Laravel framework, ~20 mins

API authentication with Sanctum in Laravel - Practice Problems & Coding Challenges

Challenge - 5 Problems

Problem 1: component_behavior, intermediate
What is the output of this Sanctum token creation code?
Consider this Laravel controller method, which uses Sanctum to create a token for a user. Assuming the credentials are valid, what JSON response will it return?
Laravel (PHP):
public function login(Request $request) {
    $user = User::where('email', $request->email)->first();
    if (! $user || ! Hash::check($request->password, $user->password)) {
        return response()->json(['message' => 'Invalid credentials'], 401);
    }
    $token = $user->createToken('api-token')->plainTextToken;
    return response()->json(['token' => $token]);
}
A. 500 Internal Server Error
B. {"token": null}
C. {"message": "Invalid credentials"}
D. {"token": "<a long string token>"}
Hint: The createToken method returns a token object with a plainTextToken property.
Problem 2: lifecycle, intermediate
Which middleware is required to protect Sanctum API routes?
You want to protect your API routes so only authenticated users with valid Sanctum tokens can access them. Which middleware should you apply to these routes?
A. auth:sanctum
B. auth:api
C. guest
D. web
Hint: Sanctum uses a specific guard for API token authentication.
Problem 3: Debug, advanced
Why does this Sanctum token authentication fail with 401 Unauthorized?
This API route uses 'auth:sanctum' middleware but always returns 401 Unauthorized even with a valid token sent in the Authorization header. What is the most likely cause?
Laravel (PHP):
Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

// Client sends header: Authorization: Bearer <valid_token>
A. The Authorization header is misspelled or missing the 'Bearer' prefix.
B. The token was created with 'createToken' but not saved to the database.
C. The user model does not use the 'HasApiTokens' trait.
D. The 'EnsureFrontendRequestsAreStateful' middleware is missing from the middleware group.
Hint: Check whether the user model supports Sanctum tokens.
Problem 4: Syntax, advanced
Which code snippet correctly revokes all Sanctum tokens for the authenticated user?
You want to log out a user by deleting all their API tokens. Which code snippet correctly does this?
A. $request->user()->tokens()->delete();
B. $request->user()->token()->delete();
C. Auth::user()->revokeTokens();
D. $request->user()->deleteTokens();
Hint: The tokens() method returns a relationship to all of the user's tokens.
Problem 5: Conceptual, expert
What is the main difference between Sanctum's SPA authentication and API token authentication?
Sanctum supports two main authentication methods: SPA authentication, which relies on cookies, and API token authentication, which relies on tokens. What is the key difference in how the two authenticate users?
A. SPA authentication requires OAuth2, while API token authentication uses simple API keys.
B. SPA authentication uses session cookies and CSRF protection, while API token authentication uses bearer tokens in headers without sessions.
C. SPA authentication only works with mobile apps, API token authentication only with web browsers.
D. SPA authentication stores tokens in localStorage, API token authentication stores tokens in cookies.
Hint: Think about how browsers handle cookies and headers differently.