I am using Laravel sanctum in my project with angular as frontend. Getting unauthenticated from the second api request. Please let me know where am I going wrong
Frontend-> 127.0.0.1:4200
Backend-> localhost:8888
.env config
SESSION_DOMAIN=localhost
SANCTUM_STATEFUL_DOMAINS=127.0.0.1
Added middleware auth:sanctum to the routes group in api.php
Ref: https://prnt.sc/rm9ejy
For anyone having an Unauthenticated error, please ensure you follow these steps.
Send a GET request to /sanctum/csrf-cookie
Send a post request to web route /login to get authenticated
After this step, you will be successfully authenticated by auth:sanctum middleware in the WEB route or any resource route that needs CRSF token present.
[Why did this work]
Sending a GET request(empty request) to /sanctum/csrf-cookie enables laravel to send the fresh set cookies command to your browser to set a fresh CRSF token which can be found in your cookies. Axios and most library send this fresh token as part of headers X-CSRF-TOKEN by default, for regular ajax request, please include them explicitly in your headers or in form _token, else your SPA will still hit the 419(token expired) error
Other things to be aware of:
Ensure your SESSION_DOMAIN is set to localhost
SANCTUM_STATEFUL_DOMAIN is set to your sub domain/SPA with the port e.g localhost:8000
For the original question please ensure you maintain same domain. I mean use localhost for both. And set SANCTUM_STATEFUL_DOMAIN = localhost:4200
Edited
Also set SESSION_DRIVER
Add your domains, for example
my API is running on localhost:8000 my client is running on localhost:3000 so my env setting looks like below
SANCTUM_STATEFUL_DOMAINS=localhost:8000,localhost:3000
also, add your session domain
SESSION_DOMAIN=localhost
Have you checked your Kernel.php? app/Http/Kernel.php
Make sure you uncomment \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class, coz by default it is being commented
'api' => [
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
Two days of pain and despair to arrive at this conclusion: the Bearer token was not attached to the request, and that was because of my .htaccess configuration.
If you, like me, are not able to authenticate via API token, try to add this line on your .htaccess file in the public directory in your Laravel project:
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
Right after RewriteEngine On directive.
CREDITS: Laravel not detecting auth token sent in the header and JWT package
From the screenshot you shared I see your domain is localhost and not 127.0.01, just do:
SANCTUM_STATEFUL_DOMAINS=localhost
For anyone using Laravel Homestead, use your actual domain.
SANCTUM_STATEFUL_DOMAINS=homestead.test
Which version are you running? Since V2.4.0 you need to specify the port:
SANCTUM_STATEFUL_DOMAINS=localhost:4200
See this issue for more info.
The sanctum stateful domains require the port number as well.
e.g. SANCTUM_STATEFUL_DOMAINS=127.0.0.1:4200
Although in your case your screenshot shows it should be SANCTUM_STATEFUL_DOMAINS=127.0.0.1:4201
Late in the game but just to help those that keep looking for this solution, most of the answers here have some truth, just have to put them together to make it work:
ENV file: SESSION_DOMAIN=localhost (or whatever your domains is)
in config->sanctum.php->stateful (if not already there): Sanctum::currentApplicationUrlWithPort()
in app/Http/Kernel.php API add as very first (this is important) : \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
in app/http/kernel API remove if there: \Illuminate\Session\Middleware\StartSession::class,
add to your api routes middleware: auth:sanctum
Also worth checking the guard settings under config->sanctum.php
that should do.
I had the same solution as Marco, adding the rewrite rule to my htaccess in public fixed it.
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
FYI I am hosting this on Auzre Web App Service (linux), if anyone else is doing that.
check if you had changed your guard in past. goto config/auth.php check if your provider model is same as your user model (or the model you using) for authentication.
in my case i was using different guard and provider.
In case you have problems when going into production and/or have more than one subdomains and also use https don't forget that the port is 443 instead of the usual 80.
E.g.:
SANCTUM_STATEFUL_DOMAINS=*.example.com:443
SESSION_DOMAIN=.example.com
Lost days trying to figure out why the laravel, the spa or the android app were taking turns to fail, but never working all at the same time, until found that solution.
This worked for me. The solution is adding this to .htaccess of root folder (not only inside the public folder)
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
Related
I have developed application in Angular 7 and APIs in Laravel 5.7.
For CORS issue, I have also installed barryvdh/laravel-cors package in Laravel and its working fine on local.
But when I deployed these both applications on Godaddy single hosting, that is Starter Linux Hosting with cPanel
Angular app in main directory public_html
Laravel APIs in public_html/api directory which points to
public_html/api/public
APIs are not working and I am seeing this error
Access to XMLHttpRequest at 'http://api.example.com/api/documentations?page=1' from origin 'http://example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request
I have seen lot of answers on stackoverflow and on other sources, nothing seems to be working for me.
I tried adding headers to .htaccess file
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
As well as directly to index.php but with no luck.
header('Access-Control-Allow-Origin', '*')
Any idea or help is highly appreciated. Thanks in advance.
Redirect is not allowed for a preflight request
Since you have a HTTP to HTTPS redirect in place, and your API calls are trying to access http://api.example.com/api/documentations?page=1, they're going to fail, because (as the message states) you can't redirect a CORS preflight.
Update your code to make the API calls over HTTPS.
Thank you #ceejayoz for your valuable comments and answer. I am able to find the issue
I am having two .htaccess files. For main domain, one at
public_html/.htaccess
and another for subdomain at
public_html/api/public/.htaccess
The one at public_html/.htaccess having this line to protect the files inside the public_html/api directory from root access of main domain
RedirectMatch 403 ^/api/.*$
When I commented/removed this line, APIs started working but files inside public_html/api directory were not secure.
Then to secure the files, I created one more file at public_html/api/.htaccess and added these lines
RewriteEngine On
RewriteRule !^public/ - [F,NC]
And I achieved both: APIs are working and files inside public_html/api are secured.
I have made an App that has recently gone through a penetration test. I am required to set the X-Frame options in the application to SAMEORIGIN. This is to prevent clickjacking. I believe this is possible in the App.yaml file, but I am not sure how to implement something like this. I have scanned the docs and still can't work out how to deny, only allow.
handlers:
- url: /.*
script: public/index.php
http_headers:
X-Frame-Options SAMEORIGIN
I have found a solution to this using a Middleware within Laravel 5.1
The middleware is called FrameGuard and is stored at the following
Illuminate\Http\Middleware\FrameGuard
To enable this add the following line to the protected middleware array
'Illuminate\Http\Middleware\FrameGuard',
This sets the frame header option to SAMEORIGIN, which can be changed if required.
This prevents the Clickjacking vulnerability in a Laravel application
To anyone stumbling on this, the reason why the http_headers doesn't work, is because it can only be applied to static file handlers, as mentioned in the doc.:
Optional. You can set HTTP headers for responses of your static file or directory handlers. If you need to set HTTP headers in your script handlers, you should instead do that in your app's code.
Didn't catch this on my local machine but I've noticed some of my pages returning the naked IP address of my web server instead of the domain name. Example:
route('homepage') will sometimes return 192.XX8.X.2XX or 192.XX8.X.2XX/index.php or domain.com/index.php. My pages are cached upon the first visit and there's a rough 50% chance the things will come out weird for all URLs on the page.
Is there an explanation for this weird behavior and how would I fix it? It's quite a concern since Googlebot is listing three additional duplicate copies of my site.
Note: I'm also using the LaravelLocalization package for my routes: https://github.com/mcamara/laravel-localization
I'm also running this app under Laravel Forge (Nginx)
I understand, the question is very old, but I've had same problem and found the solution. (it can help someone)
Open file RouteServiceProvider on this path: app/Providers/RouteServiceProvider.php
Look for function mapWebRoutes. Now we have to add caller domain with config from our environment
protected function mapWebRoutes()
{
Route::middleware('web')
->namespace($this->namespace)
->domain(\Config::get('app.url', null))
->group(base_path('routes/web.php'));
}
During building the url based on route - system tries to get local variable domain in current route, if it found - the domain should apply immediately. But if property undefined - go to Symfony route module.
PS: Don't forget to set APP_URL in your .env file.
Example:
APP_URL=https://mysimpledomain.ua
I had gread success using
\URL::forceRootUrl(\Config::get('app.url'));
in RouteServiceProvider.php on boot().
This is most likely down to your nginx configuration. If you only have your app configured on the server then it will act as the default. When you visit the server directly by it's IP address (or any other domain that links to your server) then nginx will serve the laravel app.
There are many approaches to deal with this. I would suggest to either configure a default for the server. This could be just a html page saying "congratulations you've reached the server" or something similar. The other is just reconfigure you app's nginx file to redirect anything that's not the correct domain to the domain name for you app.
server {
if ($host != example.com) {
return 301 https://example.com$request_uri;
}
listen 80;
server_name example.com;
}
More about how nginx processes a request here: http://nginx.org/en/docs/http/request_processing.html
I created a route named dashboard.
The user will login first in the /dashboard/logout route before accessing
the /dashboard/mailer route.
The problem is the /dashboard/mailer redirects to the /dashboard/login again. See the images below.
You will notice that when it reaches the mailer route, it will send a Location header again pointing to the login route.
It works on my dev server without https but when I upload it to production with https, It does not redirect properly.
Here is my security.yml
Here is the default_security_target
In case you need it, here is the .htaccess in my production server. My production server is behind a load balancer with 2 nodes. The trusted_proxy configuration is also already set. Also, the firewall uses an in memory provider.
Found out that the sessions are not being managed correctly in the load balancers. When I login in the 1st server, the 2nd server will not see me authenticated thus being redirected to the login page.
I am trying to enable clean urls with Angular JS inside my Laravel 4 app. When I tried the required thing normally without laravel 4 refering to this url.
http://www.yearofmoo.com/2012/11/angularjs-and-seo.html, I was able to get the thing to work. Even ?_escaped_fragment_= was changed to snapshot/* folder and picked the content.
But I am not able to do the same in Laravel 4. I am not sure how to do this.
I am trying to define a route like ?_escaped_fragment_=/* and redirect it to some controller but that doesn't work.
Can anyone please help.
Escaped fragment is a query parameter, not a route, there for, in the root route Route::get('/', 'RootCtrl');, you can check for $_GET['_escaped_fragment'] presence, and if it is there, return an HTTP 302 redirect to the corresponding file in the snapshots dir.
While this will work, it is not the perfect solution, since some bots might index the path of the snapshots file instead of the original one, and since doing it using the Laravel framework is not correct in the first place.
The best choice of course, is to rewrite any request that contains an _escaped_fragment_
query parameter to it's corresponding path, in the nginx\apache configuration, prior to the configuration of your Laravel app, this way those requests won't event reach the Laravel router.
I have co-authored an Angular SEO plug-and-play solution, using PhantomJS & Mongoose integrated web server, to pre-render any Async JS code, and server it as raw HTML.
The server configuration aspects are also explained in the README.md file, please note that if you would like to use static snapshots, just change proxy-pass to rewrite(in order for the right URL to get indexed by the bots).
Hope that helps.
Example using simple rewrites with nginx:
if ($args ~* "^_escaped_fragment_=(.+)") {
set $path $1
set $args '';
rewrite ^.*$ /snapshots/$path last;
}
EDIT:
Apache, for your request (some words of advice: move to nginx).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} ^_escaped_fragment=(.+)$
RewriteRule ^.*$ /snapshots/%1 [QSA,L]
</IfModule>