CSRF token mismatch randomly occurs with auth since installing Pulse

[sts-ryan-holton]

Pulse Version

1.0.0-beta5

Laravel Version

10.37.3

PHP Version

8.1.26

Livewire Version

Whatever Pulse is using

Database Driver & Version

Maria DB

Description

Recently I installed Laravel Pulse into my Laravel project. My Laravel project uses Laravel Sanctum and Laravel Fortify for authentication and registration. My Laravel project acts exclusively as an API backend to a Nuxt JS 2 front-end. My Nuxt front-end utilises v5 of the auth module.

Ever since I installed Pulse into my proect I've been seeing a few random "CSRF token mismatch" errors occur which I never saw prior to installing Pulse.

Steps To Reproduce

When I first saw the error, I couldn't log in at all, so I SSH'd into my server and set PULSE_ENABLED to false, ran php artisan cache:clear and then I was able to log in again. I think there might be something wrong somewhere in Pulse which is conflicting with another package like Sanctum.

I'm using the Redis ingest in my project, and saving pulse entries to my production database, I don't use a separate database. I do use a Horizon queue.

[crynobone]

Are you using redis for session as well and did redis server memory usage maxed out when you faced this issue?

[sts-ryan-holton]

I'm not using Redis for sessions, and memory usage of my Redis node has remained between 50%-60% continuously over the past 14 daya

[timacdonald]

@sts-ryan-holton do you know if this is only happening to users that visit the /pulse dashboard?

I'm wondering if Livewire, which is used on the dashboard, is somehow causing the token to be regenerated or something.

Have you anything custom in your application around generating / regenerating CSRF tokens?

[jessarcher]

Also curious about what middleware is used on the Pulse route vs. the other routes

[sts-ryan-holton]

This is happening on non-pulse routes. But I suspect Pulse might be causing this. For example, since I've got Laravel Fortifg and Sanctum in my project, if I try to log in via my front-end, it first makes a request to the sanctum csrf-token endpoint, but this occasionally fails and throws the mismatch error.

This has only started happening since installing Pulse, and prior to this I've had sanctum/fortify in my project for the past 2 years no problem.

I don't do anything custom with my tokens.

[sts-ryan-holton]

Just jumping back in here, I've had several reports from customers within my platform since creating this issue. I've just experienced the CSRF token mismatch error again just now, here's something interesting:

1. Add PULSE_ENABLED=false to .env
2. Run php artisan config:clear
3. Log in is successful

However...

Without setting PULSE_ENABLED=false, strangely it works if I clear my browser cache - not ideal for users. There's certainly something with Pulse affecting the auth/sanctum in some way.

[waazibf]

Hello, i also have the same problem.

When i have PULSE_ENABLED=true i have an error

production.ERROR: No application encryption key has been specified. {"exception":"[object] (Illuminate\\Encryption\\MissingAppKeyException(code: 0): No application encryption key has been specified.

only on login/logout process.

my config is not cached but when i cache my config, and test, the error don't appear. I add that caching config not appropriate for my application needs.

I have also run several time php artisan config:clear php artisan key:generate

Pulse Version
1.0.0-beta11

Laravel Version
10.43.0

PHP Version
8.1.13

Database Driver
postgres

[timacdonald]

@waazibf are you also using Laravel Sanctum? This seems like it may be a different issue as you error is related to encryption and not CSRF expiration?

[waazibf]

Yes, I have laravel sanctum for API-side authentication. However, the problem only occurs when login/logout on the web.

I initially thought it was due to the csrf but when I'm logged and handling other forms using the csrf, there are no problems.

I have the impression that during login/logout, the application can't read the APP_KEY parameter of the env.

However, when the config is cached the error doesn't occur during login/logout.

[timacdonald]

I'm struggling to work out what could be causing this one. If either of you could create a reproduction repository, that would be much appreciated.

I'm also wondering if maybe Pulse is silently discarding an exception of something under the hood that might shed some more information on the problem.

Could you both add some Pulse exception logging and see if that gives you any further insights: https://laravel.com/docs/11.x/pulse#pulse-exceptions

[timacdonald]

Unfortunately I'm not able to replicate this one. We are happy to dive into it, but will need some more information on the potential cause if anyone it able to do any debugging on the issue.

Ping the thread if you have any insights and we can always reopen the issue.