I developed a Laravel+Vue with Sanctum and deployed. On localhost works fine, I can login with my Vue form or with Laravel UI. In Heroku I get a CSRF Token mismatch error if I try to login with my Vue form; if I login with Laravel UI I get a 419 error page.
What I can note is that on my Heroku's app I haven't got any XSRF_TOKEN in my cookies, but in my localhost I have. I tried changing session driver from file to database driver as I read that in Heroku file driver doesn't work fine because of its storage system, with the same results (CSRF Token mismatch and not XSRF-TOKEN).
I also tried with http and https.
app/Http/Kernel.php in protected $middlewareGroups
// \App\Http\Middleware\VerifyCsrfToken::class,
Related
I am using Laravel Sanctum's API Tokens to authenticate requests from a React application. I don't use SPA Authentication and cookies.
For now, the Laravel sessions are managed with files.
After you login, you get a token, and with the given token, you can call APIs successfully. But if you refresh a page, even with the same token, API calls fail with 401 status code and the following message:
{
"message": "Given authorization token is not valid. Please try to login again."
}
It works fine on my localhost. It only happens on a live site, and after you refresh a page.
The Laravel backend serves only APIs, so it defines routes in api.php only. All these routes are using auth:sanctum middleware (of course, with an exception of /login route).
The following line is disabled in Kernel.php for the api middleware group:
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class
Any thoughts on how to fix this?
I'm running into a problem using sail share with a Laravel 9.x application using Jetstream + Inertia and Sanctum.
I'm able to load my login screen at the XXXXXX.laravel-sail.site/login URL. However, I'm not able to actually login to the application.
I can see the login form post in Expose dashboard, but there is either never a response, or a 419 Page Expired error occurs (depending on which settings I'm trying, more on that below).
My local site APP_URL is set to http://localhost. The information generated by Expose is:
Shared URL: host.docker.internal:80
Dashboard: http://127.0.0.1:4040
Public HTTP: http://XXXXXXXXX.laravel-sail.site:8080
Public HTTPS: https://XXXXXXXXX.laravel-sail.site
I'm using the Public HTTP URL to access the login. The Public HTTPS URL generates ERR_CONNECTION_REFUSED.
Here is what I have tried:
Set SANCTUM_STATEFUL_DOMAINS and SESSION_DOMAIN to the Public URL in .env (This produces the 419 error). I also tried localhost but never received the POST response at login. Also tried with and without the port on SANCTUM_STATEFUL_DOMAINS.
Changed SESSION_DRIVER from database to cookie (same 419 error).
Changed 'supports_credentials' to true in config/cors.php.
Uncommented \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class in Kernel.php
Set $proxies to protected $proxies = '*'; in TrustProxies.php
Does anyone know what I'm missing?
Thanks,
Tim
I'm creating a SPA using NextJS and I have a Laravel backend for my API. To authenticate my SPA I'm using laravel sanctum.
My API is on api.domain.com and my app is on domain.com
I've set these environment variables which are relevant to this issue:
SESSION_DRIVER=cookie
SESSION_DOMAIN=.domain.com
SANCTUM_STATEFUL_DOMAINS="domain.com"
When I log in I make a request to /sanctum/csrf-cookie to get my CSRF cookie, and I can see in my following requests I am sending the X-XSRF-TOKEN header with the value from the cookie.
I'm wondering if anyone else has had a similar issue with CSRF mismatches when using sanctum on different subdomains?
OK what ended up fixing my issue is changing the name of my session cookie to something without an underscore, very weird!
I am using Laravel Sanctum for making authentication. I don't have any SPA application and I want to have Laravel Sanctum for having default authentication.
I have followed the documentation but I've got 419 error code.
If you try to logging to system with Cookie Base application you should add CSRF to your application. And you do not have to use Laravel/Sanctum package if you will not separate your application parts with wildcards. Just use sessions instead of it.
I've added "laravel/passport": "^4.0" package to my fresh install of laravel 5.5 and to consume my own API, i've added \App\Http\Middleware\CreateFreshApiToken::class middleware to the kernal.php.
Also, I've scaffolded the Auth login and registration using php artisan make:auth as well but whenever I try to login or logout it throws a TokenMismatchException and shows me 419 response view.
I checked the csrf token inside the auth forms and also xsrf token inside cookies which is set by laravel/passport package and I found that after changing route to route the token changes which is causing token miss match while logout or login.