From 94da4e9f6a9b6e7ef4f83deed3f15831bfa28250 Mon Sep 17 00:00:00 2001 From: kusowl Date: Mon, 23 Feb 2026 18:45:56 +0530 Subject: [PATCH] feature: login via sanctum --- backend/.env.example | 1 + .../Contracts/OutputDataTransferObject.php | 3 ++ backend/app/Data/RegisterDTO.php | 12 ++--- backend/app/Data/UserDTO.php | 30 ++++++++++++ .../AuthenticatedUserController.php | 48 +++++++++++++++++++ backend/config/cors.php | 6 +-- backend/routes/api.php | 11 +++-- backend/routes/web.php | 4 ++ 8 files changed, 101 insertions(+), 14 deletions(-) create mode 100644 backend/app/Data/UserDTO.php create mode 100644 backend/app/Http/Controllers/AuthenticatedUserController.php diff --git a/backend/.env.example b/backend/.env.example index f87941a..42976e2 100644 --- a/backend/.env.example +++ b/backend/.env.example @@ -63,3 +63,4 @@ AWS_BUCKET= AWS_USE_PATH_STYLE_ENDPOINT=false VITE_APP_NAME="${APP_NAME}" +FRONTEND_URL=http://localhost:4200 diff --git a/backend/app/Contracts/OutputDataTransferObject.php b/backend/app/Contracts/OutputDataTransferObject.php index af89906..4bb7c28 100644 --- a/backend/app/Contracts/OutputDataTransferObject.php +++ b/backend/app/Contracts/OutputDataTransferObject.php @@ -4,5 +4,8 @@ interface OutputDataTransferObject { + /** + * @return array + */ public function toArray(): array; } diff --git a/backend/app/Data/RegisterDTO.php b/backend/app/Data/RegisterDTO.php index c1c4678..c2e4e5c 100644 --- a/backend/app/Data/RegisterDTO.php +++ b/backend/app/Data/RegisterDTO.php 
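Review bot: The new docblock on `toArray()` in OutputDataTransferObject only repeats the native return type (`@return array`), which gives static analysis and implementers nothing beyond the signature. Declare the shape the contract promises, e.g. `@return array<string, mixed>`, so implementations such as `UserDTO::toArray()` can narrow it to the exact key set they emit; a docblock that merely restates a native type is otherwise better left out.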
@@ -5,14 +5,14 @@ use App\Contracts\InputDataTransferObject; use Illuminate\Foundation\Http\FormRequest; -final class RegisterDTO implements InputDataTransferObject +final readonly class RegisterDTO implements InputDataTransferObject { public function __construct( - public readonly string $name, - public readonly string $email, - public readonly string $mobileNumber, - public readonly string $password, - public readonly string $city, + public string $name, + public string $email, + public string $mobileNumber, + public string $password, + public string $city, ) {} public static function fromRequest(FormRequest $request): InputDataTransferObject diff --git a/backend/app/Data/UserDTO.php b/backend/app/Data/UserDTO.php new file mode 100644 index 0000000..4bcbeae --- /dev/null +++ b/backend/app/Data/UserDTO.php @@ -0,0 +1,30 @@ + + */ + public function toArray(): array + { + return [ + 'id' => $this->id, + 'name' => $this->name, + 'email' => $this->email, + 'mobileNumber' => $this->mobileNumber, + 'city' => $this->city, + ]; + } +} diff --git a/backend/app/Http/Controllers/AuthenticatedUserController.php b/backend/app/Http/Controllers/AuthenticatedUserController.php new file mode 100644 index 0000000..4cfb925 --- /dev/null +++ b/backend/app/Http/Controllers/AuthenticatedUserController.php 
@@ -0,0 +1,48 @@ +validate([ + 'email' => 'required|email', + 'password' => 'required|string', + ]); + if (Auth::attempt($data)) { + $request->session()->regenerate(); + + return response()->json(['message' => 'Successfully logged in']); + } + + return response()->json(['message' => 'Invalid credentials'], 401); + } + + public function destroy(Request $request) + { + Auth::logout(); + $request->session()->invalidate(); + $request->session()->regenerateToken(); + + return response()->json(['message' => 'Successfully logged out']); + } + + public function show() + { + $user = Auth::user(); + $userDto = new UserDTO( + id: $user->id, + name: $user->name, + email: $user->email, + mobileNumber: $user->mobile_number, + city: $user->city + ); + + return response()->json($userDto->toArray()); + } +} diff --git a/backend/config/cors.php b/backend/config/cors.php index 8a39e6d..55f86d9 100644 --- a/backend/config/cors.php +++ b/backend/config/cors.php @@ -15,11 +15,11 @@ | */ - 'paths' => ['api/*', 'sanctum/csrf-cookie'], + 'paths' => ['api/*', 'sanctum/csrf-cookie', 'login'], 'allowed_methods' => ['*'], - 'allowed_origins' => ['*'], + 'allowed_origins' => [env('FRONTEND_URL', 'http://localhost:4200')], 'allowed_origins_patterns' => [], @@ -29,6 +29,6 @@ 'max_age' => 0, - 'supports_credentials' => false, + 'supports_credentials' => true, ]; diff --git a/backend/routes/api.php b/backend/routes/api.php index 4f4b61c..626d647 100644 --- a/backend/routes/api.php +++ b/backend/routes/api.php @@ -1,13 +1,14 @@ user(); -})->middleware('auth:sanctum'); - Route::middleware('guest')->group(function () { Route::post('/register', RegisteredUserController::class); }); + +Route::middleware('auth:sanctum')->group(function () { + Route::get('/user', [AuthenticatedUserController::class, 'show']); + Route::post('/logout', [AuthenticatedUserController::class, 'destroy']); +}); diff --git a/backend/routes/web.php b/backend/routes/web.php index 86a06c5..346b944 100644 --- a/backend/routes/web.php 
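Review bot: The credential check at `if (Auth::attempt($data))` in the login action (whose signature is lost in this rendering of the hunk) has no rate limiting of its own, so the number of password guesses per account is bounded only by whatever middleware the `login` route receives in routes/web.php, which is cut off at the end of the patch. If that route does not carry `throttle`, consider keying Laravel's `RateLimiter` on the submitted email plus client IP before calling `Auth::attempt`, and answering with 429 once the limit is hit. Separately, `destroy` and `show` declare no return type; `public function destroy(Request $request): JsonResponse` and `public function show(): JsonResponse` (with the `Illuminate\Http\JsonResponse` import) would match the `response()->json(...)` values they return.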
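Review bot: The fallback in `'allowed_origins' => [env('FRONTEND_URL', 'http://localhost:4200')]` means a deployment that omits `FRONTEND_URL` silently allows a localhost origin while `supports_credentials` becomes true in the following hunk, rather than failing closed. Prefer `'allowed_origins' => array_filter([env('FRONTEND_URL')]),` so an unset value yields an empty allow-list, and note in `.env.example` that the value must be the exact scheme://host[:port] of the SPA. For the cookie-based login to be treated as stateful, the same origin presumably also has to be listed in `SANCTUM_STATEFUL_DOMAINS`, which this patch does not touch.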
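Review bot: `Route::post('/logout', [AuthenticatedUserController::class, 'destroy'])` is registered in the `api` route group, where no session middleware runs unless Sanctum's `EnsureFrontendRequestsAreStateful` recognises the request as coming from a stateful domain; a bearer-token client reaching `destroy` would then likely hit `$request->session()->invalidate()` with no session store and get a 500 instead of a clean logout. Either register `/logout` next to `login` in routes/web.php, where the session always exists, or guard the session calls in `destroy` with `if ($request->hasSession())`. The removed `/user` closure at the top of the hunk is garbled in this rendering, so the old middleware could not be compared with the new group.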
+++ b/backend/routes/web.php
@@ -1,7 +1,11 @@