
CSRF #32

Closed
roni-estein opened this issue Jul 16, 2019 · 15 comments

Comments

@roni-estein

Just source diving this, to determine if converting an existing laravel vue turbolinks site would be easily accomplished. One of the things I had to deal with was CSRF; can you point out where you handle that? I notice the middleware is still in pingcrm, but I've had some trouble figuring out where you are handling that.

Thanks.

@CrucialDeveloper

CrucialDeveloper commented Jul 26, 2019

I am running into the same issue. To get past it for now, I am overriding the sendLoginResponse method in the LoginController to comment out the $request->session()->regenerate(); line.

public function sendLoginResponse(Request $request)
{
    // Workaround: session regeneration disabled
    // $request->session()->regenerate();

    $this->clearLoginAttempts($request);

    return $this->authenticated($request, $this->guard()->user())
        ?: redirect()->intended($this->redirectPath());
}

Not sure of the other implications at this point, but at least I can login and make successful requests.

@Juhlinus
Contributor

Juhlinus commented Aug 3, 2019

Hey, @roni-estein and @johnlowery!

Have a look at this PR on the inertia repository.

inertiajs/inertia@76adc2c

Namely, lines 39-42 in src/inertia.js as well as line 72 in that same file.

I hope this will help you on your way.

@reinink
Member

reinink commented Aug 3, 2019

Folks, CSRF protection with Inertia is REALLY simple in Laravel. Yes, you need the CSRF middleware, which is enabled by default. This middleware automatically adds an XSRF-TOKEN cookie to your responses.

That is all you need. You don't need a CSRF meta in your header. You don't need a bootstrap.js file with this stuff. You don't need to add CSRF tokens to your forms as inputs, or to your form submissions at all.

The reason why is that Axios automatically reads the XSRF-TOKEN value from the cookie and adds it to all Inertia (and other xhr) requests.

This is the preferred method of dealing with CSRF tokens, since it refreshes on every single request, and JavaScript always has the latest version.

I hope that helps!

@reinink reinink closed this as completed Aug 3, 2019
@CrucialDeveloper

Thanks for the clarification! And thank you for producing Inertiajs.

@reinink
Member

reinink commented Aug 3, 2019

@johnlowery My pleasure! 🙌

@reinink
Member

reinink commented Aug 27, 2019

A nice update here. As of six days ago, Laravel has removed all the manual Axios X-CSRF-TOKEN header stuff from bootstrap.js and is now relying solely on the above mentioned behaviour. 👌

laravel/laravel#5083

@CrucialDeveloper

This definitely simplified things. Thanks for the follow-up!

@bakerkretzmar
Contributor

bakerkretzmar commented Jan 26, 2020

For anyone else still struggling with this, if you're using Ziggy, make sure you're calling route(...).url() and not just route(...).

https://github.com/inertiajs/inertia-vue/issues/39#issuecomment-494425358

Update: as of Ziggy 1.0, route() returns a string if you pass it any arguments, so route(...) (no .url()) is fine now.

@daryledesilva

.url()

What I was looking for! Thanks!!

@jcandan

jcandan commented Dec 9, 2021

Getting 419 from this.$inertia.post('/delivery', this.form) via onSubmit(). I see the XSRF-TOKEN cookie in the browser dev tools. Not using any of the tricks mentioned. Not using Ziggy.

The only thing that seems to work is to exclude /delivery from CSRF verification in App\Http\Middleware\VerifyCsrfToken, but this seems insecure, and I would prefer not to do this.

Inertia v0.10.1
Laravel v8.59.0

@jlug331221

I am in the same boat as you @jcandan. Did you find another solution? I keep getting the 419 error when trying to register a user to the application. I am using Laravel Breeze... Anybody else have the 419 error when using Breeze?

@reinink
Member

reinink commented Jan 3, 2022

Hey folks, be sure to read this page: https://inertiajs.com/csrf-protection

In particular:

If you're using Laravel, be sure to omit the csrf-token meta tag from your project, as this will prevent the CSRF token from refreshing properly.

@jcandan

jcandan commented Jan 3, 2022

For me, it turned out to be an Apache configuration; we commented out a v-host Set-Cookie config to fix the issue. I realize this may not be the solution for most folks, but noting it here for posterity.

@jlug331221

@jcandan Don't think that will fix my issue. I am using Laravel Sail/Docker in my local development.

@reinink I have already removed the CSRF token from my blade master template. I also took out the code in the bootstrap.js file (except for lodash). I am intermittently getting the 419 error when registering new users. Sometimes I can register successfully and other times I can't. I need to fix this issue because I fear that my other forms will behave in the same manner.

@amadeann

amadeann commented Nov 6, 2022

A note to my future self or anyone facing a 419 error and looking for potential solutions:

CSRF validation based on X-XSRF-TOKEN from Axios won't work out of the box if cookies are serialized in Laravel. The setting for serializing cookies is in App\Http\Middleware\EncryptCookies (protected static $serialize = true;).

I'm running an older app, and when upgrading it a few years ago to 5.6 I enabled cookie serialization as described in the upgrade docs:
https://laravel.com/docs/5.6/upgrade

Changing the setting to $serialize = false (which is now the default value in Laravel) fixes the issue.
