i recently developed a laravel application integrated with webmoney
webmoney use POST to callback data from gateway
i have added the specified route in $except array in VerifyCsrfToken middleware
but i cannot get the current user in that route and then i figured out user has been logged out
would you please help me fix this ?
For resolving this problem you need in config/session set SameSite to null or none
For avoiding security issue it's better to set secure to true
Related
I'm currently trying to test an SPA using Laravel 8.19.0 and Postman 7.36.1 but I keep getting an "Unauthenticated" response from a route that's guarded by "auth:sanctum", even though I have logged in correctly.
As far as I can understand, I've followed the documentation fully at https://laravel.com/docs/8.x/sanctum
in order to set Sanctum up to be used for SPA so I've done the following:
Installed Sanctum.
Published the Sanctum config.
Performed a migration.
Included the EnsureFrontendRequestsAreStateful middleware and 'EnsureFrontendRequestsAreStateful::class' to the Http Kernal.
Added my local domains (same top-level domain but 1 with the "test" sub domain and another with "api") to the "stateful domains" option in the Sanctum config file.
Set the "supports_credentials" option in the cors config to "true".
Set my top level domain, prefixed with a "." for the "domain" option in the session config.
Then, I've set Postman up using the guide at https://blog.codecourse.com/laravel-sanctum-airlock-with-postman/
so I've written a script to get the CSRF token from "/sanctum/csrf-cookie" then used said token as the value for the "X-XSRF-TOKEN" in the request header and I can succesfully log in. however, when I try to access a route afterwards that's guarded by the "auth:sanctum" guard, even with the referrer and 'X-XSRF-TOKEN' being set up in the request header I cannot access the route.
After debugging, I can see that $this->auth->guard($guard)->check() is returning false in the authenticate($request, array $guards) method where $guard = "sanctum" in \vendor\laravel\framework\src\Illuminate\Auth\Middleware\Authenticate.php on line 63 because $this->user() is null for the Illuminate\Auth\RequestGuard instance.
Any help or even ideas on things to check would be greatly appreciated as I'm unsure on what to do from here, short of spending a day digging deeper into the request guard object and its instantiation!
Thanks.
The issue a lot folk are seeing when using Postman with Sanctum SPA authentication is that you simply need to add an additional header to your requests, This can be "Referrer" or "Origin" and the value must match the domains set in the sanctum.php config file. e.g. localhost or mysite.test etc.
vendor/laravel/sanctum/src/Http/Middleware/EnsureFrontendRequestsAreStatefull.php in the fromFrontEnd() method is where you can see this requirement. Laravel V8.x and I believe also in Laravel V7.x
Issue has since been resolved and was caused by Postman only saving the "XSRF-TOKEN" and "laravel_session" cookies to the "test" subdomain after logging in (the login URL used this sub domain) and thus not passing them to the "api" subdomain when trying to access the route which was protected by "auth:sanctum". By adding the same cookies to the "api" subdomain via the "Manage Cookies" menu in Postman, the route can now be accessed as intended.
I'm trying to implement a domain wide authentication (DWA) on top of the usual user authentication. The use case is prevent a work-in-progress site from leaking to google/public.
Created scaffolding code using php artisan make:auth
Log in via /login and is redirect to /home which shows the default You are logged in!
When I reload /home, I see that $this->session->id in SessionGuard.php has an ID value which I will refer to as A, the session also has 5 attributes.
Next, I insert the auth middleware into the route /product/{id} and load it
I see that $this->session->id in SessionGuard.php has a brand new ID with 0 attributes
This causes authenticate() in Authenticate.php middleware to throw an Unauthenticated exception and redirect me to /login
As the browser loads /login, $this->session->id in SessionGuard.php now shows the ID of A with the earlier 5 attributes
/login results in RedirectIfAuthenticated.php middleware running and redirecting to /home
As a result of the DWA, I'm unable to load /product/{id}, it just keeps redirecting me to /home
My question is, why does #5 show a new session ID instead of A?
Where and how is this ID derived in the first place?
Thanks!
I found the solution Problems of routes in own package- Laravel 5.6
It was due to my controller having only the auth but lacking the web middleware. Hope it helps someone.
Eloquent: API Resources
I am Trying to Crud a table using POSTMAN and laravel Api Resources. ]
Although using get method i can get all the data. When i use delete or post method, it returns an error of session expired.
Thanks in advance.Image Of POSTMAN
Image of routes
Sounds like you're missing the CRSF token, which would explain why HTTP GET's are working. One option to work around this is to disable the CSRF middleware when working in your development environment. Simplest solution is to open up app/Http/Middleware/VerifyCsrfToken.php and set:
protected $except = [
'*',
];
The * is a wildcard-like option that will disable CSRF verification for all routes. Obviously ideal solution would to be to disable it on a higher level only when working on local development, but the provided answer is a quick solution.
See the Laravel documentation on CSRF Excluding URI's
Sorry for the trouble. I found the problem,actually i was posting the routes in web.php instead of api.php . That was why i was getting the errors. Thankyou for the concern.
How do I enable login throttling in Laravel 5.3?
Should it be enabled by default?
Where can it be configured?
I could not find anything in the config files. I use ldap auth with adldap library.
Simple.
In .env, If CACHE_DRIVER is set to array, it won't work.
Set CACHE_DRIVER to file for example.
According to the documentation:
If you are using Laravel's built-in LoginController class, the Illuminate\Foundation\Auth\ThrottlesLogins trait will already be included in your controller. By default, the user will not be able to login for one minute if they fail to provide the correct credentials after several attempts
laravel 5.2 session not persist after route change,
I have not used any middleware. session returns all values in controller when i put session but it forgets when redirect to another route.
here is my routes
Route::auth();
Route::get('login','LoginController#login');
Route::post('login','LoginController#check');
Route::get('/','HomeController#index');
Route::post('school/store','HomeController#store');
In Laravel 5.2, everything need to be given a web middleware in order to use cookies or sessions. It is not mentioned in Laravel upgrade guide though.
https://mattstauffer.co/blog/middleware-groups-in-laravel-5-2
https://github.com/laravel/framework/issues/13000