[Improvements] Prevent session creation when the request is coming from Token based Auth

src/Illuminate/Session/Middleware.php

@@ -59,10 +59,16 @@ public function handle(Request $request, $type = HttpKernelInterface::MAIN_REQUE
     {
 		$this->checkRequestForArraySessions($request);
 
-		// If a session driver has been configured, we will need to start the session here
+        // Check if this request is coming from web based auth
+        $isFromWebBasedAuth = $this->isRequestFromWebBasedAuth($request);
+
+        // If a session driver has been configured, we will need to start the session here
 		// so that the data is ready for an application. Note that the Laravel sessions
 		// do not make use of PHP "native" sessions in any way since they are crappy.
-		if ($this->sessionConfigured())
+
+        // this api has been modified to prevent request from API starting the
+        // session, and saving the session as we don't need user session here
+		if ($isFromWebBasedAuth && $this->sessionConfigured())
 		{
 			$session = $this->startSession($request);
 
@@ -74,7 +80,10 @@ public function handle(Request $request, $type = HttpKernelInterface::MAIN_REQUE
 		// Again, if the session has been configured we will need to close out the session
 		// so that the attributes may be persisted to some storage medium. We will also
 		// add the session identifier cookie to the application response headers now.
-		if ($this->sessionConfigured())
+
+        // this api has been modified to prevent request from API starting the
+        // session, and saving the session as we don't need user at backend side here
+		if ($isFromWebBasedAuth && $this->sessionConfigured())
 		{
             $this->storeCurrentUrl($request, $session);
 			$this->closeSession($session);
@@ -85,6 +94,17 @@ public function handle(Request $request, $type = HttpKernelInterface::MAIN_REQUE
 		return $response;
 	}
 
+    private function isRequestFromWebBasedAuth(Request $request): bool
+    {
+        $currentPath = $request->getRequestUri();
+        $authorizationHeader = $request->headers->get('Authorization');
+        $isFromTokenBasedAuthentication =
+            (!empty($authorizationHeader) && preg_match("/(Basic|Bearer) .+/", $authorizationHeader)) ||
+            starts_with($currentPath, '/api/v1/oauth/');
+
+        return !$isFromTokenBasedAuthentication;
+    }
+
 	/**
 	 * Check the request and reject callback for array sessions.
 	 *

tests/Session/SessionMiddlewareTest.php

@@ -69,6 +69,66 @@ public function testSessionIsNotUsedWhenNoDriver()
 		$this->assertSame($response, $middleResponse);
 	}
 
+    public function testSessionIsNotUsedWhenRequestHasValidAuthorizationHeader(): void
+    {
+        $request = Symfony\Component\HttpFoundation\Request::create('http://www.foo.com/api/some-api', 'GET', server: [
+            'HTTP_AUTHORIZATION' => 'Bearer 1234567890',
+        ]);
+        $response = new Symfony\Component\HttpFoundation\Response;
+
+        $middle = new Illuminate\Session\Middleware(
+            $app = m::mock(HttpKernelInterface::class),
+            $manager = m::mock(SessionManager::class)
+        );
+
+        $manager->shouldNotReceive('getSessionConfig');
+
+        $manager->shouldReceive('driver')->andReturn($driver = m::mock(Store::class)->makePartial());
+        $driver->shouldNotReceive('setRequestOnHandler');
+        $driver->shouldNotReceive('start');
+        $app->shouldReceive('handle')->once()->with($request, Symfony\Component\HttpKernel\HttpKernelInterface::MAIN_REQUEST, true)->andReturn($response);
+        $driver->shouldNotReceive('save');
+        $driver->shouldNotReceive('getHandler');
+        $driver->shouldNotReceive('getName')->andReturn('name');
+        $driver->shouldNotReceive('getId')->andReturn(1);
+        $driver->shouldNotReceive('setPreviousUrl');
+
+        $middleResponse = $middle->handle($request);
+
+        self::assertSame($response, $middleResponse);
+        self::assertCount(0, $response->headers->getCookies());
+    }
+
+
+
+    public function testSessionIsNotUsedWhenRequestFromOauthApi(): void
+    {
+        $request = Symfony\Component\HttpFoundation\Request::create('http://www.foo.com/api/v1/oauth/token', 'POST');
+        $response = new Symfony\Component\HttpFoundation\Response;
+
+        $middle = new Illuminate\Session\Middleware(
+            $app = m::mock(HttpKernelInterface::class),
+            $manager = m::mock(SessionManager::class)
+        );
+
+        $manager->shouldNotReceive('getSessionConfig');
+
+        $manager->shouldReceive('driver')->andReturn($driver = m::mock(Store::class)->makePartial());
+        $driver->shouldNotReceive('setRequestOnHandler');
+        $driver->shouldNotReceive('start');
+        $app->shouldReceive('handle')->once()->with($request, Symfony\Component\HttpKernel\HttpKernelInterface::MAIN_REQUEST, true)->andReturn($response);
+        $driver->shouldNotReceive('save');
+        $driver->shouldNotReceive('getHandler');
+        $driver->shouldNotReceive('getName')->andReturn('name');
+        $driver->shouldNotReceive('getId')->andReturn(1);
+        $driver->shouldNotReceive('setPreviousUrl');
+
+        $middleResponse = $middle->handle($request);
+
+        self::assertSame($response, $middleResponse);
+        self::assertCount(0, $response->headers->getCookies());
+    }
+
 
 	public function testCheckingForRequestUsingArraySessions()
 	{