code: 0): You do not have permission to do that. at /lumen-api/src/Http/Middleware/AuthorizeScope.php:23)
[stacktrace]

I’ve tried comma-delimited scopes:

$router->group(['middleware' => 'scope:manage-clicks-creatives,manage-all-clicks-creatives'], function () use ($router) {

And pipe-delimited:

$router->group(['middleware' => 'scope:manage-clicks-creatives|manage-all-clicks-creatives'], function () use ($router) {

and scopes with arrays:

$router->group(['middleware' => ['scope:manage-clicks-creatives', 'scope:manage-all-clicks-creatives']], function () use ($router) {

But none of them seem to work.
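
As an added example (not code from the original post, and not the project's AuthorizeScope middleware, which the page does not show): Laravel splits the text after `scope:` on commas and passes each piece as an extra argument to the middleware's `handle()`, so an any-of check has to accept a variadic parameter. `parseMiddleware`, `AnyScope`, `allowed` and the plain array standing in for the request's token scopes are hypothetical names chosen for this sketch.

```php
<?php
// Added example: hypothetical any-of scope check, runnable with plain PHP 7.4+.

// Splits "name:p1,p2" the way Laravel's pipeline does: name first, then comma-separated parameters.
function parseMiddleware(string $definition): array
{
    [$name, $params] = array_pad(explode(':', $definition, 2), 2, '');
    return [$name, $params === '' ? [] : explode(',', $params)];
}

final class AnyScope
{
    // Variadic ...$scopes receives every comma-separated parameter;
    // a signature with a single $scope argument would see only the first one.
    public function handle(array $tokenScopes, Closure $next, string ...$scopes)
    {
        // Drop empty entries such as the one a trailing comma produces.
        $required = array_values(array_filter(array_map('trim', $scopes), 'strlen'));

        // Fail closed: an empty scope list authorizes nobody.
        if ($required === [] || array_intersect($required, $tokenScopes) === []) {
            throw new RuntimeException('You do not have permission to do that.');
        }
        return $next($tokenScopes);
    }
}

// Runs one middleware definition against a token's scopes and reports the decision.
function allowed(string $definition, array $tokenScopes): bool
{
    [, $params] = parseMiddleware($definition);
    try {
        return (new AnyScope())->handle($tokenScopes, fn () => true, ...$params);
    } catch (RuntimeException $e) {
        return false;
    }
}

// Constructed token: holds only the broader scope, as in the failing test.
$token = ['manage-all-clicks-creatives'];

// Comma-delimited: two parameters reach handle().
var_dump(allowed('scope:manage-clicks-creatives,manage-all-clicks-creatives', $token));
// Pipe-delimited: one parameter containing "|", which matches no real scope.
var_dump(allowed('scope:manage-clicks-creatives|manage-all-clicks-creatives', $token));
// Trailing comma: the second parameter is an empty string and is ignored.
var_dump(allowed('scope:manage-clicks-creatives,', $token));
```

Listing the middleware twice in an array, as in the last attempt above, runs two separate checks, so a token would have to satisfy both rather than either one.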
