[Sancutm]AuthenticateSession middleware skip validation for non-default guards？

[gavinliu6]

Assume that there are multiple guards configured in config('sanctum.guard') (e.g. ['web', 'admin']).

I've run into what looks like inconsistent behaviour and would like to confirm whether it’s intentional or a bug.

Expected behaviour

For any request that has a session and an authenticated user (from any of the configured guards), the middleware should:

Validate the session by comparing the stored password hash with the current user’s password.
Invalidate the session (and log the user out) when the hashes don’t match (e.g. after a password change).

What I’m seeing

At the start of handle(), the middleware does:

namespace Laravel\Sanctum\Http\Middleware;

class AuthenticateSession
{
    /**
     * Handle an incoming request.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     *
     * @throws \Illuminate\Auth\AuthenticationException
     */
    public function handle(Request $request, Closure $next): Response
    {
        if (! $request->hasSession() || ! $request->user()) {
            return $next($request);
        }

        // ...
    }
}

$request->user() with no arguments uses the default auth guard. So when the user is logged in via a non-default guard (e.g. admin while the default is web), $request->user() can be null. In that case the condition is true and the middleware returns $next($request) immediately. As a result:

No password-hash validation runs for that user.
The “invalidate session when password changes” behaviour never applies to users authenticated via non-default guards.
So with multiple guards in sanctum.guard, only the default guard’s authenticated user gets this protection; others effectively bypass the middleware logic.

Question

Is this the intended design (e.g. “AuthenticateSession only applies to the default guard”), or is it a bug? If it’s intentional, why?

[benjdiasaad]

This looks more like a bug / limitation than intentional multi-guard support to me.

From the code path you quoted, the early return depends on:

if (! $request->hasSession() || ! $request->user()) {
    return $next($request);
}