Laravelのミドルウェアの実行順とAuthファサードについて

前提

Laravelの自作ミドルウェアで認証済みのユーザーIDをログとして出力したいと考えています。
ミドルウェアの追加した場所によってユーザーIDが取得できたりできなかったりするので、詳細を教えていただきたいです。

自作したミドルウェア

php:app/Http/AccessLogger.php
1<?php
2
3namespace App\Http\Middleware;
4
5use Closure;
6use Illuminate\Http\Request;
7use Illuminate\Support\Facades\Auth;
8use Illuminate\Support\Facades\Log;
9
10
11class AccessLogger
12{
13    /**
14     * Handle an incoming request.
15     *
16     * @param  \Illuminate\Http\Request  $request
17     * @param  \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse)  $next
18     * @return \Illuminate\Http\Response|\Illuminate\Http\RedirectResponse
19     */
20    public function handle(Request $request, Closure $next)
21    {
22        Log::info('userId:' . Auth::id());
23 
24        return $next($request);
25    }
26}

ミドルウェアの登録（idが取得できないパターン）

php:app/Http/Kernel.php
1<?php
2
3namespace App\Http;
4
5use Illuminate\Foundation\Http\Kernel as HttpKernel;
6
7class Kernel extends HttpKernel
8{
9    /**
10     * The application's global HTTP middleware stack.
11     *
12     * These middleware are run during every request to your application.
13     *
14     * @var array<int, class-string|string>
15     */
16    protected $middleware = [
17        // \App\Http\Middleware\TrustHosts::class,
18        \App\Http\Middleware\TrustProxies::class,
19        \Illuminate\Http\Middleware\HandleCors::class,
20        \App\Http\Middleware\PreventRequestsDuringMaintenance::class,
21        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
22        \App\Http\Middleware\TrimStrings::class,
23        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
24    ];
25
26    /**
27     * The application's route middleware groups.
28     *
29     * @var array<string, array<int, class-string|string>>
30     */
31    protected $middlewareGroups = [
32        'web' => [
33            \App\Http\Middleware\EncryptCookies::class,
34            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
35            \Illuminate\Session\Middleware\StartSession::class,
36            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
37            \App\Http\Middleware\VerifyCsrfToken::class,
38            \App\Http\Middleware\AccessLogger::class,   // 追加
39            \Illuminate\Routing\Middleware\SubstituteBindings::class,
40        ],
41
42        'api' => [
43            // \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
44            'throttle:api',
45            \Illuminate\Routing\Middleware\SubstituteBindings::class,
46        ],
47    ];
48
49    /**
50     * The application's route middleware.
51     *
52     * These middleware may be assigned to groups or used individually.
53     *
54     * @var array<string, class-string|string>
55     */
56    protected $routeMiddleware = [
57        'auth' => \App\Http\Middleware\Authenticate::class,
58        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
59        'auth.session' => \Illuminate\Session\Middleware\AuthenticateSession::class,
60        'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
61        'can' => \Illuminate\Auth\Middleware\Authorize::class,
62        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
63        'password.confirm' => \Illuminate\Auth\Middleware\RequirePassword::class,
64        'signed' => \App\Http\Middleware\ValidateSignature::class,
65        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
66        'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
67    ];
68}

ログ出力結果

[2022-11-11 02:45:38] local.INFO: userId:

ミドルウェアの登録（idが取得できるパターン）

php:app/Http/Kernel.php
1<?php
2
3namespace App\Http;
4
5use Illuminate\Foundation\Http\Kernel as HttpKernel;
6
7class Kernel extends HttpKernel
8{
9    /**
10     * The application's global HTTP middleware stack.
11     *
12     * These middleware are run during every request to your application.
13     *
14     * @var array<int, class-string|string>
15     */
16    protected $middleware = [
17        // \App\Http\Middleware\TrustHosts::class,
18        \App\Http\Middleware\TrustProxies::class,
19        \Illuminate\Http\Middleware\HandleCors::class,
20        \App\Http\Middleware\PreventRequestsDuringMaintenance::class,
21        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
22        \App\Http\Middleware\TrimStrings::class,
23        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
24    ];
25
26    /**
27     * The application's route middleware groups.
28     *
29     * @var array<string, array<int, class-string|string>>
30     */
31    protected $middlewareGroups = [
32        'web' => [
33            \App\Http\Middleware\EncryptCookies::class,
34            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
35            \Illuminate\Session\Middleware\StartSession::class,
36            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
37            \App\Http\Middleware\VerifyCsrfToken::class,
38            \Illuminate\Routing\Middleware\SubstituteBindings::class,
39            \App\Http\Middleware\AccessLogger::class,   // 追加
40        ],
41
42        'api' => [
43            // \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
44            'throttle:api',
45            \Illuminate\Routing\Middleware\SubstituteBindings::class,
46        ],
47    ];
48
49    /**
50     * The application's route middleware.
51     *
52     * These middleware may be assigned to groups or used individually.
53     *
54     * @var array<string, class-string|string>
55     */
56    protected $routeMiddleware = [
57        'auth' => \App\Http\Middleware\Authenticate::class,
58        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
59        'auth.session' => \Illuminate\Session\Middleware\AuthenticateSession::class,
60        'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
61        'can' => \Illuminate\Auth\Middleware\Authorize::class,
62        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
63        'password.confirm' => \Illuminate\Auth\Middleware\RequirePassword::class,
64        'signed' => \App\Http\Middleware\ValidateSignature::class,
65        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
66        'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
67    ];
68}

ログ出力結果

[2022-11-11 02:46:12] local.INFO: userId:1

AccessLoggerをSubstituteBindingsより前に登録するとユーザーIDが取得できず、後に登録するとユーザーIDが取得できます。
何度か試しましたが結果は同じでした。

お聞きしたいこと

お聞きしたいのは2点です。

$middlewarePriorityを設定しない場合、$middlewareGroups内の実行順は記述した順なのか
SubstituteBindingsでAuthにユーザー情報が設定されるのか

どうぞよろしくお願いします。

補足情報（FW/ツールのバージョンなど）

Laravel Sailを利用しており、Laravelのバージョンはv9.36.4です。

行動規範の内容に同意します

回答1件

試したけど結果が変わるのはStartSessionの前か後かの場合。

一番確実なのはリクエスト処理の後に実行。これならどこに書いても同じ。

php
1    public function handle(Request $request, Closure $next)
2    {
3        $response = $next($request);
4        
5        Log::info('userId:' . Auth::id());
6
7        return $response;
8    }

投稿2022/11/11 04:45

退会済みユーザー

総合スコア0

irithyll

2022/11/11 05:44

ご協力ありがとうございます。私も最初StartSessionが怪しいと思い、その前後でAccessLoggerの挙動を確認したのですが、どちらもユーザーIDが取得できませんでした。私の環境とは違う結果ですね。となると、$middlewarePriorityを設定しない場合、ミドルウェアの実行順は不定ということになるでしょうか。すみません、ユーザーIDはコントローラーの処理の前に出力したいのです。

行動規範の内容に同意します