
I have a hybrid Vue.js app that is working correctly in the web version, but that is getting a 419 from the Laravel server when calling it from the Android version.

AXIOS CALL

// Ask Sanctum to set the XSRF-TOKEN cookie first, then POST the credentials.
vm.axios.get('/sanctum/csrf-cookie').then(response => {
  vm.logging = true;
  vm.axios({
    method: 'POST',
    url: '/api/login/employee',
    data: {
      email: vm.email,
      password: vm.password
    },
  }).then(function (response) {
    console.log(response.data)
    if (response.data.success) {
      // Keep the bearer token on the axios instance for later calls and persist it across reloads.
      vm.axios.defaults.headers.common['Authorization'] = 'Bearer ' + response.data.token;
      localStorage.setItem('bearer', vm.axios.defaults.headers.common['Authorization']);
      vm.$store.commit('updateUserData');
    }
  }, function (error) {
    console.log(error.message)
  }).then(function () {
    vm.logging = false;
  });
});

CORS

'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_methods' => ['*'],
'allowed_origins' => ['*'],
'allowed_origins_patterns' => [],
'allowed_headers' => ['*'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => true,

KERNEL

protected $middleware = [
    // \App\Http\Middleware\TrustHosts::class,
    \App\Http\Middleware\TrustProxies::class,
    \Fruitcake\Cors\HandleCors::class,
    \App\Http\Middleware\CheckForMaintenanceMode::class,
    \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
    \App\Http\Middleware\TrimStrings::class,
    \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
];

/**
 * The application's route middleware groups.
 *
 * @var array
 */
protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        // \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],

    'api' => [
        EnsureFrontendRequestsAreStateful::class,
        'throttle:60,1',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];
Inigo EC
  • are these routes in `api.php`? – lagbox Sep 27 '20 at 18:00
  • Yes they are @lagbox - yes, except the first `sanctum/csrf-cookie` one, but it's in the CORS path array – Inigo EC Sep 27 '20 at 18:10
  • gotcha, usually 419 is the verification of the csrf token failing but if you are hitting an api route and have not adjusted the middleware group to include that middleware, that shouldn't be the issue – lagbox Sep 27 '20 at 18:12
  • It is linked to the csrf token for sure, but I don't know what should I do? It's working fine on the browser, but when launching it from the mobile app it fails. Not sure what is preventing Laravel from letting the request continue its path – Inigo EC Sep 27 '20 at 18:17
  • you should not need a csrf token at all if you are making POSTs to the routes in api ... as the `VerifyCsrfToken` middleware is the only thing checking for it and it is only applied to the `web` group (by default) and not the `api` group (by default) ... unless something with sanctum is expecting one for some reason – lagbox Sep 27 '20 at 18:20
  • So `sanctum/csrf-cookie` gets called and returns a 200, but then `/api/login/employee` returns a 419 (only on Android), and that route is out of any middleware. It should be super accessible. I am very confused. – Inigo EC Sep 27 '20 at 18:37
  • Added the Kernel code – Inigo EC Sep 27 '20 at 18:38
  • the csrf token middleware is being applied ... that middleware you are showing turns your stateless api into a stateful api if the request comes from the front end ... perhaps the session cookie isn't being sent https://github.com/laravel/sanctum/blob/09964e858797b2e532731abf250189451df0cd20/src/Http/Middleware/EnsureFrontendRequestsAreStateful.php#L31 – lagbox Sep 27 '20 at 18:52
  • No cookies are being set and therefore not sent (in the Android app). Should I simply remove the EnsureFrontendRequestsAreStateful middleware from the kernel, or would that be risky? – Inigo EC Sep 27 '20 at 19:19
  • I don't see the point of that middleware at all, you are sending a bearer token and you are not using sessions ... but I also don't use this stuff nor do I see a purpose for it in general so I could be wrong ... I would have to defer to someone who actually uses Sanctum and why they are using it – lagbox Sep 27 '20 at 19:46
  • Thanks lagbox! Very helpful chat - if you answer it I'm happy to mark it as correct – Inigo EC Sep 27 '20 at 20:20
  • np, though I am not really that helpful in this matter ... feel free to answer it yourself with what you did ... not sure if removing that middleware completely is the best for when the actual front needs to be using this or not, but as long as you have it working it's all good :) – lagbox Sep 27 '20 at 20:23

0 Answers