
So I am trying to configure Sanctum so that I would have CSRF protection for my API routes so that only my SPA's frontend would be able to make requests to it.

After following the documentation and doing the instructions in this part of the documentation, I still don't think that I have the CSRF protection properly set up.

I know this since I was able to make a request to routes under the auth:sanctum middleware such as the following route.

use Illuminate\Http\Request;
 
Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

I am able to make a request using Postman to my login route without the XSRF-Token and it is returning a response, which concerns me, as I expect to encounter a CSRF Token Mismatch exception or anything similar to that, but I am receiving no such errors.

Am I misunderstanding something or just haven't configured Sanctum properly?

Jheems

2 Answers


Turns out I had my Sanctum misconfigured and had to reconfigure it and place the authorization routes in web.php.

Jheems

Use it in your app\Http\Kernel.php file:

'api' => [
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
],

I hope this will help.

Codemaker2015
  • Thanks for the response, I have already included that in the middleware stack but still experience the issue. – Jheems Jul 01 '23 at 12:25
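The following is an added example, not code from the question or from either answer, showing how the two pieces mentioned on this page (EnsureFrontendRequestsAreStateful in the api middleware group, and the login/logout routes living in web.php) fit together in a Laravel 10 application with Sanctum installed. The hostname spa.example.test and the route bodies are constructed for the example. One point the comments make explicit: EnsureFrontendRequestsAreStateful only runs the session and CSRF pipeline when the request's Referer or Origin host matches an entry in config('sanctum.stateful'); a Postman call that sends neither header is treated as a plain token-based API request, so the absence of a CSRF mismatch on such a call is expected behaviour rather than proof that CSRF protection is off. The guarantee for the SPA comes from VerifyCsrfToken in the web group (for routes in web.php) and from the stateful check (for routes in api.php).

```php
<?php
// Added example (not the asker's or answerers' code). Assumes a Laravel 10 app
// with Sanctum installed and a SPA served from spa.example.test (constructed
// hostname); adjust file paths, hostnames and handlers to your own project.

// ---------- config/sanctum.php (excerpt) ----------
// Only requests whose Referer/Origin host matches one of these domains are
// "frontend" requests: for them Sanctum starts the session and verifies the
// XSRF-TOKEN cookie against the X-XSRF-TOKEN header. Requests without those
// headers (e.g. Postman) fall through to Bearer-token authentication instead.
return [
    'stateful' => explode(',', env(
        'SANCTUM_STATEFUL_DOMAINS',
        'localhost,127.0.0.1,spa.example.test'
    )),
    'guard' => ['web'],
    'expiration' => null,
    'middleware' => [
        'verify_csrf_token' => App\Http\Middleware\VerifyCsrfToken::class,
        'encrypt_cookies' => App\Http\Middleware\EncryptCookies::class,
    ],
];

// ---------- app/Http/Kernel.php (excerpt) ----------
class Kernel extends \Illuminate\Foundation\Http\Kernel
{
    protected $middlewareGroups = [
        // The 'web' group carries VerifyCsrfToken, so every route placed in
        // routes/web.php is CSRF-checked on every request, whatever its origin.
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
        // The 'api' group gets Sanctum's stateful middleware (as the second
        // answer shows); it applies the session + CSRF pipeline only to requests
        // from a stateful domain listed above.
        'api' => [
            \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
            \Illuminate\Routing\Middleware\ThrottleRequests::class.':api',
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];
}

// ---------- routes/web.php (excerpt) ----------
// Login/logout live in web.php (as the accepted answer did) so VerifyCsrfToken
// applies. The SPA first GETs /sanctum/csrf-cookie, then echoes the XSRF-TOKEN
// cookie value back in the X-XSRF-TOKEN header on this POST.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

Route::post('/login', function (Request $request) {
    $credentials = $request->validate([
        'email' => ['required', 'email'],
        'password' => ['required'],
    ]);

    if (! Auth::attempt($credentials)) {
        return response()->json(['message' => 'Invalid credentials.'], 422);
    }

    $request->session()->regenerate();   // rotate the session id after login

    return response()->noContent();
});

Route::post('/logout', function (Request $request) {
    Auth::guard('web')->logout();
    $request->session()->invalidate();
    $request->session()->regenerateToken();

    return response()->noContent();
});

// ---------- routes/api.php (excerpt) ----------
// Protected resources stay in api.php behind auth:sanctum. A stateful-domain
// request is authenticated through the session cookie (after the CSRF check);
// any other caller must present a Bearer token, which is the path a Postman
// request without Origin/Referer headers takes.
Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});
```

To confirm the configuration from the SPA side, send the login POST once with the X-XSRF-TOKEN header and once without it from a page served on a stateful domain; only the second should fail with a 419 token mismatch. A client that sends no Origin or Referer at all is not exercising the CSRF path, so it is not a useful check for this setting.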