Getting error: "Unauthenticated" with Laravel Passport - laravel

I'm trying to create a single page app with Laravel/Passport as the API backend. To sign up, I create my user as usual, then use Passport's ApiTokenCookieFactory to generate my JWT cookie like so:
// api_success is a response macro
return $this->response->api_success('User successfully created')
->withCookie($this->cookie->make($newUser->getModel()->getKey(), $request->header('X-CSRF-TOKEN')));
You can assume that $this->cookie is the container's resolved cookie factory. This all works fine and I get a laravel_token cookie with the JWT.
When I go to make a request though, for example to api/users/me, I get this response:
{
"error": "Unauthenticated."
}
I'm sending the CSRF token, I'm setting X-Requested-With to XMLHttpRequest, and the cookie is being sent along with the request.
The /api/users/me route has the api:auth middleware, so I'm at a loss as to what I'm doing wrong. If anyone has any suggestions they'd be greatly appreciated <3

I've solved the issue I was having, if anyone gets here in the future, note that cookies are not encrypted by default!! Make sure to either add the encrypt cookies middleware to your route, or encrypt cookies manually. My god I was so happy when I figured this out. It turns out that the passport guard was trying to decrypt my unencrypted cookie and silently (!!) failing.
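The accepted fix above in working form, as an added example that is not code from the original post. It assumes a stock Laravel 5.x app with Passport installed, the "api" guard set to the passport driver, a mass-assignable App\User, and illustrative route paths. The key point is which route gets App\Http\Middleware\EncryptCookies: the one that issues the cookie.

```php
<?php
// routes/api.php (added example; not code from the original post)
// Assumptions: stock Laravel 5.x, Passport installed, App\User mass-assignable
// for name/email/password, route paths chosen for illustration only.

use App\Http\Middleware\EncryptCookies;
use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Laravel\Passport\ApiTokenCookieFactory;

// The route that ISSUES laravel_token. ApiTokenCookieFactory::make() returns a
// cookie whose value is the plain JWT; nothing encrypts it unless EncryptCookies
// wraps this route (in the default "web" group it always does). Passport's guard
// later decrypts the cookie with APP_KEY, so a plain JWT here means every request
// that presents it fails with "Unauthenticated." and no error is logged.
Route::middleware([EncryptCookies::class])
    ->post('/users', function (Request $request, ApiTokenCookieFactory $cookies) {
        $user = User::create([
            'name'     => $request->input('name'),
            'email'    => $request->input('email'),
            'password' => Hash::make($request->input('password')),
        ]);

        // Bind the cookie to the CSRF token the client is already sending, as the
        // post above does; the guard compares that JWT claim with X-CSRF-TOKEN.
        $cookie = $cookies->make($user->getKey(), $request->header('X-CSRF-TOKEN'));

        return response()
            ->json(['message' => 'User successfully created'], 201)
            ->withCookie($cookie);   // EncryptCookies encrypts it on the way out
    });

// The route that CONSUMES the cookie stays in the default "api" group, which has
// no EncryptCookies: the guard expects the still-encrypted value and decrypts it
// itself. Requests must also carry X-CSRF-TOKEN and X-Requested-With.
Route::middleware(['auth:api'])
    ->get('/users/me', function (Request $request) {
        return $request->user();
    });
```

The alternative the answer mentions, encrypting manually, means passing the cookie value through the app's encrypter before attaching it; attaching the middleware to the issuing route is simpler and keeps the encryption settings (serialization in particular) identical to what the "web" group produces. Note that EncryptCookies also decrypts incoming cookies, so putting it on the route that reads laravel_token hands Passport an already-decrypted value and produces the same silent 401.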

Related

Why should we call sanctum/csrf-cookie on Laravel Sanctum

I was reading the documentation, and one question occurred to me. Why would we need to call this endpoint /sanctum/csrf-cookie to get CSRF protection when logging in?
I understand what CSRF is, and per my understanding, the practice that Laravel uses to prevent CSRF is to set an xsrf-token cookie in the browser; Angular or some other framework then automatically attaches the cookie to the header as x-xsrf-token. This is also called server-side double submit, one of the practices to prevent CSRF.
However, I just don't get why on Laravel Sanctum we have to manually call /sanctum/csrf-cookie before login. With the web guard, this protection is automatic after login without any manual work before login.
My question is: what is the benefit or logic of calling /sanctum/csrf-cookie before login rather than automatically sending x-csrf-cookie to the browser via the response after login?
Anyone who could help explain this further would be much appreciated.

AJAX request to Laravel backend returns 419 CSRF token mismatch

I'm creating an SPA using NextJS, and I have a Laravel backend for my API. To authenticate my SPA I'm using Laravel Sanctum.
My API is on api.domain.com and my app is on domain.com
I've set these environment variables which are relevant to this issue:
SESSION_DRIVER=cookie
SESSION_DOMAIN=.domain.com
SANCTUM_STATEFUL_DOMAINS="domain.com"
When I log in I make a request to /sanctum/csrf-cookie to get my CSRF cookie, and I can see in my following requests I am sending the X-XSRF-TOKEN header with the value from the cookie.
I'm wondering if anyone else has had a similar issue with CSRF mismatches when using sanctum on different subdomains?
OK, what ended up fixing my issue was changing the name of my session cookie to something without an underscore. Very weird!

Laravel Passport response from same endpoint at same time with two different access_tokens from two users in both cases return first user

I am using Laravel 5.8 with Passport 7.2 to build the API for my application. I am using the password grant for authentication.
I have created everything from registration to login, and everything seems to function properly. I am able to get an access_token and refresh_token and to access routes that have the auth:api middleware attached.
In my routes I have this:
use Illuminate\Http\Request;

Route::group(['middleware' => ['auth:api']], function () {
    ...
    // Returns the user resolved from the bearer token on this request
    Route::get('test', function (Request $request) {
        return $request->user();
    });
    ...
});
When I call this /api/test URL with the header Authorization: Bearer access_token I get the currently authenticated user. That works fine.
I am testing these endpoints with Postman, but everything is the same if I test using JavaScript from the browser.
The problem is when I have two different access_tokens from two different users. If I call this URL with one access_token I get the correct user data as the response, and if I wait a few seconds and call the same URL with the second access_token I get the correct second user's data as the response. But if I call this URL twice with these two access_tokens at the same time (call the first and, for example, half a second later call the second), I get the first call's user data as the response in both requests.
I hope you can understand what the problem is.
Could this be a caching problem, or maybe a session problem (even though the API is stateless)?
If you need more information, just tell me.
At first I thought it was a browser cache issue, but it is the same in Postman. I have also tried using Google Chrome for one request and Mozilla for the second, and everything is the same.
If you have any idea about what could be wrong, I will appreciate it :D
I have found a solution. It is not a Laravel or Passport problem.
The problem was:
on my server we have Nginx and https://engintron.com/ configured, and Engintron has a micro-caching mechanism.
This micro-cache can be completely disabled, or can be disabled with headers in the request (Cache-Control: private).
The micro-cache caches GET requests to a URL for 1 second and ignores different Authorization headers. That's why I got the same user data for two different Authorization headers when I made the two requests within a 1 second period.
I hope this will help someone else in the future. If somebody needs more info, do not hesitate to contact me :D
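The application-side defence for the problem in this answer, as an added example that is not code from the original question or answer: a middleware that marks every token-authenticated response as non-cacheable, so a reverse-proxy cache that keys only on the URL (Engintron's micro-cache, or any shared cache) cannot replay user A's body to user B. It assumes the cache honours standard Cache-Control directives, as the answer says Engintron's does for "private"; the middleware name and the route usage are illustrative.

```php
<?php
// app/Http/Middleware/NoSharedCache.php (added example; not code from the original post)
// Assumption: the cache in front of the app obeys Cache-Control, as the answer
// above states for Engintron's micro-cache.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

// A per-user API response must never be stored by a shared cache. If the cache
// keys on the URL alone, the first caller's /api/test body is served to every
// caller for the TTL, whatever bearer token they present.
class NoSharedCache
{
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        // "private": shared caches must not store it; "no-store": nothing should.
        $response->headers->set('Cache-Control', 'private, no-store');
        // For caches that store anyway: make the token part of the cache key.
        $response->headers->set('Vary', 'Authorization');

        return $response;
    }
}

// routes/api.php: apply it to every token-protected route, e.g.
//
// use App\Http\Middleware\NoSharedCache;
//
// Route::group(['middleware' => ['auth:api', NoSharedCache::class]], function () {
//     Route::get('test', function (Request $request) {
//         return $request->user();
//     });
// });
```

On the proxy side the equivalent is to skip the cache whenever a request carries credentials; in plain nginx that is `proxy_cache_bypass $http_authorization;` together with `proxy_no_cache $http_authorization;` on the location that proxies the API. Doing both is sensible, because the headers above protect against any cache you do not control (CDN, corporate proxy), not only the one on your own server.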

Laravel Passport not authenticating with JWT cookie (self consuming API)

I've gone through the entire page of documentation and as far as I can tell I have everything set up exactly as the documentation states. However, when I attempt to make a GET request to /api/users it always returns a 401 Unauthorized.
If I inspect the request, I see that the laravel_token is indeed being passed along with the request, as well as CSRF.
At this point, I'm not really sure why it's always failing to authenticate, but it's pretty frustrating and I'm sure it's something minor that I'm overlooking somehow.
I'm using Laravel 5.7.5.
Configuration steps done:
Ran php artisan passport:install
Added trait to User model
Added Passport::routes() to AuthServiceProvider::boot()
Changed API driver to passport in config/auth.php
Added CreateFreshApiToken::class to web middleware
After a lot of digging, I finally figured out what my issue was.
In Laravel 5.6 and later, cookies are no longer serialized/unserialized. However, Passport still expects the cookies to be serialized. Neither the Laravel nor the Passport documentation points this out, and hopefully they'll get more in sync so this isn't an issue.
To fix this, you just need to add Passport::withoutCookieSerialization(); to app\Providers\AuthServiceProvider::boot()
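The provider from the answer's checklist with the fix in place, as an added example that is not code from the original post. It assumes Laravel 5.7 with the Passport release the answer used, and that the checklist above (passport:install, the HasApiTokens trait on App\User, the passport driver in config/auth.php, CreateFreshApiToken in the web group) is already done. Background the answer leaves implicit: Laravel stopped unserializing cookie values in the 5.6.30 security release, because decrypt-then-unserialize let anyone holding APP_KEY reach PHP unserialize() through a cookie; Passport's guard kept unserializing, so its decrypt of laravel_token throws, the guard swallows the exception, and the request is a 401.

```php
<?php
// app/Providers/AuthServiceProvider.php (added example; not code from the original post)
// Assumptions: Laravel 5.7, Passport as used in the answer above, checklist applied.
namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    protected $policies = [];

    public function boot()
    {
        $this->registerPolicies();

        // Registers /oauth/token, /oauth/clients, ... (checklist item "Passport::routes()")
        Passport::routes();

        // Laravel 5.6.30+ EncryptCookies encrypts cookie values without serializing
        // them. This Passport release still unserializes by default, so decrypting
        // laravel_token throws, the guard swallows it and every cookie-authenticated
        // request is a 401. This flag makes the guard decrypt the way EncryptCookies
        // encrypts.
        Passport::withoutCookieSerialization();

        // Not part of the fix, but worth setting once you are here: bounded token
        // lifetimes so a leaked cookie or bearer token stops working on its own.
        Passport::tokensExpireIn(now()->addHours(8));
        Passport::refreshTokensExpireIn(now()->addDays(30));
    }
}
```

If you later upgrade Passport, check the default of this flag in the release notes; the call is harmless when it matches the default, and a mismatch in either direction reproduces the same silent 401.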

How to use generated token from passport Laravel oAuth

Can someone assist me here? I have succeeded in setting up Passport on Laravel 5.4 and everything seems to work perfectly. My question is, once the token is generated, am I supposed to save it for subsequent usage? I am just confused about the workflow. I am using the password grant. I want to know how to pass the token to another route that is making another call to another endpoint once the token has been generated.
You append the generated token to each and every subsequent request that needs to be authenticated. In this case, attach it to the Authorization header of the request. Something like this:
Bearer eJ0eXAiOi.......
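The whole workflow the question asks about, as an added example that is not code from the original question or answer: obtain the token pair once with the password grant, keep it, send the access token as a bearer header on every later call, and use the refresh token when the access token expires. It assumes Laravel 5.4 + Passport with a password-grant client (php artisan passport:client --password), Guzzle 6 as bundled with Laravel, and the stock /api/user route behind auth:api; the host, client id/secret and credentials are placeholders.

```php
<?php
// Added example; not code from the original question or answer.
// Assumptions: Laravel 5.4 + Passport with a password-grant client, Guzzle 6,
// stock /api/user route behind auth:api. Host, client id/secret and user
// credentials are placeholders.
require __DIR__.'/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\ClientException;

const CLIENT_ID     = '2';                       // placeholder
const CLIENT_SECRET = 'PASSWORD_CLIENT_SECRET';  // placeholder; server-side only, never ship it to a browser

$http = new Client(['base_uri' => 'https://example.test', 'timeout' => 5]);

// Ask /oauth/token for a token pair. Used once with the user's password and
// later with the refresh token; the response shape is the same both times.
function requestTokens(Client $http, array $grant): array
{
    $res = $http->post('/oauth/token', [
        'form_params' => $grant + [
            'client_id'     => CLIENT_ID,
            'client_secret' => CLIENT_SECRET,
            'scope'         => '',
        ],
    ]);
    // ['token_type' => 'Bearer', 'expires_in' => ..., 'access_token' => ..., 'refresh_token' => ...]
    return json_decode((string) $res->getBody(), true);
}

// Every call to an auth:api route carries the saved access token in the
// Authorization header. Accept: application/json makes Laravel answer a 401
// as JSON instead of redirecting to the login page.
function callApi(Client $http, string $accessToken, string $path): array
{
    $res = $http->get($path, [
        'headers' => [
            'Authorization' => 'Bearer '.$accessToken,
            'Accept'        => 'application/json',
        ],
    ]);
    return json_decode((string) $res->getBody(), true);
}

// 1. Log in once and keep the pair (session, encrypted store, ...), not once per request.
$tokens = requestTokens($http, [
    'grant_type' => 'password',
    'username'   => 'alice@example.test',
    'password'   => 'correct horse battery staple',
]);

// 2. Reuse the same access token for every subsequent authenticated call.
try {
    $user = callApi($http, $tokens['access_token'], '/api/user');
} catch (ClientException $e) {
    if ($e->getResponse()->getStatusCode() !== 401) {
        throw $e;
    }
    // 3. A 401 means the access token expired or was revoked: trade the refresh
    //    token for a new pair instead of asking the user for the password again.
    $tokens = requestTokens($http, [
        'grant_type'    => 'refresh_token',
        'refresh_token' => $tokens['refresh_token'],
    ]);
    $user = callApi($http, $tokens['access_token'], '/api/user');
}

printf("Authenticated as %s\n", $user['email']);
```

Where the token lives matters as much as how it is sent: in a server-side client (the case above) the pair belongs in the session or another store the browser cannot read, and the client secret must never leave the server. A browser-based SPA should not use the password grant with an embedded secret at all; that is what the laravel_token cookie flow in the questions above is for.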
