I've added "laravel/passport": "^4.0" package to my fresh install of laravel 5.5 and to consume my own API, i've added \App\Http\Middleware\CreateFreshApiToken::class middleware to the kernal.php.
Also, I've scaffolded the Auth login and registration using php artisan make:auth as well but whenever I try to login or logout it throws a TokenMismatchException and shows me 419 response view.
I checked the csrf token inside the auth forms and also xsrf token inside cookies which is set by laravel/passport package and I found that after changing route to route the token changes which is causing token miss match while logout or login.
Related
I am using Laravel Sanctum's API Tokens to authenticate requests from a React application. I don't use SPA Authentication and cookies.
For now, the Laravel sessions are managed with files.
After you login, you get a token, and with the given token, you can call APIs successfully. But if you refresh a page, even with the same token, API calls fail with 401 status code and the following message:
{
"message": "Given authorization token is not valid. Please try to login again."
}
It works fine on my localhost. It only happens on a live site, and after you refresh a page.
The Laravel backend serves only APIs, so it defines routes in api.php only. All these routes are using auth:sanctum middleware (of course, with an exception of /login route).
The following line is disabled in Kernel.php for the api middleware group:
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class
Any thoughts on how to fix this?
I am using Laravel Sanctum for making authentication. I don't have any SPA application and I want to have Laravel Sanctum for having default authentication.
I have followed the documentation but I've got 419 error code.
If you try to logging to system with Cookie Base application you should add CSRF to your application. And you do not have to use Laravel/Sanctum package if you will not separate your application parts with wildcards. Just use sessions instead of it.
I developed a Laravel+Vue with Sanctum and deployed. On localhost works fine, I can login with my Vue form or with Laravel UI. In Heroku I get a CSRF Token mismatch error if I try to login with my Vue form; if I login with Laravel UI I get a 419 error page.
What I can note is that on my Heroku's app I haven't got any XSRF_TOKEN in my cookies, but in my localhost I have. I tried changing session driver from file to database driver as I read that in Heroku file driver doesn't work fine because of its storage system, with the same results (CSRF Token mismatch and not XSRF-TOKEN).
I also tried with http and https.
app/Http/Kernel.php in protected $middlewareGroups
// \App\Http\Middleware\VerifyCsrfToken::class,
I'm getting a page expired error (er.419) when I try to login after a previous logout.
I'm working on auth pages for SPA made with Laravel and Vue.js. It works well on first login but after a logout it shows an error submitting the second one login.
I think the issue is the CSRF sent previously and (maybe) expired after logout.
My work flow is this:
login component has hidden form sent as POST method to Laravel API having the csfr-token value from an HTML META TAG set up when app is created by Laravel template:
meta name="login-status" content="{{ Auth::check() }}"
The logout is done by a fetch request in a vue component. So no refresh is done.
Thanks for any suggestion!
From the laravel docs (https://laravel.com/docs/5.8/csrf#csrf-introduction):
Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application.
When you logout, you are invalidating your current session - which means that the csrf token you have cached in your meta becomes invalid.
Solution 1
Refresh the page when you successfully logout, so php can output the active csrf token into your meta tag. For example:
fetch('/api/logout', {
method: 'post'
}).then(() => {
window.location.href = '/login';
});
Solution 2
Consider using the api route middleware group. Doing so will mean the application will not trigger the App\Http\Middleware\VerifyCsrfToken middleware. Bear in mind though that you will no longer have access to the session, so you'll need to look into stateless authentication techniques such as via JWT's.
Laravel themselves even provide a package for authenticating api's. (https://laravel.com/docs/5.8/passport)
When the user logs in on the page, then deletes the authentication cookie manually from the browser and finally trying to logout, then the logout won't be possible because of mismatch token. How to handle this?
Tried to handle the mismatch token using exception handling but it doesn't work
php artisan make:auth
To logout I have used a post form and sending the CSRF token with it.