
@kevalyq (Contributor) commented Nov 22, 2025

Summary

Configures Laravel Sanctum for SPA authentication mode and sets up CORS to allow credential-based requests from the frontend domain. This replaces insecure localStorage token storage with httpOnly cookie-based authentication.

Related Issues

Fixes #209
Part of: SecPal/frontend#208

Changes

Configuration

  • Sanctum SPA Mode: Published Sanctum config with stateful domains (localhost:5173, localhost:3000, production domains)
  • Session Driver: Changed from database to cookie for SPA authentication
  • Cookie Security: Configured httpOnly, secure (production), and sameSite=lax
  • CORS Setup: Allow credentials from frontend domains with explicit origin whitelist

Environment Variables

Added to .env.example:

  • SANCTUM_STATEFUL_DOMAINS - Frontend domains for stateful auth
  • SESSION_DRIVER=cookie - Cookie-based sessions
  • SESSION_HTTP_ONLY=true - JavaScript cannot access cookies
  • SESSION_SAME_SITE=lax - CSRF protection
  • CORS_ALLOWED_ORIGINS - Frontend domains
  • CORS_SUPPORTS_CREDENTIALS=true - Allow cookies in CORS requests
  • CORS_ALLOWED_HEADERS - Include X-XSRF-TOKEN for CSRF

Testing

  • New comprehensive test suite: SanctumSpaConfigTest
  • Verifies Sanctum configuration (stateful domains, CSRF middleware, guards)
  • Verifies session configuration (cookie driver, httpOnly, sameSite)
  • All existing tests pass (452 tests, 1403 assertions)

Acceptance Criteria

  • config/sanctum.php configured with SANCTUM_STATEFUL_DOMAINS
  • .env.example updated with required Sanctum variables
  • config/cors.php allows credentials (supports_credentials: true)
  • CORS configuration allows frontend domain (localhost:5173 for dev, secpal.app for prod)
  • API routes use auth:sanctum middleware (already in place)
  • Tests verify Sanctum middleware works
  • PHPStan passes
  • Pint passes
  • All existing tests pass

Security Considerations

  • httpOnly cookies: Token inaccessible to JavaScript (XSS protection)
  • sameSite=lax: CSRF attack mitigation
  • Explicit CORS origins: No wildcard * when credentials enabled
  • CSRF token endpoint: /sanctum/csrf-cookie for state-changing requests

Next Steps

Testing Commands

ddev exec php artisan test --filter=SanctumSpaConfigTest
ddev exec php artisan test  # All tests
ddev exec vendor/bin/phpstan analyze
ddev exec vendor/bin/pint --test --dirty

References

- Publish and configure Sanctum config with stateful domains
- Set session driver to cookie for SPA authentication
- Configure CORS to allow credentials from frontend domains
- Add httpOnly, secure, and sameSite cookie settings
- Add comprehensive tests for Sanctum SPA configuration
- Update .env.example with Sanctum and CORS variables

Fixes #209
Part of: SecPal/frontend#208
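The CORS half of the configuration described in the summary above, written out as an added example. This is not the PR's config/cors.php: the env variable names follow the .env.example list above, the example origins are the dev and prod hosts named in the acceptance criteria, and the fail-fast guard at the top is my own addition. The Sanctum side follows the same pattern in config/sanctum.php, except that SANCTUM_STATEFUL_DOMAINS holds bare hosts (localhost:5173, secpal.app) while CORS_ALLOWED_ORIGINS needs scheme-qualified origins (http://localhost:5173); the two lists must describe the same frontends or the SPA gets CORS headers but no CSRF cookie, or vice versa.

```php
<?php
// config/cors.php (added illustration, not the project's file).
// Laravel's HandleCors middleware reads this array on every request whose path
// matches 'paths'. Variable names are taken from the PR's .env.example.

// Comma-separated list of scheme-qualified origins; trimmed so a stray space
// in .env never silently drops a frontend from the whitelist.
$origins = array_values(array_filter(array_map(
    'trim',
    explode(',', (string) env('CORS_ALLOWED_ORIGINS', 'http://localhost:5173'))
)));

$supportsCredentials = (bool) env('CORS_SUPPORTS_CREDENTIALS', true);

// Fail at boot (and at `config:cache`) rather than ship a credentialed wildcard.
// Browsers refuse Access-Control-Allow-Origin: * when credentials are sent, so a
// '*' config that appears to "work" is reflecting the request Origin, which
// hands cookie-backed API access to any site. This guard is an added check.
if ($supportsCredentials && in_array('*', $origins, true)) {
    throw new RuntimeException(
        'CORS_ALLOWED_ORIGINS must list explicit origins when CORS_SUPPORTS_CREDENTIALS=true'
    );
}

return [
    // Only the routes the SPA calls need CORS headers. 'sanctum/csrf-cookie'
    // must be in here or the token-priming GET is blocked by the browser.
    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    'allowed_methods' => ['*'],

    // Explicit origin whitelist, e.g. "http://localhost:5173,https://secpal.app".
    // WEAK alternative, rejected above: 'allowed_origins' => ['*'].
    'allowed_origins' => $origins,

    // Patterns are also matched by origin; leave empty unless you need wildcards
    // for preview deployments, and then anchor them (^https://pr-\d+\.example$).
    'allowed_origins_patterns' => [],

    // X-XSRF-TOKEN is not a CORS-safelisted header, so it must be listed here
    // or every state-changing request fails its preflight.
    'allowed_headers' => array_map('trim', explode(',', (string) env(
        'CORS_ALLOWED_HEADERS',
        'Content-Type,X-Requested-With,X-XSRF-TOKEN,Accept'
    ))),

    'exposed_headers' => [],

    'max_age' => 0,

    // Lets the browser attach the httpOnly session cookie to cross-origin
    // fetch/axios calls that set credentials: 'include' / withCredentials.
    'supports_credentials' => $supportsCredentials,
];
```

The order of evaluation matters for the guard: it runs when the config file is loaded, so a deployment with a bad `CORS_ALLOWED_ORIGINS` fails on first request (or during `php artisan config:cache` in CI) instead of after a penetration test finds it.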
codecov bot commented Nov 22, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.


@kevalyq kevalyq marked this pull request as ready for review November 22, 2025 23:38
Copilot AI review requested due to automatic review settings November 22, 2025 23:38
Copilot finished reviewing on behalf of kevalyq November 22, 2025 23:40
Copilot AI left a comment

Pull request overview

This PR configures Laravel Sanctum for SPA authentication mode, replacing insecure localStorage token storage with httpOnly cookie-based authentication. The changes include publishing Sanctum config with stateful domains, updating session configuration for cookie-based storage, configuring CORS to allow credential-based requests, and adding comprehensive test coverage.

Key Changes:

  • Published Sanctum configuration with stateful domains for SPA authentication
  • Changed session driver from database to cookie-based storage
  • Configured CORS to support credentials with explicit origin whitelist
  • Added comprehensive test suite to verify Sanctum and session configuration

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:

  • config/sanctum.php: New Sanctum configuration with stateful domains, guards, and middleware for SPA authentication
  • config/cors.php: New CORS configuration allowing credentials from frontend domains with explicit origin whitelist
  • bootstrap/app.php: Added empty CSRF exception list with clarifying comment about Sanctum handling CSRF
  • .env.example: Updated with session cookie settings and new Sanctum/CORS environment variables
  • tests/Feature/Auth/SanctumSpaConfigTest.php: New comprehensive test suite verifying Sanctum configuration, session settings, and CORS setup
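The review above notes that the PR's test file checks configuration values. An added example of a companion feature test, not the PR's SanctumSpaConfigTest, that exercises the runtime contract those values are supposed to produce: the csrf-cookie endpoint, the preflight response for a listed and an unlisted origin, and the alignment between the CORS and Sanctum lists. It assumes the testing environment (phpunit.xml or .env.testing) sets the same CORS_*, SANCTUM_STATEFUL_DOMAINS and SESSION_* variables as .env.example; the class name and the rogue origin are mine. Note that Laravel skips CSRF token validation while running tests, so a 419 for a token-less POST cannot be asserted this way; the test instead checks that the token cookie is readable by JavaScript and the session cookie is not.

```php
<?php
// tests/Feature/Auth/SpaCookieContractTest.php (added example, not the PR's test).

namespace Tests\Feature\Auth;

use Tests\TestCase;

class SpaCookieContractTest extends TestCase
{
    // Origin that is NOT in CORS_ALLOWED_ORIGINS; constructed for the test.
    private string $rogueOrigin = 'https://attacker.example';

    /** First whitelisted origin, taken from config so the test follows the env. */
    private function allowedOrigin(): string
    {
        $origins = config('cors.allowed_origins');
        $this->assertNotEmpty($origins, 'CORS_ALLOWED_ORIGINS is empty');

        return $origins[0];
    }

    public function test_csrf_cookie_endpoint_primes_token_and_httponly_session(): void
    {
        $response = $this->get('/sanctum/csrf-cookie');
        $response->assertNoContent();

        // XSRF-TOKEN is deliberately readable by JS (httpOnly=false): the SPA
        // copies it into the X-XSRF-TOKEN header. Raw cookie, no decryption needed
        // because only the attributes are checked.
        $xsrf = $response->getCookie('XSRF-TOKEN', false);
        $this->assertNotNull($xsrf, 'XSRF-TOKEN cookie not set');
        $this->assertFalse($xsrf->isHttpOnly());
        $this->assertSame('lax', strtolower((string) $xsrf->getSameSite()));

        // The session cookie is the credential and must stay out of reach of JS.
        $session = $response->getCookie(config('session.cookie'), false);
        $this->assertNotNull($session, 'session cookie not set');
        $this->assertTrue($session->isHttpOnly());
        $this->assertSame('lax', strtolower((string) $session->getSameSite()));
    }

    public function test_preflight_from_listed_origin_is_granted_with_credentials(): void
    {
        $origin = $this->allowedOrigin();

        $response = $this->withHeaders([
            'Origin' => $origin,
            'Access-Control-Request-Method' => 'GET',
            'Access-Control-Request-Headers' => 'x-xsrf-token',
        ])->options('/sanctum/csrf-cookie');

        $response->assertNoContent();
        // The exact origin is echoed; a literal '*' here would be unusable with cookies.
        $response->assertHeader('Access-Control-Allow-Origin', $origin);
        $response->assertHeader('Access-Control-Allow-Credentials', 'true');
    }

    public function test_preflight_from_unlisted_origin_gets_no_grant(): void
    {
        $response = $this->withHeaders([
            'Origin' => $this->rogueOrigin,
            'Access-Control-Request-Method' => 'GET',
        ])->options('/sanctum/csrf-cookie');

        // HandleCors answers the preflight but must not reflect the rogue origin.
        $response->assertHeaderMissing('Access-Control-Allow-Origin');
        $response->assertHeaderMissing('Access-Control-Allow-Credentials');
    }

    public function test_cors_origins_and_sanctum_stateful_domains_line_up(): void
    {
        $this->assertSame('cookie', config('session.driver'));
        $this->assertTrue(config('session.http_only'));
        $this->assertSame('lax', config('session.same_site'));
        $this->assertTrue(config('cors.supports_credentials'));
        $this->assertNotContains('*', config('cors.allowed_origins'));

        // Sanctum decides "stateful" by the Referer/Origin host[:port], without
        // scheme. Every CORS origin must therefore appear there in host form, or
        // requests from that frontend get CORS headers but no session/CSRF handling.
        foreach (config('cors.allowed_origins') as $origin) {
            $host = parse_url($origin, PHP_URL_HOST);
            $port = parse_url($origin, PHP_URL_PORT);
            $stateful = $port ? "{$host}:{$port}" : $host;

            $this->assertContains(
                $stateful,
                config('sanctum.stateful'),
                "CORS origin {$origin} has no matching entry in SANCTUM_STATEFUL_DOMAINS"
            );
        }
    }
}
```

Run it with the same command shape the PR lists: `ddev exec php artisan test --filter=SpaCookieContractTest`. One property no config assertion can show: with the cookie session driver the session state lives inside the encrypted cookie, so there is no server-side record to revoke; a copied session cookie stays valid until it expires even after the user logs out, which is a trade-off to decide on, not a misconfiguration.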

Improve comment to clarify that CSRF protection is active and
Sanctum middleware handles validation for authenticated SPA routes.
The previous comment was misleading and suggested CSRF was disabled.

Addresses Copilot review feedback.
@kevalyq kevalyq merged commit 4cb0151 into main Nov 22, 2025
16 checks passed
@kevalyq kevalyq deleted the feat/sanctum-spa-config branch November 22, 2025 23:46
Successfully merging this pull request may close these issues.

Backend PR-1: Sanctum SPA Configuration & CORS Setup

2 participants