Laravel 5 geting InvalidStateException in AbstractProvider.php

Question

I am trying to use login with facebook in laravel 5 using Socialize.

Here is my route file code.

Route::get('fb', function ($facebook = "facebook")
{
    $provider = \Socialize::with($facebook);      
    if (Input::has('code'))
    {
        $user = $provider->user();
        return var_dump($user);
    } else {
        return $provider->scopes(['public_profile','user_friends'])->redirect();
    }
});

login is success and I get the code but time of get $provider->user() I get the error.

InvalidStateException in AbstractProvider.php line 161

Answer 1

It work on my website , just call ->stateless() before get user

Socialite::driver('facebook')->stateless()->user()
Socialite::driver('google')->stateless()->user()

Answer 2

Make sure, that a query string with url parameters (code and state) are passed to the fpm/mod_php:

# AbstractProvider.php, line 242
...
protected function hasInvalidState()
{
    if ($this->isStateless()) {
        return false;
    }
    --> dd($this->request); <--
    $state = $this->request->session()->pull('state');

    return ! (strlen($state) > 0 && $this->request->input('state') === $state);
}
...

Find an example of nginx configuration below, that proxies $args variable to the application:

# example.com.conf
location / {
    try_files $uri $uri/ /index.php?$args;
}

Make sure, that parameter QUERY_STRING is set in fastcgi_params file:

# /etc/nginx/includes/fastcgi_params
...
fastcgi_param QUERY_STRING          $args;
...

# example.com.conf
location ~ \.php$ {
    fastcgi_pass fpm:9000;
    fastcgi_index index.php;
    ...
    include /etc/nginx/includes/fastcgi_params;
    ...
}

Answer 3

I know this post is a little old but I kept hitting it while searching for a possible answer.

I had the same error but my solution was a little different.

I develop on Ubuntu 18.04 desktop since it is a server with a GUI. Socialite works great locally but as soon as I pushed/pulled the changes through git to the server, it quit.

I was running traces by recording what was sent to and from google. I "dd($_GET)" to get a raw dump before Socialite had a chance to get the info so I knew what was stored and ready for use. All info was there but Socialite didn't seem to "see" it. That is when I reasoned it was my apache2 header configuration interfering with the cookies/session data.

I had set header security in my apache2 configs. One of the settings was

Header always edit Set-Cookie ^(.*) "$1;HttpOnly;Secure;SameSite=Strict"

This setting was interfering with the cookie information that socialite needed. I removed that setting from my apache2 header config(by commenting out) and restarted Apache. Finally I removed all sessions in storage/framework/session/* and cleared them from my browser just to be sure. That worked for me.

After I got it working, one by one enabled and tested each of the following settings to have the framework secure what header info it can:

SESSION_SECURE_COOKIE=true

in my .env file

'http_only' => true, and 'same_site' => 'lax'(setting to "strict" did not seem to work)
in my config/session.php file.

Now it is back to testing security and tweaking things back if need be.

Answer 4

Go to vendor/guzzlehttp/guzzle/src/Client.php

$defaults = [
            'allow_redirects' => RedirectMiddleware::$defaultSettings,
            'http_errors'     => true,
            'decode_content'  => true,
            'verify'          => true,
            'cookies'         => false
        ];

change to

$defaults = [
            'allow_redirects' => RedirectMiddleware::$defaultSettings,
            'http_errors'     => true,
            'decode_content'  => true,
            'verify'          => **false**,
            'cookies'         => false
        ];

Answer 5

For anyone experiencing these problem, you can set the domain value in config/session.php to your domain and clear all cookies in your browser relating to your app url. you can also then run php artisan cache:clear and clear-complied

Answer 6

Try setting the correct values in the 'domain' field of config/session.php and the 'url' field of the config/app.php. This seems to have done the trick for me. I noted that the value in session.php should be without http://, while the one in app.php should be with http://.

Also, I recommend you follow this guide: https://laracasts.com/series/whats-new-in-laravel-5/episodes/9. It's extremely helpful and clear.

Answer 7

you get this error because you have your social provider settings wrong in your config file or haven't set up your Facebook app properly.

Visit developers.facebook.com and make sure your app id and secret keys are correct and pointing to the correct URL. Then make sure your laravel app's services.php config file is updated with the correct redirect, id and secret.

Answer 8

I don't know if this will help anyone but changing my session driver from file to cookie solved the InvalidException issue for me.

Answer 9

I got temporary solution for that.

public function user()
{
    //if ($this->hasInvalidState()) {
    //    throw new InvalidStateException;
    //}

    $user = $this->mapUserToObject($this->getUserByToken(
        $token = $this->getAccessToken($this->getCode())
    ));
    return $user->setToken($token);
}

comment the $this->hasInvalidState() if condition in AbstractProvider.php file and it's work fine.

Answer 10

$provider = \Socialize::with($facebook);      
if (Input::has('code'))     {
    $user = $provider->stateless()->user();
}

Maybe this is better temporary solution

Answer 11

So after doing some digging if found that the issue for me was that my nginx configuration was wrong and the url parameters (code and state) weren't passed to the index.php file properly and this way the check between the state from the session and the state from the url was failing. I modified my nginx conf to look like this and it worked fine.

location / {
            try_files $uri $uri/ /index.php?$args;
    }

Answer 12

I wasn't comfortable with just commenting out code that signalled an error (as in @Dipesh Shihora's answer), so I dug a little further. I discovered that the error is caused (in my case at least) by a problem with sessions.

My dev server is set up according to the instructions given in this answer. Basically, I am "spoofing" Google by using a callback URL which looks like a publicly-accessible address.

The InvalidStateException problem was appearing for me because I was visiting my login page at http://localhost/login and redirecting to Google's login page, which then returned me to http://myapp.example.com/callback. The problem is that the session key is stored in a cookie - it was originally a cookie for http://localhost, but when I redirected to a different URL, the cookie (and hence the session key) was inaccessible. Thus, the session state value was non-existent after the update and the exception was thrown.

The solution? Ensure that all my browsing on the dev machine was done at http://myapp.example.com and not at http://localhost.