Receiving unauthenticated after successful login and receiving cookies #80
Comments
This is happening to me too in the following project.
Please ask this on a support channel. Thanks.
I have tried all relevant channels multiple times
This seems to be a common issue amongst the people I've talked to in various channels. Would it be possible to look into this, please? It would be appreciated @driesvints
@driesvints we would appreciate it if you stopped closing the issues without pointing to the solution; this is probably a bug. I am getting the unauthenticated response even when the SPA is served directly from the Laravel app.
Did you try setting the
Hello everyone, I managed to get my airlock app working. The problem was that the default AIRLOCK_STATEFUL_DOMAINS value is localhost. This means that if you are using artisan serve you must use localhost:8000 instead of 127.0.0.1:8000.
If anyone needs my code, it is https://github.com/migueldamaso/test-airlock
APP_NAME=Laravel
LOG_CHANNEL=stack
DB_CONNECTION=mysql
BROADCAST_DRIVER=log
REDIS_HOST=127.0.0.1
MAIL_MAILER=smtp
AWS_ACCESS_KEY_ID=
PUSHER_APP_ID=
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
Don't forget the DB credentials
Hey everyone, over the past two months since Airlock was released we have gotten tons of issues involving cookies, CSRF, and other things. Every single one of them was the result of a misconfiguration somewhere or not reading the docs well enough. We have dozens of open source repos to attend. There's still over 300 other issues that need my attention and I can't possibly offer the same attention to every single one of them. This isn't a support channel and we have numerous other channels where there's a large community ready to help you out. Especially the Discord channel and Laracasts forums are very active. Please try to use a support channel. If you find solutions to your problems we'd really appreciate a PR to the docs if something could be explained better. @phiter calling people lazy isn't helping out anyone. We work hard to offer all of this for free.
I also want to add that we appreciate it that you're using Airlock and want to help make it better. I'm genuinely sorry that I can't help out more. If I find some free time later on I'll maybe try to look into this.
If there is a bug, find it and send a PR. Welcome to open source. Airlock is a simple package and doesn't contain much code. Airlock works for me and others and as Dries noted all of these issues have been configuration problems so far. But, we welcome and look forward to PRs to fix any bugs.
Hi guys, I would like to start by saying your efforts and contributions to the industry are greatly appreciated and we do not take them for granted, even though we throw our toys out of the pram here and there; it's not you it's us 😂. I think I might have found the issue that's causing the authentication failure – Airlock's guard is trying to get the user from the 'web' guard which is returning null but switching to the 'api' guard is returning the authenticated user. If it's not a bug then this might be a clue as to why it's failing? Thanks again for the help ✌️
The 'web' guard is used to get the authenticated user instance but this can be changed in the auth config by changing the default guard to anything else. I have made a PR to use the configured default guard but still pass in the 'web' as a fallback. If this isn't the way to go we will need to update the docs to say your default guard should be set to 'web'.
The issue tends to be in one of two areas: the AIRLOCK_STATEFUL_DOMAINS configuration or the auth guard for your routes, which needs to be updated to use airlock
In my case I had the default guard as api, but airlock only works with web so I needed to run
The key issue here is the cookies. You need to manage them manually if you have any hope of making this work in production. For example, if you log in and then attempt to log in again via JS, the guard will identify you as logged in and redirect you to home, which will result in HTML in your data field. Even if you
Hey guys, for me the problem was that I was setting the "SANCTUM_STATEFUL_DOMAINS" to my API domain which sits on port 8000 (localhost:8000). When I changed it to my Vue SPA domain port which is 8080 (localhost:8080) it worked. So maybe just check that.
Did you solve this? I also have this issue. My React JS app lives in the same Laravel project, inside resources/js
Setting 'SANCTUM_STATEFUL_DOMAINS' works for me. Thanks for all the hard work @taylorotwell @driesvints 👍
Try like this: Auth::login($user, true);
I have the same issue with the API at http://api.example.test (Homestead) and my Vue CLI SPA at http://example.test:3000. Don't know how to overcome this issue with the 401 Unauthenticated. Any ideas?
=======================
Turns out that while creating my user in Tinker, for some reason Hash::make('password'); went wrong. So I couldn't authenticate due to a wrong password.
Anyone new, be aware to use SANCTUM_STATEFUL_DOMAINS instead of AIRLOCK_STATEFUL_DOMAINS in your .env file. That's what caught me out. I'm guessing the name of the project changed through development? So some comments are old and use the wrong name.
For anyone having the Unauthenticated error, please ensure you follow these steps.
After this step you will be successfully authenticated by the auth:sanctum middleware in the API route. Other things to be aware of:
This is because of misconfiguring the sanctum and session domains.
SANCTUM_STATEFUL_DOMAINS=localhost:8080,127.0.0.1:8080,localhost:3000,127.0.0.1:3000
SESSION_DOMAIN=localhost
'paths' => ['api/*', 'login', 'register', 'otp/*', 'sanctum/csrf-cookie'],
'supports_credentials' => true,
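As an added example (not Sanctum's or Laravel's own code) of why the host and port in SANCTUM_STATEFUL_DOMAINS must match the SPA's origin exactly, here is a JavaScript model of the check that EnsureFrontendRequestsAreStateful performs. The matching rules (strip the scheme from the Referer or Origin header, append a slash, match against each entry plus "/*" with "*" as a wildcard) are assumed from a simplified reading of the PHP source.

```javascript
// Added example, not Sanctum's or Laravel's own code: a JavaScript model of the
// check behind EnsureFrontendRequestsAreStateful, for testing a Referer/Origin
// against a SANCTUM_STATEFUL_DOMAINS value without touching the server.
// Assumed (simplified from the PHP source): the scheme is stripped from the
// Referer (or Origin) header, a trailing slash is added, and the result must
// match one configured entry with "/*" appended, "*" being a wildcard.

// Parse the .env value: comma-separated, trimmed, empty entries dropped.
function parseStatefulDomains(envValue) {
  return envValue.split(',').map((d) => d.trim()).filter((d) => d.length > 0);
}

// Turn "localhost:8080/*" or "*.hub.test/*" into an anchored regular expression.
function patternToRegex(pattern) {
  const escaped = pattern
    .replace(/[.*+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\\\*/g, '.*'); // then let "*" match anything
  return new RegExp('^' + escaped + '$');
}

// True when the request gets session/cookie authentication. False means Sanctum
// falls through to token auth, and a cookie-only SPA sees 401 Unauthenticated.
function isStatefulRequest(headers, statefulDomains) {
  let domain = headers.referer || headers.origin;
  if (!domain) return false; // no Referer/Origin: treated as a plain API call
  domain = domain.replace(/^https?:\/\//, '');
  if (!domain.endsWith('/')) domain += '/';
  return statefulDomains.some((d) => patternToRegex(d + '/*').test(domain));
}

// Diagnose a 401: returns null when the SPA origin is already stateful, otherwise
// the exact host:port entry to add (host AND port must both match).
function missingStatefulEntry(originUrl, envValue) {
  if (isStatefulRequest({ referer: originUrl }, parseStatefulDomains(envValue))) return null;
  return originUrl.replace(/^https?:\/\//, '').replace(/\/.*$/, '');
}

// Constructed sample: the .env value from the comment above, checked against the
// SPA port (8080) and the API port (8000).
const sampleEnv = 'localhost:8080,127.0.0.1:8080,localhost:3000,127.0.0.1:3000';
console.log(missingStatefulEntry('http://localhost:8080/login', sampleEnv)); // null
console.log(missingStatefulEntry('http://localhost:8000/', sampleEnv)); // 'localhost:8000'
```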
I'm using Sanctum with Apache Virtual Hosts even with wildcard subdomains, and it works fine once I set the stateful domains correctly. My front end is served by the same app as my backend. Keep in mind some apps have to share web servers when deployed. I'm using this config in my .env file:
Setting
@Aslam97
@csimpi ah my mistake. edited
Another tip is that you have to set up EnsureFrontendRequestsAreStateful in the api middlewareGroups in app/Http/Kernel.php, like so:
For those who are using NEXT JS as an SPA, DO NOT call axios from inside getServerSideProps or getStaticSiteProps!
I configured all the settings for Sanctum but it's not working.
If you are using PHP FastCGI and Apache to serve your Laravel application, HTTP Basic authentication may not work correctly. To correct these problems, the following lines may be added to your application's .htaccess file:
Reference:
FWIW, I was scratching my head for a full day only to realize the issue was related to browser cache; switching to Firefox worked. 🤷
Thanks
Then start Laravel with the command
Hello everyone, for me the solution was to add the
Never use a session on API calls; that would rip open your API to cross-site scripting attacks. It's dangerous.
@stanliwise Thanks 🙏
Sanctum session auth is basically for SPA applications that use cookie-based authentication. If you're using API calls, simply use the plain text token method and pass it as a bearer token.
@stanliwise I'm using the Sanctum cookie-based auth strategy for a React SPA
Are you aware of the EnsureFrontendRequestsAreStateful middleware?
Yes, I'm aware of it. I'm using it as well.
I guess the best way to configure your Laravel Sanctum and SPA is to configure your Laravel ENV file properly and also add
Description:
After successfully hitting the airlock/csrf-cookie endpoint and logging in I still receive unauthenticated when hitting my API in subsequent requests. I can see the cookies being sent in the request (XSRF-TOKEN and the session) but it still will not authenticate with the airlock middleware.
SESSION_DOMAIN=.hub.test
AIRLOCK_STATEFUL_DOMAINS=front.hub.test
Cors config:
Please can you give some guidance on this; I have tried all the relevant channels (Slack, Discord etc.) and am still not able to solve the issue.
Thank you