
Inside VerifyCsrfToken.php, in the tokensMatch() method, the hash_equals($request->session()->token(), $token); call is giving me a 419 error. I am building a SPA with React and a Laravel Sanctum API, making a manual fetch GET request to retrieve the CSRF token from the built-in endpoint and sending it with a fetch POST, in order to build a page that registers and logs in automatically. The thing is that $request->session()->token() changes on each request but $token does not. $request->session()->token() is generated by the framework (I guess) and $token is the decrypted XSRF-TOKEN that I sent to this API in the POST request. So hash_equals($request->session()->token(), $token); always mismatches because I have a fixed token and a variable one. I am new to Laravel, so I was just taking the code apart piece by piece until I reached this point and got stuck.

It is as if the fetch GET request to 'http://localhost:8000/sanctum/csrf-cookie' always sends me the same CSRF token. Is that how it is supposed to work?

    // Laravel's VerifyCsrfToken middleware: the token stored in the current session
    // must match the token the client sent (form field or X-XSRF-TOKEN header).
    protected function tokensMatch($request)
    {
        $token = $this->getTokenFromRequest($request);

        return is_string($request->session()->token()) &&
               is_string($token) &&
               hash_equals($request->session()->token(), $token);
    }

By the way, this is the fetch POST request in React:

    // Cross-origin requests only carry the session and XSRF-TOKEN cookies with
    // credentials: 'include'; without it every request starts a fresh session,
    // so $request->session()->token() is different each time.
    const response = await fetch(url, {
        method: 'post',
        credentials: 'include',
        body: formData,
        headers: {
            'Content-Type': 'application/json',
            // the cookie value is URL-encoded, so decode it before echoing it back
            'X-XSRF-TOKEN': decodeURIComponent(tokenCookie['XSRF-TOKEN']),
        },
    });

If you are wondering what decodeURIComponent(tokenCookie['XSRF-TOKEN']) is for: Chrome adds some characters (%3D) at the end of the CSRF token string that comes back from the GET request; I don't know why.

I just want to fix that hash_equals() problem.

Brian Tompsett - 汤莱恩
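The Sanctum SPA flow the question describes, written out as an added example (not the asker's code and not Laravel's own): fetch the csrf-cookie endpoint with cookies enabled, read the URL-encoded XSRF-TOKEN cookie, and post with the decoded value in X-XSRF-TOKEN while still sending the session cookie, so the session token compared in tokensMatch() is the one that was issued. API_BASE, the /login path and the injectable fetch and cookie reader are assumptions for illustration.

```javascript
// Assumption: the API from the question; the SPA origin must also be in Sanctum's
// stateful domains and allowed by the API's CORS config (supports_credentials).
const API_BASE = 'http://localhost:8000';

// Parse a document.cookie-style string into a name -> raw value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// The XSRF-TOKEN cookie value is URL-encoded (base64 "=" padding arrives as %3D),
// so it must be decoded before being echoed back in the header.
function readXsrfToken(cookieString) {
  const raw = parseCookies(cookieString)['XSRF-TOKEN'];
  return raw === undefined ? null : decodeURIComponent(raw);
}

// fetch options for a JSON POST that VerifyCsrfToken will accept: credentials: 'include'
// sends the laravel_session cookie, so $request->session()->token() is the same token
// that was issued together with the XSRF-TOKEN cookie instead of a fresh one per request.
function csrfPostOptions(token, payload) {
  return {
    method: 'POST',
    credentials: 'include',
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json',
      'X-XSRF-TOKEN': token,
    },
    body: JSON.stringify(payload),
  };
}

// Full flow; fetchFn and readCookies are injected (window.fetch / document.cookie in a
// browser) so the logic can be exercised outside one.
async function loginWithCsrf(payload, fetchFn, readCookies) {
  await fetchFn(`${API_BASE}/sanctum/csrf-cookie`, { credentials: 'include' });
  const token = readXsrfToken(readCookies());
  if (!token) throw new Error('XSRF-TOKEN cookie not set: check stateful domains and CORS');
  return fetchFn(`${API_BASE}/login`, csrfPostOptions(token, payload)); // assumed path
}
```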

0 Answers