[ EncryptCookies::class, AddQueuedCookiesToResponse::class, StartSession::class, AuthenticateSession::class, ShareErrorsFromSession::class, VerifyCsrfToken::class, SubstituteBindings::class, LanguageMiddleware::class, RequireTwoFactorAuthentication::class, ], 'api' => [ IsValidJson::class, EnsureFrontendRequestsAreStateful::class, 'auth:sanctum', SubstituteApplicationApiBindings::class, PreventUnboundModels::class, AuthenticateApplicationUser::class, RequireTwoFactorAuthentication::class, ], 'client-api' => [ IsValidJson::class, EnsureFrontendRequestsAreStateful::class, 'auth:sanctum', SubstituteClientApiBindings::class, PreventUnboundModels::class, // This is perhaps a little backwards with the Client API, but logically you'd be unable // to create/get an API key without first enabling 2FA on the account, so I suppose in the // end it makes sense. // // You just wouldn't be authenticating with the API by providing a 2FA token. RequireTwoFactorAuthentication::class, ], 'daemon' => [ SubstituteBindings::class, DaemonAuthenticate::class, ], ]; /** * The application's route middleware. * * @var array */ protected $routeMiddleware = [ 'auth' => Authenticate::class, 'auth.basic' => AuthenticateWithBasicAuth::class, 'guest' => RedirectIfAuthenticated::class, 'admin' => AdminAuthenticate::class, 'csrf' => VerifyCsrfToken::class, 'throttle' => ThrottleRequests::class, 'can' => Authorize::class, 'bindings' => SubstituteBindings::class, 'recaptcha' => VerifyReCaptcha::class, 'node.maintenance' => MaintenanceMiddleware::class, ]; }