Laravel 5 VerifyCsrfToken mismatch on iPhone - laravel-5

Working on a responsive site and having trouble with VerifyCsrfToken middleware on Laravel 5.
Front-end is built on AngularJS and Laravel is serving the application.
On desktop, when I make a request to the API on Laravel, the token from the front-end request header matches the token in the Laravel session, so I get access to the API. However, on iPhone, they don't match.
I added some log statements to the Illuminate\Foundation\Http\Middleware\VerifyCsrfToken PHP class so I could check what's being passed to the class.
Server log when requested from desktop:
[2015-03-04 18:18:07] local.INFO: request header token: MVQ7u5fkjBTMRsM0GyOX0wuBcRwYMnWVsKDceQZ7
[2015-03-04 18:18:07] local.INFO: session token: MVQ7u5fkjBTMRsM0GyOX0wuBcRwYMnWVsKDceQZ7
Server log when requested from iPhone:
[2015-03-04 18:17:25] local.INFO: request header token: hDIiwrPiM9r5XI6QPPp1DIvp6s7gqGDk5gg9Dqus
[2015-03-04 18:17:25] local.INFO: session token: GvxO0zpTJzJsZ32hX5HHPtMxf7ex1bFEtmUWMlyV
[2015-03-04 18:17:25] local.ERROR: exception 'Illuminate\Session\TokenMismatchException' in /home/planmons/laravel/tennis/storage/framework/compiled.php:2410
This doesn't happen on the Xcode iOS Simulator, only on the device.
I have no idea where to look or investigate further, so I would appreciate any help on this.
Thanks!

It may not be the same cause as your problem, but I found out that disabled cookies in the iOS browser make it impossible to have a session with PHP/Laravel 5. Because of this the CSRF token will be calculated anew for the request, in our case POST /auth/login.
I solved this partially with a middleware that checks if a session cookie is set when using POST/PUT/DELETE.
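The check described in this answer, as an added example (not the answerer's own code): a Laravel 5 middleware that rejects state-changing requests arriving without the session cookie, so a client with cookies disabled gets a clear error instead of a TokenMismatchException. It assumes the cookie name configured in config('session.cookie'); the class and route-middleware names are made up for the example.

```php
<?php
// Added example, not the answerer's code. Rejects POST/PUT/PATCH/DELETE requests
// that carry no session cookie: without it Laravel starts a fresh session (and a
// fresh CSRF token) on this very request, so the token check can never pass.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequireSessionCookie
{
    /** HTTP methods that change state and therefore need an existing session. */
    protected $methods = ['POST', 'PUT', 'PATCH', 'DELETE'];

    public function handle(Request $request, Closure $next)
    {
        if (in_array($request->method(), $this->methods, true)) {
            // Assumed: the cookie name comes from config/session.php ('cookie' key).
            $cookieName = config('session.cookie');

            // hasCookie() only looks at the raw request cookies, so this works
            // whether or not the EncryptCookies middleware has run yet.
            if (!$request->hasCookie($cookieName)) {
                return response()->json([
                    'error' => 'Session cookie missing: enable cookies and try again.',
                ], 400);
            }
        }

        return $next($request);
    }
}
```

Register it in app/Http/Kernel.php ahead of VerifyCsrfToken (for example in the global $middleware array) so the cookie check runs before the token comparison.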

Related

Shopify JWT session token expired while making axios request call

I have created an app on Laravel and Vue.js and for the authentication process, I have used the laravel-shopify package. Right now, when the Axios call duration is long, I get a session token expired error. I have already referred to this solution but it did not work for me.
Shopify App-bridge session token is having some issues while working with the vue.js and Axios?
Please check the attached documents.
video:- https://drive.google.com/file/d/1US2dzgcPWm6iQcK4SMS4b6q85q9l89Mx/view?usp=sharing
When I have passed many files to Axios, I don't want to get an expired token error. Does anyone have a solution for this?

Laravel Sanctum 401 error after on reloading

I am using Laravel Sanctum's API Tokens to authenticate requests from a React application. I don't use SPA Authentication and cookies.
For now, the Laravel sessions are managed with files.
After you login, you get a token, and with the given token, you can call APIs successfully. But if you refresh a page, even with the same token, API calls fail with 401 status code and the following message:
{
"message": "Given authorization token is not valid. Please try to login again."
}
It works fine on my localhost. It only happens on a live site, and after you refresh a page.
The Laravel backend serves only APIs, so it defines routes in api.php only. All these routes are using auth:sanctum middleware (of course, with an exception of /login route).
The following line is disabled in Kernel.php for the api middleware group:
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class
Any thoughts on how to fix this?

AJAX request to Laravel backend returns 419 CSRF token mismatch

I'm creating a SPA using NextJS and I have a Laravel backend for my API. To authenticate my SPA I'm using Laravel Sanctum.
My API is on api.domain.com and my app is on domain.com
I've set these environment variables which are relevant to this issue:
SESSION_DRIVER=cookie
SESSION_DOMAIN=.domain.com
SANCTUM_STATEFUL_DOMAINS="domain.com"
When I log in I make a request to /sanctum/csrf-cookie to get my CSRF cookie, and I can see in my following requests I am sending the X-XSRF-TOKEN header with the value from the cookie.
I'm wondering if anyone else has had a similar issue with CSRF mismatches when using sanctum on different subdomains?
OK what ended up fixing my issue is changing the name of my session cookie to something without an underscore, very weird!

Passing accessToken from frontend to PHP API

I've been trying to get authentication working (described below) in my Laravel application, following these two tutorials:
https://auth0.com/docs/quickstart/webapp/laravel/01-login
https://auth0.com/docs/quickstart/backend/laravel/01-authorization
On the frontend (angular app):
The user clicks the log in button and is taken to the Auth0 login page
The user logs in and is redirected back to the callback with the accessToken
The access token is stored on the frontend and passed to Laravel API each request.
On the backend:
User makes a request to my http://localhost/api/route passing the accessToken in the authorisation header
Laravel validates the user is logged in and valid.
Laravel allows access to that route
It works to an extent, but when I try to use Postman to access the protected route by passing the accessToken I get the error:
"message": "We can't trust on a token issued by: https://myprojectname.au.auth0.com/."
Is my workflow correct? What am I missing?
Thanks!
Just in case somebody is facing the same issue: the authorized_iss must contain a trailing slash.
In the laravel-auth0.php file the field,
'authorized_issuers' => 'https://myprojectname.au.auth0.com/'
should be in this form.

Send post request to Laravel App

Trying to send post request via curl to my laravel app.
Getting TokenMismatchException exception.
It is a post from one app to another so adding a token on a view is not an option.
There is a default csrf filter available with Laravel. Can you print out php artisan routes to see if the route you want to access is protected by that filter?
If you want to access this route in production you might want to create a custom filter that checks for either a CSRF token or a custom header that includes a secret.
Read CSRF Protection under http://laravel.com/docs/security#protecting-routes.
More info on CSRF on the Wikipedia page.
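The "custom header that includes a secret" option from this answer, as an added example (not the answerer's code), written as a Laravel 5 middleware rather than a Laravel 4 filter: the calling app sends a shared secret in a header and the comparison is done in constant time. The header name X-App-Secret, the environment variable APP_TO_APP_SECRET and the class name are assumptions for the example.

```php
<?php
// Added example, not the answerer's code. Authenticates app-to-app POST requests
// with a shared secret carried in a custom header, for routes that are excluded
// from the session-based CSRF check because no view ever renders a token.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class VerifyAppSecret
{
    public function handle(Request $request, Closure $next)
    {
        // Assumed: the secret lives in .env as APP_TO_APP_SECRET. With config
        // caching enabled, read it through a config() key instead of env().
        $expected = (string) env('APP_TO_APP_SECRET', '');
        $provided = (string) $request->header('X-App-Secret', '');

        // Fail closed if no secret is configured, and compare with hash_equals so
        // the response time does not leak how many leading bytes matched.
        if ($expected === '' || !hash_equals($expected, $provided)) {
            return response('Forbidden', 403);
        }

        return $next($request);
    }
}
```

Apply it only to the app-to-app route (and list that route in the $except array of VerifyCsrfToken, available from Laravel 5.1), then have the caller send the header, e.g. curl -X POST -H "X-App-Secret: <secret>" https://example.test/api/receive.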
