I've had a long-standing issue with Sanctum that I've finally solved today. Every time I used it I kept getting authorization errors despite following everything in the Docs and reading countless Stack Overflow posts.
Most solutions always revolve around `SANCTUM_STATEFUL_DOMAINS` not being configured correctly. I knew mine were ok.
I've noticed in the past that using a different browser from my default (Firefox) actually works. I've put this down to a weird Firefox bug that would get fixed in the next update. But it never did.
I finally traced the issue to `EnsureFrontendRequestsAreStateful::fromFrontend()` which checks the referer against the stateful domains. It turns out Firefox was not sending the `referer` header. Sure enough in the settings the `network.http.sendRefererHeader` option was set to `0` (off).
Turns out that a VPN Firefox extension (Private Internet Access) decided to turn this off for me as a security measure. It also does the same in the Chrome version.
So it turns out that anyone using these extensions (or any that does the same thing) will not be able to use a website that utilizes Sanctum.
I have noticed the `Origin` header has always been present in the request. Is it possible to also check this header as a backup in case `Referer` does not exist? Or are there issues with the `Origin` header that I'm not aware of?
@dellow we've rejected replacing the Referer header with the Origin header in the past because it'd be a breaking change. But we can allow it to be a fallback header instead. Can you PR that?
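As an added illustration of the fallback being discussed (this is example code, not Sanctum's own implementation, and assumes PHP 8 plus a plain header array and stateful-domain list in place of the framework's request and config objects), the check below matches the Referer host against the stateful domains, uses Origin only when Referer is absent, and stays fail-closed when neither header is present:

```php
<?php
// Added example, not Sanctum's code: decide whether a request comes from a
// configured "stateful" first-party frontend. Referer is consulted first;
// Origin is a fallback for browsers or extensions that strip Referer
// (e.g. network.http.sendRefererHeader = 0). Header names and the
// $stateful list format are assumptions modelled on the discussion above.

/** Reduce a URL-ish header value to lowercase "host[:port]"; null if unusable. */
function hostFromHeader(?string $value): ?string
{
    // Origin may legitimately be the literal string "null" (opaque origin).
    if ($value === null || $value === '' || $value === 'null') {
        return null;
    }
    $parts = parse_url(str_contains($value, '://') ? $value : 'http://' . $value);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    return isset($parts['port']) ? $host . ':' . $parts['port'] : $host;
}

/** Whole-host match (or "*.example.test" wildcard) against the stateful list. */
function matchesStateful(string $host, array $stateful): bool
{
    foreach ($stateful as $pattern) {
        $pattern = strtolower(trim($pattern));
        if ($pattern === '') {
            continue;
        }
        if ($pattern === $host) {
            return true;
        }
        // Wildcard matches subdomains only, never an unrelated suffix.
        if (str_starts_with($pattern, '*.') && str_ends_with($host, substr($pattern, 1))) {
            return true;
        }
    }
    return false;
}

/** Referer first, Origin as fallback; missing both means "not stateful". */
function fromFrontend(array $headers, array $stateful): bool
{
    $host = hostFromHeader($headers['referer'] ?? null)
         ?? hostFromHeader($headers['origin'] ?? null);
    return $host !== null && matchesStateful($host, $stateful);
}

// Constructed samples: a Referer-stripping browser sends only Origin; a
// look-alike host that merely starts with a stateful domain must not match.
$stateful = ['app.example.test', 'localhost:3000', '*.staging.example.test'];
var_dump(fromFrontend(['origin' => 'https://app.example.test'], $stateful));
var_dump(fromFrontend(['referer' => 'https://app.example.test.attacker.test/'], $stateful));
var_dump(fromFrontend([], $stateful));
```

Matching on the parsed host rather than on a string prefix of the raw header is what keeps the Origin fallback from widening the trusted set beyond the configured domains.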