I have developed a front (react) and a back (php laravel) with the authentication system "sanctum". All is working fine on localhost. But I can't get it to work in production in heroku.
In local environment ,my .env is (extract) :
SESSION_DRIVER=cookie
SANCTUM_STATEFUL_DOMAINS=localhost:3000,127.0.0.1:3000,localhost:8000,127.0.0.1:8000
SESSION_DOMAIN=localhost
If I have understood well, the front and back must be on the same domains for the cookies. As my back and front are hosted in heroku (herokuapp.com), I have these .env :
But with this configuration, I always have a response 419 CSRF token mismatch.
Certainly my conf is not correct. But I tried a lot of things without success.
edit :
The back url is: https://school-back-v2.herokuapp.com/
The front url is: https://react-protected-routes.herokuapp.com/
Heroku is blacklisted by browsers to use cookie if you site placed on Heroku subdomain. You can use Heroku, but must to register your own domain and use it, so that resolve this problem.
Other variant - use tokens instead cookie.
Related
I use Laravel with a Vue SPA. The application runs very well sins a half year.
Now, we need a new instance for further tests. The new instance is on the same server as the dev. I like to continue to use dev and if it works, to deploy with deployer to the test instance. So, the new root is current/public
I deployed the application. The start page (login) works. But then, the csrf request returns a 404.
I changed the .env file to the new domain. I checked it twice.
Then i searched in google for other solutions, no way.
I cleaned cache, routes and config. No better result. I checked the store in the browser. Everything looks ok. The session cookie and als the xsrf token are there.
Is it possible, that the server doesn't accept any header? It's an nginx
Actually I have no Idea to where I have to searcht....
Can't seem to work out why I keep getting CSRF token mismatch with my deployed app. On local using valet it's working fine.
The backend and frontend are on 2 different servers but they share the same subdomain so surely this should work?
My local .env contains the following:
SESSION_DOMAIN=.rss.test
SANCTUM_STATEFUL_DOMAINS=front.rss.test:3001
My live .env contains the following:
SESSION_DOMAIN=.dally.tech
SANCTUM_STATEFUL_DOMAINS=rss.dally.tech
The API is sat on the domain:
rss-api.dally.tech
Really confused why this isn't working.
I'm trying to build an app that will consume Laravel APIs and I'm trying to use Sanctum for authentication. I've check a whole bunch of videos and tutorials and one thing I've noticed is that they are all using localhost or 127.0.0.1 for demonstration purposes.
However, one thing I'm missing out is actually figuring out how to work with the domains.
In my case, I'm using Valet to serve the laravel app. And after configuring everything needed for sanctum, I'm left struggling with getting the CSRF cookie when request is sent to https://domain.test/sanctum/csrf-cookie.
In Postman I'm getting no cookies
I started going nuts, and then I tried simple php artisan serve and made a request to http://127.0.0.1:8000/sanctum/csrf-cookie and by magic I got the cookies
Any explanation why this might happen will be great.
To note, I've set SESSION_DOMAIN and SANCTUM_STATEFUL_DOMAINS in my env file to include both localhost and domain.test.
You need to add session domain in the .env file
SESSION_DOMAIN=.domain.test
[and don't forget to add . (dot) before domain]
I have a heroku app set up on a .app TLD, and a custom domain through GoDaddy.
What I would like is to have something like this:
myapp.example.com resolves to my app, and does not redirect.
What I am currently experiencing is:
myapp.example.com redirects (with a 307) to my-example-app.herokuapp.com
What I have done:
Following the Heroku guide for custom domains, I've done heroku domains:add myapp.example.com -a my-example-app and also added a cname to though the Godaddy UI for my domain.
CNAME myapp some-heroku-dns-somehash.herokudns.com
Any help, advice or pointers would be appreciated.
Edit: The 307 redirect is just due to the app redirecting to /sign-in. The issue that I am trying to resolve is using the custom domain, and not the heroku domain.
The 307 redirect is just due to the app redirecting to /sign-in.
This causes me to think that your application thinks it should build URLs using the Heroku domain instead of the custom domain.
Does your application have a place where its domain is configured? You might just need to update that setting so it can build own URLs using the proper domain.
I have an app created on Heroku and I added subdomain to it:
some.page.example.com
www.some.page.example.com
Then, according to this, I've pointed these names to proper Heroku names with my DNS provider like this:
some.page.example.com CNAME some.page.example.com.herokudns.com
www.some.page.example.com CNAME www.some.page.example.com.herokudns.com
I'd like to serve this page under http, apparently Heroku internally redirects traffic to https - it returns 301 when trying to access page via http. Of course finally it fails (e.g. ERR_SSL_PROTOCOL_ERROR in Chrome or SSL_ERROR_INTERNAL_ERROR_ALERT in Firefox), after redirecting, beacuse there is no certificate set up on this Heroku app.
How can I prevent Heroku from doing this?
P.S. What's funny, I have other site on Heroku, with root domain pointing to this, and it works like a charm. :/