check()) { $user = Auth::guard('web')->user(); Auth::setUser($user); if ($response = $this->denyUnavailableAccount($user)) { return $response; } return $next($request); } try { $sanctumUser = Auth::guard('sanctum')->user(); } catch (\InvalidArgumentException) { $sanctumUser = null; } if ($sanctumUser) { Auth::setUser($sanctumUser); if ($response = $this->denyUnavailableAccount($sanctumUser)) { return $response; } return $next($request); } $token = $request->bearerToken(); if ($token !== null && $token !== '') { try { $jwtUser = JWTAuth::setToken($token)->authenticate(); if ($jwtUser) { Auth::setUser($jwtUser); if ($response = $this->denyUnavailableAccount($jwtUser)) { return $response; } return $next($request); } } catch (JWTException $e) { // fall through } } return response()->json(['message' => 'Unauthorized.'], 401); } private function denyUnavailableAccount(object $user): ?Response { $status = strtolower(trim((string) ($user->status ?? ''))); $isVerified = filter_var($user->is_verified ?? false, FILTER_VALIDATE_BOOLEAN); $isSuspended = filter_var($user->is_suspended ?? false, FILTER_VALIDATE_BOOLEAN); if (! $isVerified || $status !== 'active' || $isSuspended) { return response()->json(['message' => 'Account unavailable.'], 403); } return null; } }