
I'm using Postman to test the API I'm building in Laravel 10, with auth via Sanctum.

The weird thing is, in the documentation:

In addition, since your application already made a request to the /sanctum/csrf-cookie route, subsequent requests should automatically receive CSRF protection as long as your JavaScript HTTP client sends the value of the XSRF-TOKEN cookie in the X-XSRF-TOKEN header.

Of course, if your user's session expires due to lack of activity, subsequent requests to the Laravel application may receive 401 or 419 HTTP error response. In this case, you should redirect the user to your SPA's login page.

While for me, in Postman (and in several answers I found on here and Reddit), it works like the following: before login -> get new token (makes sense). Postman script saves the token into a variable, PM uses it in all headers.

When trying to log out: CSRF token mismatch?

Same for POST / PATCH. Weirdly, protected GET routes do work without the header.

I can make it work; I just need to get the new token in the pre-script before any POST / PATCH request.

I'm asking here for three reasons:

  1. Is this expected behaviour / safe code?
  2. Have I missed something in the documentation? It quite explicitly says I don't need to get a new token until it expires.
  3. Is this configured in Laravel, common knowledge about tokens / cookies I don't know of, or is Laravel actually sending a new token that I need to set, just not required with GETs?

Sorry for the newb question, but I'd really like to understand what I'm creating not just mindlessly copying code that worked for someone else.

Thank you!

  • Are you sure your routes use the `api` middleware and not `web`? Passing the bearer token should be enough for any route – kris gjika Aug 16 '23 at 09:22
  • I'm not using a bearer token (API key), but the CSRF auth method as linked above. And that's using the web.php initially, for reasons described in the docu. The rest (not auth) routes are defined and called on /api (api.php), using middleware auth:sanctum there too. Web.php is basically empty – onemorecoffee Aug 16 '23 at 10:44
  • Are you including the CSRF token in the headers? – kris gjika Aug 16 '23 at 11:40
  • I am, but for the GET it worked without it. Now implementing it in ReactJS, so there I can have another go at it. We'll see. – onemorecoffee Aug 16 '23 at 16:41
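The following is an added example written for this page; it is not code from the question, from Postman, or from Laravel/Sanctum. It models the Sanctum SPA flow the question describes on both sides: the client reads the `XSRF-TOKEN` cookie that `/sanctum/csrf-cookie` sets, URL-decodes it and echoes it in the `X-XSRF-TOKEN` header, and the server compares that header with the token bound to the session. Two facts about Laravel's `VerifyCsrfToken` middleware are built in: it skips `GET`, `HEAD` and `OPTIONS` (which is why protected GET routes work without the header), and the cookie value arrives URL-encoded, so a trailing `=` shows up as `%3D` and must be decoded before it is put in the header. Assumptions: the session token is kept in plaintext here (real Laravel stores an encrypted value in the cookie and decrypts the header), the `Set-Cookie` lines and the session token are constructed sample data, and `verifyCsrf` is a simplified stand-in for the middleware, not its code.

```javascript
// Added example (not from the question or from Laravel/Sanctum): a model of the
// double-submit CSRF check behind Sanctum's SPA authentication.

// Return the raw (still URL-encoded) value of `name` from a list of Set-Cookie headers.
function cookieFromSetCookie(setCookieHeaders, name) {
  for (const header of setCookieHeaders) {
    const pair = header.split(";")[0];
    const eq = pair.indexOf("=");
    if (eq === -1) continue;
    if (pair.slice(0, eq).trim() === name) return pair.slice(eq + 1).trim();
  }
  return null;
}

// The cookie value is URL-encoded on the wire (a trailing "=" arrives as "%3D");
// the header must carry the decoded value, which is what axios does automatically.
function xsrfHeaderFromCookie(rawCookieValue) {
  return decodeURIComponent(rawCookieValue);
}

// Methods Laravel's VerifyCsrfToken middleware treats as "reading" and does not check.
const READING_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Constant-time string comparison so the check does not leak how many leading
// characters of the token were right.
function timingSafeEqualStr(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Simplified server-side check (assumption: plaintext token, no encryption layer).
// Returns the HTTP status the request would get; 419 is the "token mismatch" status
// mentioned in the question.
function verifyCsrf(method, headers, sessionToken) {
  if (READING_METHODS.has(method.toUpperCase())) return 200;
  const presented = headers["X-XSRF-TOKEN"] || headers["X-CSRF-TOKEN"];
  if (!presented || !sessionToken) return 419;
  return timingSafeEqualStr(presented, sessionToken) ? 200 : 419;
}

// Constructed sample data: a session token with a trailing "=" so that URL-encoding
// visibly changes it, and the Set-Cookie headers /sanctum/csrf-cookie would return.
const SESSION_TOKEN = "eyJpdiI6ImNvbnN0cnVjdGVkIiwidmFsdWUiOiJkZW1vIn0=";
const SAMPLE_SET_COOKIE = [
  "XSRF-TOKEN=" + encodeURIComponent(SESSION_TOKEN) + "; path=/; samesite=lax",
  "laravel_session=constructed-session-id; path=/; httponly; samesite=lax",
];

// Walk through the four cases the question describes and return their statuses.
function runScenario() {
  const rawCookie = cookieFromSetCookie(SAMPLE_SET_COOKIE, "XSRF-TOKEN");
  return {
    // Reads are not checked at all, so a GET without the header passes.
    getNoHeader: verifyCsrf("GET", {}, SESSION_TOKEN),
    // A state-changing request without the header is rejected.
    postNoHeader: verifyCsrf("POST", {}, SESSION_TOKEN),
    // Echoing the cookie value without decoding it ("%3D" instead of "=") is a mismatch.
    postRawCookie: verifyCsrf("POST", { "X-XSRF-TOKEN": rawCookie }, SESSION_TOKEN),
    // The decoded value matches the session token and passes.
    postDecoded: verifyCsrf(
      "POST",
      { "X-XSRF-TOKEN": xsrfHeaderFromCookie(rawCookie) },
      SESSION_TOKEN
    ),
  };
}
```

In Postman the client half of this is a pre-request script that reads `XSRF-TOKEN` from the cookie jar, decodes it and sets `X-XSRF-TOKEN`, while the `laravel_session` cookie travels with the request unchanged; the comparison is against the token bound to that session, so the header is useless without the session cookie. Laravel re-sends the `XSRF-TOKEN` cookie on every response, so reading the current cookie value before each request, as a browser client does, is enough; a separate round-trip to `/sanctum/csrf-cookie` before every POST is not required.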

0 Answers