
I am using laravel airlock auth on my SPA project.

As per the documentation https://laravel.com/docs/master/airlock, the code below is needed when logging in:

axios.get('/airlock/csrf-cookie').then(response => {
   // Login...
});

However, when I commented out that code, the login script could still access the API controller.

This is my code below:

// axios.get('/airlock/csrf-cookie').then(response => {
  axios.post('api/login', {
    email: this.email,
    password: this.password
  })
  .then(response => {
    console.log(response);
  })
  .catch(error => {
    // arrow functions keep the component's `this`, so no `self` alias is needed
    this.errors.push(error.response.data.message);
  });
// })

What is the use of axios.get('/airlock/csrf-cookie') then?

smzapp

1 Answer


It is because you already hit the domain when loading the assets for your SPA application (HTML/JS/CSS), and at that moment the Laravel CSRF protection was initialized.

Imagine you have your API on a different domain; then you must initialize the CSRF protection with a GET call to /airlock/csrf-cookie.

Luis Montoya
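The three situations the answer describes, as an added example that is not code from the question or from Laravel: a Map stands in for the browser cookie store, the token value and the "same domain" page load are constructed, and the server check mirrors what Laravel's CSRF middleware does with the XSRF-TOKEN cookie and X-XSRF-TOKEN header.

```javascript
// Added example, not code from the question or from Laravel itself. It models
// the cookie-to-header check behind /airlock/csrf-cookie; a Map stands in for
// the browser cookie jar and the token value is constructed.
const COOKIE = 'XSRF-TOKEN';
const HEADER = 'X-XSRF-TOKEN';

// Server side of GET /airlock/csrf-cookie: issue the token cookie.
function issueCsrfCookie(jar) {
  jar.set(COOKIE, encodeURIComponent('constructed-token-123'));
}

// Side effect of loading the SPA's HTML/JS/CSS from the API's own domain:
// Laravel's session middleware has already set the cookie (the asker's case).
function loadSpaFromSameDomain(jar) {
  issueCsrfCookie(jar);
}

// Server side of POST api/login, as the CSRF middleware behaves: reject with
// 419 when the header is absent or does not match the cookie value.
function serverLogin(jar, headers) {
  const expected = jar.has(COOKIE) ? decodeURIComponent(jar.get(COOKIE)) : null;
  if (!expected || headers[HEADER] !== expected) {
    return { status: 419, message: 'CSRF token mismatch' };
  }
  return { status: 200, message: 'logged in' };
}

// Client: axios copies XSRF-TOKEN into X-XSRF-TOKEN automatically; done by hand
// here. primeCsrfCookie mirrors the axios.get('/airlock/csrf-cookie') call.
function login(jar, { primeCsrfCookie }) {
  if (primeCsrfCookie) issueCsrfCookie(jar);
  const headers = {};
  if (jar.has(COOKIE)) headers[HEADER] = decodeURIComponent(jar.get(COOKIE));
  return serverLogin(jar, headers);
}

// Scenario 1 (the question): SPA served from the API domain, GET skipped.
function sameDomainWithoutGet() {
  const jar = new Map();
  loadSpaFromSameDomain(jar);
  return login(jar, { primeCsrfCookie: false }).status; // 200
}

// Scenario 2: API on another domain, cookie never set, GET skipped.
function crossDomainWithoutGet() {
  return login(new Map(), { primeCsrfCookie: false }).status; // 419
}

// Scenario 3: same as 2, but the csrf-cookie GET is made first.
function crossDomainWithGet() {
  return login(new Map(), { primeCsrfCookie: true }).status; // 200
}
```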