shaneomac wrote a reply
5mos ago
@janum Thanks for all that insight!
@jussimannisto It has all become super clear the last few days for me where I have gone wrong. I just wish I knew all this info months ago, but never again will I struggle.
Appreciate your responses!
shaneomac liked a comment
5mos ago
Speaking of LLMs being wrong:
- For Inertia, always make the first request visit /sanctum/csrf-cookie. A lot of devs forget this step. Once the cookie is set, the CSRF header is handled automatically. No need to manually fetch the token at all.
This is pointless with Inertia. The initial Inertia page response already includes the cookie. You'd only need this step if you had a pure SPA with Laravel as a backend API.
shaneomac wrote a reply
5mos ago
Any chance this in the app.blade.php could be the culprit?
I found this in the Inertia docs: "Laravel automatically includes the proper CSRF token when making requests via Inertia or Axios. However, if you're using Laravel, be sure to omit the csrf-token meta tag from your project, as this will prevent the CSRF token from refreshing properly."
Looks like it snuck into our app 8 months ago when AI told me it would fix some ongoing 419 errors.
Looking at the other files in this commit, I was using Fetch for the requests.
It's all making sense in hindsight, but it's also really frustrating that the dev working on this is not able to quickly diagnose and troubleshoot this.
shaneomac wrote a reply
5mos ago
I am digging around for some 419 errors we are still having @gabotronix
According to the Inertia docs, you actually don't want the CSRF token baked into the
It will be handled with cookies. This does not allow a proper refresh from what I am learning.
Have you found a fix after a year?
shaneomac started a new conversation
5mos ago
Can anyone add some input as to how to best handle CSRF throughout a Laravel/React app?
It was immensely painful to figure out, with partial and occasional failures. Different ENVs failed at different rates.
Going from our app to Stripe and back was a common 419 error. Our checkout session is excluded from CSRF to make it seamless.
I have since mitigated almost entirely with a React Util to refresh tokens and grab it before hitting controllers and such.
I tried so many different ways and they all had different rates of success.
We are now in production with a small user base and I still see 419 errors in NightWatch for one specific part of the app. Normally after one failure they get through.
But I can't seem to find any info online. It's all 5-7 years old.
Keep in mind I am not traditionally trained. I am self-taught and rely on AI for writing the code, but I can architect and build just about anything, and I am quite good at reading and understanding code and catching the flaws of AI.
So I have my gaps.
But any info on modern Laravel 12 with React handling CSRF PERFECTLY, with no failures in the app, would be great.
I feel we are smooth sailing once we get this one area worked out.
A dev helping me has vast training but is just as stuck as I am when it comes to CSRF.
Anything that may be remotely helpful, please chime in!
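The cookie-based approach the Inertia docs describe (omit the csrf-token meta tag, let the XSRF-TOKEN cookie carry the token) is what axios does automatically and what plain fetch() calls, like the ones mentioned in the commit above, have to do by hand. The following is an added example, not shaneomac's code or anything from the thread; it assumes Laravel's default XSRF-TOKEN cookie name and X-XSRF-TOKEN header, and takes the cookie string as a parameter so it also runs outside a browser (in a page you would pass document.cookie).

```javascript
// Added example (not from the thread): a helper for fetch() calls to a Laravel
// backend that relies on the XSRF-TOKEN cookie instead of the csrf-token <meta>
// tag. Laravel sets the cookie URL-encoded and accepts the decoded value in the
// X-XSRF-TOKEN header; axios does this automatically, fetch() does not.

// Read one cookie value from a document.cookie-style string.
// The string is passed in explicitly so the function runs outside a browser.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) {
      // Laravel stores the cookie URL-encoded; the header carries the decoded value.
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

// Laravel's CSRF middleware skips these "reading" methods, so no token is needed.
const READ_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Build the fetch() init for a same-origin request, attaching X-XSRF-TOKEN for
// state-changing methods. Throws when the cookie is missing so the failure shows
// up in the client with a clear message instead of as a server-side 419.
function buildInit(method, body, cookieString) {
  const upper = method.toUpperCase();
  const headers = {
    Accept: 'application/json',
    'X-Requested-With': 'XMLHttpRequest',
  };
  if (!READ_METHODS.has(upper)) {
    const token = readCookie(cookieString, 'XSRF-TOKEN');
    if (token === null) {
      throw new Error('XSRF-TOKEN cookie missing; session may have expired');
    }
    headers['X-XSRF-TOKEN'] = token;
  }
  const init = { method: upper, headers, credentials: 'same-origin' };
  if (body !== undefined) {
    headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
  }
  return init;
}

// Constructed sample cookie jar shaped like what Laravel sets (values are fake).
const SAMPLE_COOKIES =
  'XSRF-TOKEN=eyJpdiI6IkFCQyIsInZhbHVlIjoieHl6In0%3D; laravel_session=s3ss10n';
```

In a page you would call `fetch('/checkout', buildInit('POST', payload, document.cookie))`; if the request still returns 419, the token in the cookie no longer matches the session, which points at the session or cookie configuration rather than the client code.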