Sanctum default has all abilities #55185
Unanswered
ChrisSantiago82 asked this question in General
Replies: 1 comment, 6 replies
Reply:
Aren't gates the tool for permissions? https://laravel.com/docs/12.x/authorization#gates Or policies: https://laravel.com/docs/12.x/authorization#creating-policies
Original post (ChrisSantiago82):
I got to play around with Sanctum on a new project, and I love it. But I have run into the following issue.
First, the idea was to use Sanctum for a mobile app. I was generating the tokens on the user model, without any special abilities, because in our project the mobile user can access all of their APIs:
$token = $request->user()->createToken($request->token_name);
Then we ran into the situation that other APIs from our app can be consumed by other programs. Our thought was to use Sanctum again, but this time it wouldn't be based on the user model, and we wanted to use the abilities to define what exactly they can do.
The first issue is, if you don't define the abilities, they get the ['*'] ability. That means the mobile tokens can now also do everything on the other APIs. So we ended up creating a mobile ability and adding it to all the old tokens.
I know those are all my errors and I'm sure it won't happen to me again, but isn't it a bit risky that if you don't define the abilities they get all the abilities? I wonder if the default shouldn't be the other way around.
What are your thoughts?
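The behaviour the post describes follows from Sanctum's own signature, `createToken(string $name, array $abilities = ['*'], ?DateTimeInterface $expiresAt = null)`, together with `PersonalAccessToken::can()`, which returns true for every ability when `'*'` is in the list. The following is an added example, not code from the discussion or from the Sanctum project: a small issuing helper that turns the wildcard into an explicit opt-in, the route middleware that enforces the abilities (Sanctum's `abilities:` alias requires all listed abilities, `ability:` requires any one), and an audit query for tokens that were already issued with the wildcard. The class `TokenIssuer`, the ability names `mobile`, `partner-orders` and `partner-reports`, and the route paths are assumptions for illustration; the middleware aliases are the ones Sanctum documents for Laravel 11/12 and must be registered in `bootstrap/app.php`.

```php
<?php
// Added example (not from the thread or from Sanctum). Assumes Laravel 12 with
// Sanctum installed and the `abilities` / `ability` middleware aliases registered.
// TokenIssuer, the ability names and the routes below are hypothetical.

namespace App\Services;

use App\Models\User;
use InvalidArgumentException;
use Laravel\Sanctum\NewAccessToken;

final class TokenIssuer
{
    /** Closed list of abilities this application recognises (hypothetical names). */
    public const ABILITIES = ['mobile', 'partner-orders', 'partner-reports'];

    /**
     * Issue a token with an explicit ability list.
     *
     * createToken() defaults $abilities to ['*'], and PersonalAccessToken::can()
     * treats '*' as matching every ability. Routing all issuance through this
     * method means the wildcard can only appear when a caller asks for it.
     */
    public static function issue(User $user, string $name, array $abilities, bool $allowWildcard = false): NewAccessToken
    {
        if ($abilities === []) {
            // An empty list is NOT "no abilities" once it reaches Sanctum's default,
            // so refuse it rather than silently issuing a wildcard token.
            throw new InvalidArgumentException('Refusing to issue a token with no abilities.');
        }

        if (in_array('*', $abilities, true) && !$allowWildcard) {
            throw new InvalidArgumentException('Wildcard ability requires $allowWildcard = true.');
        }

        $unknown = array_diff($abilities, self::ABILITIES, ['*']);
        if ($unknown !== []) {
            throw new InvalidArgumentException('Unknown abilities: ' . implode(', ', $unknown));
        }

        return $user->createToken($name, array_values(array_unique($abilities)));
    }
}

// --- routes/api.php (hypothetical routes) -------------------------------------
// 'abilities:a,b' passes only if the token has every listed ability;
// 'ability:a,b' passes if it has at least one. A token issued with ['*']
// passes both, which is the trap the post describes.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware(['auth:sanctum', 'abilities:mobile'])->get('/mobile/profile', function (Request $request) {
    return $request->user();
});

Route::middleware(['auth:sanctum', 'abilities:partner-orders'])->get('/partner/orders', function (Request $request) {
    // Per-action check inside a handler works the same way; '*' also satisfies it.
    abort_unless($request->user()->tokenCan('partner-orders'), 403);
    return ['orders' => []];
});

// --- One-off audit (e.g. php artisan tinker) -----------------------------------
// Lists tokens that were issued with the wildcard so they can be re-issued with
// explicit abilities. whereJsonContains() needs a JSON-capable database
// (MySQL, PostgreSQL, SQL Server, or a recent SQLite); assumption for this example.
use Laravel\Sanctum\PersonalAccessToken;

$wildcardTokens = PersonalAccessToken::query()
    ->whereJsonContains('abilities', '*')
    ->get(['id', 'tokenable_type', 'tokenable_id', 'name', 'created_at']);
```

Issuance then reads `TokenIssuer::issue($request->user(), $request->token_name, ['mobile'])` for the mobile app, and the partner integrations get only the `partner-*` abilities they need; a wildcard token can still be minted, but only by passing `$allowWildcard = true` where a reviewer will see it.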