How to authenticate user without auth:api middleware in Laravel 5.3?

You can pass the guard to your method to check if the user is logged in with a particular guard.

$request->user('api');

EDIT

I just want to extend my original answer.

Using $request->user() is exactly the same as using \Auth::user().

When you retrieve the authenticated user, Laravel will default the guard from your config file auth.defaults.guard (web in a fresh install).

So when you called $request->user() it was actually $request->user('web').

When you use auth:api, Laravel will then use the api guard as the default.

That's why it worked when using auth:api but didn't when using the default guard.

To solve your issue, you can either call $request->user('api') if you have an Illuminate\Http\Request instance or directly \Auth::guard('api')->user() using the Auth facade.


You are using auth:api, so I assume you are talking about JSON requests. The access token usually sits in the header of your request, so you can just check it like this:

public function timeline(Request $request) {
    if ( $request->has('access_token') || $request->header('access_token') ) {
        $user = Auth::guard('api')->user();
    }

    ...
}

I don't have the time to dig in the code, but you can look at the auth:api middleware. There you will find how the authentication process works. If you haven't found a thing let me know and I'll look into it tonight and improve my answer.

In the file Laravel\Passport\Http\Middleware\CheckClientCredentials you will find this:

<?php

namespace Laravel\Passport\Http\Middleware;

use Closure;
use League\OAuth2\Server\ResourceServer;
use Illuminate\Auth\AuthenticationException;
use League\OAuth2\Server\Exception\OAuthServerException;
use Symfony\Bridge\PsrHttpMessage\Factory\DiactorosFactory;

class CheckClientCredentials
{
    /**
     * The Resource Server instance.
     *
     * @var ResourceServer
     */
    private $server;

    /**
     * Create a new middleware instance.
     *
     * @param  ResourceServer  $server
     * @return void
     */
    public function __construct(ResourceServer $server)
    {
        $this->server = $server;
    }

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request $request
     * @param  \Closure $next
     * @return mixed
     *
     * @throws \Illuminate\Auth\AuthenticationException
     */
    public function handle($request, Closure $next, ...$scopes)
    {
        $psr = (new DiactorosFactory)->createRequest($request);

        try {
            $psr = $this->server->validateAuthenticatedRequest($psr);
        } catch (OAuthServerException $e) {
            throw new AuthenticationException;
        }

        foreach ($scopes as $scope) {
            if (!in_array($scope, $psr->getAttribute('oauth_scopes'))) {
                throw new AuthenticationException;
            }
        }

        return $next($request);
    }
} 

When you dig deeper you will see that the request gets validated here: League\OAuth2\Server\ResourceServer.php. My guess is that you will find your answer there.
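
The guard selection described in the answers above, as an added example that is not part of any answer and not code from Laravel or Passport: a middleware that resolves the user through the api guard without rejecting guests, but still refuses a bearer token that fails validation. The class name OptionalAuth, the alias auth.optional and TimelineController are hypothetical.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Contracts\Auth\Factory as AuthFactory;

/**
 * Hypothetical middleware (not shipped with Laravel or Passport): authenticate
 * against a guard when credentials are sent, but let guests through.
 */
class OptionalAuth
{
    /** @var AuthFactory */
    private $auth;

    public function __construct(AuthFactory $auth)
    {
        $this->auth = $auth;
    }

    /**
     * @throws AuthenticationException when a bearer token is sent but rejected
     */
    public function handle($request, Closure $next, $guard = 'api')
    {
        // Resolve the user through the named guard, not auth.defaults.guard.
        $user = $this->auth->guard($guard)->user();

        // A token that was sent but did not resolve to a user is a failed
        // login, not a guest: reject it instead of silently downgrading.
        if ($user === null && $request->bearerToken() !== null) {
            throw new AuthenticationException;
        }

        // Make this guard the default for the rest of the request, so
        // $request->user() and \Auth::user() return the same user (or null).
        $this->auth->shouldUse($guard);

        return $next($request);
    }
}

// Registration, in App\Http\Kernel::$routeMiddleware (alias is hypothetical):
//     'auth.optional' => \App\Http\Middleware\OptionalAuth::class,
// Route in routes/api.php (controller name is hypothetical):
//     Route::get('/timeline', 'TimelineController@timeline')->middleware('auth.optional:api');
```

Controllers behind this middleware must treat a null $request->user() as an unauthenticated caller and return only public data on that path.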