sanctum: CSRF token mismatch

Might have missed something, but getting CSRF token mismatch after running a request to the API (after running the airlock/csrf-cookie, which seems to be returning everything fine)?

Added the monorepo here for help: https://github.com/adicle/test-app

Just testing a really really simple SPA test with API but still having the issue.

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 5
  • Comments: 52 (5 by maintainers)

Most upvoted comments

So I finally got it 100% working. The SESSION_DRIVER = cookie is one of the missing links. The other was definitely getting NuxtJS and Laravel on subdomains of the same TLD.

Here is my code repo for the Laravel API with Airlock: https://github.com/serversideup/airlock-laravel-api

Here is my code repo for the NuxtJS install with the Nuxt Auth Module: https://github.com/serversideup/airlock-nuxt-frontend

If you guys have any questions, let me know and I can help trouble shoot

+3
danpastori on Jan 17, 2020

Additionally I had to set SESSION_DRIVER=cookie in .env file to make it work with API routes such as /api/user

+2
ghost on Jan 17, 2020

@mansouralex I’ve just figured out the issue. You were right. I edited config/session.php but it didn’t help.

The problem was with Airlock Middleware: vendor/laravel/airlock/src/Http/Middleware/EnsureFrontendRequestsAreStateful.php

Screen Shot 2020-03-12 at 5 36 51 PM

When I changed the 45th line to null it did the trick.

This is a temporary workaround for Airlock, I made a pull request with the reference to your comment.

I couldn’t even think that the error was due to a new update in Chrome. Thank you so much, Alex! 🙂

+1
AndrewSavetchuk on Mar 12, 2020

I don’t really know what’s wrong but I’m having this issue on chrome only… but on firefox Dev Edition… everything works fine

+1
yob-yob on Mar 9, 2020

@JGamboa As mentioned in this thread, you’ll need to put your frontend on a domain. The way I have it setup for apps using Airlock is the backend is api.tld.test and the frontend is app.tld.test for example, then follow the instructions on here to set it up.

+1
robmpreston on Feb 12, 2020

@taylorotwell Thank you for all of the help, I was able to get it working in one scenario with Nuxt!

Here’s what made the difference:

CORS

A lot of this had to do with CORS, but also with the cookie domain. For CORS, the only change I made to the default fruitcake/laravel-cors package was to set 'supports_credentials' => true and to add the Airlock routes to the cors file:

/*
     * You can enable CORS for 1 or multiple paths.
     * Example: ['api/*']
     */
    'paths' => [
        'airlock/csrf-cookie',
        'login',
        'api/*'
    ],

Nuxt

By default NuxtJS runs on http://localhost:3000. According to a couple issues I read about, in order for a qualified domain, you need at least one . (https://stackoverflow.com/a/1188145). You also need your session domain set in session.php as @taylorotwell mentioned here: https://github.com/laravel/airlock/issues/11#issuecomment-574181474.

We have a testing infrastructure so I threw a Nuxt install under a subdomain and set that per suggestion () to be .TLD.test. This worked! We got an X-XSRF-TOKEN header passed and proper airlock authentication!

In my case, once I changed the TLD away from localhost, and adjusted the session.php it worked right away. Hope this helps someone!

+1
danpastori on Jan 14, 2020

To every request after /airlock/csrf-cookie you need to add a X-XSRF-TOKEN header with the value of the XSRF-TOKEN cookie.

+1
DCzajkowski on Jan 9, 2020
Read more comments on GitHub
← sail: Unable to use Sail with GitHub Codespaces
sanctum: CSRF token mismatch and Unauthenticated →