Robert

Laravel Sanctum & NuxtJS SPA not creating csrf cookie in the browser

I have a backend API in Laravel with Sanctum, and separate repository SPA in NuxtJS

I am trying to authenticate my SPA with Sanctum. I am trying to get the CSRF cookie in the browser as per Sanctum documentation.

The problem is that when I call the CSRF token endpoint provided by Sanctum, I get the correct response, but no cookie is set. Just like that, no errors. It doesn't matter whether I use nuxt auth or just a plain old axios call.

This is what I have:

DOMAINS: API - publisher.local:8080; frontend - publisher.local:3000

NUXT AUTH CONFIG

auth: {
  strategies: {
    laravelSanctum: {
      provider: 'laravel/sanctum',
      url: 'http://publisher.local:8080',
      endpoints: {
        login: { url: '/api/v1/login', method: 'post' },
        // logout: { url: '/auth/logout', method: 'post' },
        // user: { url: '/auth/user', method: 'get' }
      }
    },
  },
},

AXIOS CONFIG

axios: {
  baseURL: 'http://publisher.local:8080/api/v1', // Used as fallback if no runtime config is provided
  credentials: true,
  proxy: true,
},

sanctum.php

'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
    '%s%s',
    // no trailing comma after local:3000, so the current application URL
    // is appended to that entry rather than becoming its own list item
    'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1,local:3000',
    Sanctum::currentApplicationUrlWithPort()
))),

session.php

'domain' => env('SESSION_DOMAIN', '.local'),

I tried different combinations and variations of these settings and none of it works. Do you guys have any idea what could be wrong?

Upvotes: 1

Views: 1746

Answers (1)

Robert

I figured this out, I think. I got it to work.

So, .local cannot be the top-level domain, and that, I think, was perhaps part of the problem, but I am not sure.

Changing the domains to just plain old localhost did the trick, but this solution had one issue: for some reason unknown to me, I would automatically get an XSRF cookie on any call to my API, regardless of which endpoint I called. Weird.

What worked perfectly was changing the domains to api.publisher.com and publisher.com, followed by all the settings from the Sanctum docs.

Just be super careful with the domains and make sure they match and that the settings are correct. It is super easy to misconfigure that thing and very hard to diagnose it!

Hope that helps!

Upvotes: 0
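An added example, not code from the question, the answer, or Sanctum itself, that models in JavaScript the two checks behind this symptom: Sanctum's port-sensitive stateful-domain match and the browser's acceptance of the session cookie's Domain attribute, run over the question's values and the answer's final domains. The public-suffix rule is approximated, and the answer's SESSION_DOMAIN and the trailing comma in its stateful list are assumptions taken from the Sanctum docs.

```javascript
// Build sanctum.stateful as the question's sanctum.php does:
// explode(',', sprintf('%s%s', defaults, Sanctum::currentApplicationUrlWithPort())).
function buildStatefulList(defaults, apiHostWithPort) {
  return (defaults + apiHostWithPort).split(',');
}

// Sanctum's middleware strips the scheme from the Referer (or Origin), appends "/",
// and needs an anchored "entry/*" match: a prefix test when entries have no "*"; the port counts.
function isStatefulOrigin(referer, statefulList) {
  const target = referer.replace(/^https?:\/\//, '').replace(/\/?$/, '/');
  return statefulList.map((e) => e.trim()).filter(Boolean)
    .some((e) => target.startsWith(e + '/'));
}

// A cookie Domain attribute is accepted only if it is a suffix of the request host
// and not a public suffix. Assumption: a bare label such as "local" stands in for
// "public suffix" (real browsers consult the Public Suffix List).
function cookieDomainAccepted(sessionDomain, apiHostWithPort) {
  const domain = sessionDomain.replace(/^\./, '').toLowerCase();
  const host = apiHostWithPort.toLowerCase().replace(/:\d+$/, '');
  if (!domain.includes('.')) return false;
  return host === domain || host.endsWith('.' + domain);
}

function diagnose(cfg) {
  const apiHost = new URL(cfg.api).host;  // host:port, like currentApplicationUrlWithPort()
  const list = buildStatefulList(cfg.defaults, apiHost);
  return {
    lastEntry: list[list.length - 1],     // reveals the missing-comma concatenation
    stateful: isStatefulOrigin(cfg.frontend, list),
    cookieAccepted: cookieDomainAccepted(cfg.sessionDomain, apiHost),
  };
}

// Values as posted in the question.
const QUESTION = {
  api: 'http://publisher.local:8080',
  frontend: 'http://publisher.local:3000',
  defaults: 'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1,local:3000',
  sessionDomain: '.local',
};

// Domains from the answer; SESSION_DOMAIN and the trailing comma are assumed from the Sanctum docs.
const ANSWER = {
  api: 'http://api.publisher.com',
  frontend: 'http://publisher.com',
  defaults: 'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1,publisher.com,',
  sessionDomain: '.publisher.com',
};
```

`diagnose(QUESTION)` reports the SPA origin as not stateful (the last list entry has become `local:3000publisher.local:8080`) and the `.local` cookie domain as rejected, while `diagnose(ANSWER)` passes both checks.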
