Error when application is behind Apache basic auth

[wmfairuz]

Q	A
Bug?	yes
New Feature?	no
Framework	Laravel
Framework version	8.83.23
Package version	v12.2.1
PHP version	8.1.18

Actual Behaviour

I'm running Laravel on a Apache with basic auth enabled using .htaccess (it's our development server). The basic auth only there to allow only our team to be able to access our in-development applications environment.

I have a public API (no auth) that my VueJS component call. This API is defined in api.php.

When I load the home page, as expected the basic auth will ask for password. Then from the home page, I go to another page that load this vuejs component. I fill-in some details in the form, and click on submit. This will trigger the API call (the public API defined earlier).

Basically the API will do some things and one of the things is creating a User. My User Model implement Auditable, and use Auditable trait. The user is created just fine. But apparently this trigger a OwenIt\Auditing\AuditableObserver->created() and after that trigger below error.

Expected Behaviour

I expect no error from this kind of activity.

Trace logs

[2023-05-11 19:03:31] local.ERROR: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'api_token' in 'where clause' (SQL: select * from users where api_token = staging@2023 and users.deleted_at is null limit 1) {"exception":"[object] (Illuminate\Database\QueryException(code: 42S22): SQLSTATE[42S22]: Column not found: 1054 Unknown column 'api_token' in 'where clause' (SQL: select * from users where api_token = staging@2023 and users.deleted_at is null limit 1) at /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Connection.php:712)
[stacktrace]
#0 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Connection.php(672): Illuminate\Database\Connection->runQueryCallback()
#1 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Connection.php(376): Illuminate\Database\Connection->run()
#2 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php(2414): Illuminate\Database\Connection->select()
#3 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php(2402): Illuminate\Database\Query\Builder->runSelect()
#4 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php(2936): Illuminate\Database\Query\Builder->Illuminate\Database\Query\{closure}()
#5 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php(2403): Illuminate\Database\Query\Builder->onceWithColumns()
#6 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php(625): Illuminate\Database\Query\Builder->get()
#7 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php(609): Illuminate\Database\Eloquent\Builder->getModels()
#8 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Concerns/BuildsQueries.php(294): Illuminate\Database\Eloquent\Builder->get()
#9 /var/www/app/vendor/laravel/framework/src/Illuminate/Auth/EloquentUserProvider.php(134): Illuminate\Database\Eloquent\Builder->first()
#10 /var/www/app/vendor/laravel/framework/src/Illuminate/Auth/TokenGuard.php(85): Illuminate\Auth\EloquentUserProvider->retrieveByCredentials()
#11 /var/www/app/vendor/laravel/framework/src/Illuminate/Auth/GuardHelpers.php(60): Illuminate\Auth\TokenGuard->user()
#12 /var/www/app/vendor/owen-it/laravel-auditing/src/Resolvers/UserResolver.php(21): Illuminate\Auth\TokenGuard->check()
#13 [internal function]: OwenIt\Auditing\Resolvers\UserResolver::resolve()
#14 /var/www/app/vendor/owen-it/laravel-auditing/src/Auditable.php(316): call_user_func()
#15 /var/www/app/vendor/owen-it/laravel-auditing/src/Auditable.php(279): App\Models\User->resolveUser()
#16 /var/www/app/vendor/owen-it/laravel-auditing/src/Drivers/Database.php(19): App\Models\User->toAudit()
#17 /var/www/app/vendor/owen-it/laravel-auditing/src/Auditor.php(69): OwenIt\Auditing\Drivers\Database->audit()
#18 /var/www/app/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php(261): OwenIt\Auditing\Auditor->execute()
#19 /var/www/app/vendor/owen-it/laravel-auditing/src/AuditableObserver.php(38): Illuminate\Support\Facades\Facade::__callStatic()
#20 /var/www/app/vendor/laravel/framework/src/Illuminate/Events/Dispatcher.php(424): OwenIt\Auditing\AuditableObserver->created()
#21 /var/www/app/vendor/laravel/framework/src/Illuminate/Events/Dispatcher.php(249): Illuminate\Events\Dispatcher->Illuminate\Events\{closure}()
#22 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Concerns/HasEvents.php(189): Illuminate\Events\Dispatcher->dispatch()
#23 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Model.php(1174): Illuminate\Database\Eloquent\Model->fireModelEvent()
#24 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Model.php(994): Illuminate\Database\Eloquent\Model->performInsert()
#25 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php(896): Illuminate\Database\Eloquent\Model->save()
#26 /var/www/app/vendor/laravel/framework/src/Illuminate/Support/helpers.php(263): Illuminate\Database\Eloquent\Builder->Illuminate\Database\Eloquent\{closure}()
#27 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php(897): tap()
#28 /var/www/app/vendor/laravel/framework/src/Illuminate/Support/Traits/ForwardsCalls.php(23): Illuminate\Database\Eloquent\Builder->create()
#29 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Model.php(2132): Illuminate\Database\Eloquent\Model->forwardCallTo()
#30 /var/www/app/app/Http/Controllers/PremisesRegistrationController.php(94): Illuminate\Database\Eloquent\Model->__call()
#31 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Controller.php(54): App\Http\Controllers\PremisesRegistrationController->store()
#32 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(45): Illuminate\Routing\Controller->callAction()
#33 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Route.php(262): Illuminate\Routing\ControllerDispatcher->dispatch()
#34 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Route.php(205): Illuminate\Routing\Route->runController()
#35 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Router.php(721): Illuminate\Routing\Route->run()
#36 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\Routing\Router->Illuminate\Routing\{closure}()
#37 /var/www/app/app/Http/Middleware/RedirectIfAuthenticated.php(30): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#38 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\Http\Middleware\RedirectIfAuthenticated->handle()
#39 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Middleware/SubstituteBindings.php(50): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#40 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Routing\Middleware\SubstituteBindings->handle()
#41 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php(127): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#42 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php(103): Illuminate\Routing\Middleware\ThrottleRequests->handleRequest()
#43 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php(55): Illuminate\Routing\Middleware\ThrottleRequests->handleRequestUsingNamedLimiter()
#44 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Routing\Middleware\ThrottleRequests->handle()
#45 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#46 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Router.php(723): Illuminate\Pipeline\Pipeline->then()
#47 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Router.php(698): Illuminate\Routing\Router->runRouteWithinStack()
#48 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Router.php(662): Illuminate\Routing\Router->runRoute()
#49 /var/www/app/vendor/laravel/framework/src/Illuminate/Routing/Router.php(651): Illuminate\Routing\Router->dispatchToRoute()
#50 /var/www/app/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(167): Illuminate\Routing\Router->dispatch()
#51 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http\{closure}()
#52 /var/www/app/vendor/livewire/livewire/src/DisableBrowserCache.php(19): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#53 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Livewire\DisableBrowserCache->handle()
#54 /var/www/app/vendor/barryvdh/laravel-debugbar/src/Middleware/InjectDebugbar.php(66): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#55 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Barryvdh\Debugbar\Middleware\InjectDebugbar->handle()
#56 /var/www/app/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#57 /var/www/app/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ConvertEmptyStringsToNull.php(31): Illuminate\Foundation\Http\Middleware\TransformsRequest->handle()
#58 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull->handle()
#59 /var/www/app/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#60 /var/www/app/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php(40): Illuminate\Foundation\Http\Middleware\TransformsRequest->handle()
#61 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\TrimStrings->handle()
#62 /var/www/app/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php(27): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#63 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\ValidatePostSize->handle()
#64 /var/www/app/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php(86): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#65 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance->handle()
#66 /var/www/app/vendor/fruitcake/laravel-cors/src/HandleCors.php(52): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#67 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Fruitcake\Cors\HandleCors->handle()
#68 /var/www/app/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustProxies.php(39): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#69 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Http\Middleware\TrustProxies->handle()
#70 /var/www/app/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#71 /var/www/app/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(142): Illuminate\Pipeline\Pipeline->then()
#72 /var/www/app/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(111): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter()
#73 /var/www/app/public/index.php(52): Illuminate\Foundation\Http\Kernel->handle()
#74 {main}

Possible Solutions

• I see my basic auth password in the query in the trace log. My theory is apache somehow add a Auth header in there?

Thanks!

[MortenDHansen]

Have you tried doing the same, but without audit? - this error is not from auditing, so i would be interested to know if it is actually a behaviour triggered from auditing