Authenticating ajax requests whilst logged in

I'm logged in to my laravel site and I'm on a page which has the auth middleware applied to it. This page has some javascript which fires off an ajax request to an endpoint on the same laravel app but which also uses the auth middleware.

The ajax response is 401 Unauthorized. Why is this? Can't the auth middleware figure out that the ajax request is coming from a logged in session? How can I make this work without having to implement some complex Oauth system. These ajax requests will only be made from authenticated sessions.

Edit

It turns out that if I assign the auth.basic middleware to the ajax route it will prompt for authentication for the first request and then create a session that allows future ajax request through.

I seem to remember that being logged in in the normal way (i.e. via the auth middleware) allowed auth.basic-protected requests through as well. Has this changed in Laravel 5.2?

harryg

10 years ago

Level 5

@premsaurav ajax requests are http

In fact, in an older app I have running, this works as ajax requests are sent with a remember token cookie in the request header. Any idea how I can recreate in 5.2?

Example ajax request headers

(sent using Vue-Resource from an authenticated page)

Old app (4.3):

Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-GB,en-US;q=0.8,en;q=0.6
Connection:keep-alive
Cookie:remember_82e5d2c56bdd0811318f0cf078b78bfc=eyJpdiI6InhBdE5LN3p4aUZxZTVqbW5hQTZYOG02WlgzUGVOV21DYVVFZnhUTzM0enM9IiwidmFsdWUiOiJpMUhaQUE1N2JYOE0ycW1RaTVsY1VzaU9BZHRralhvU0N0dXdYSStjTlRpaVBcLzdxN2hJenRtK1hKZ21NSjE0SThPbGk1NWQ0K2RwdXFKWEh1cWNkRVVpMHhQdUpcL25xQ1ZlbkVwYlpyZTQySFZtblh6b2hnMHRkbzZDN3lWeTJqIiwibWFjIjoiNWM3OXRlMGVlOWI3ZWNlM2E4OTdjMGM2YWJlMDM2MWNm6TQ3OTI3OTk3YTMwNDU3ZTQ0MTkwN2RhYzQxOTg4MCJ9; _ga=GA1.2.396577243.1443016651; art_session=eyJpdiI6IkxjVkt5Z0R6bU1hQUhYZVE3WExyWWJTVmFDREx6T2FiOXVtVlVVQUFcLzJ3PSIsInZhbHVlIjoiSUhmRWN4dGVxRnFWWDFEdlwvNkJNYjNcL1pUSmo5SDYwc0twMExzUVlzVERldldHRjUxQXdnU3l4ZjZxRWUrY1plZ1cyUmZVd2lpZnVFTEh1ME9PYlM1QT09IiwibWFjIjoiMWUwNmMxOWM4YjU4ZGVlOTM1YTI0OWZkMDA4YTdjMDFkNGUzZjYxMTQ1NzAwNTRhMGU0NzE5NzUwYTc0NmFmZiJ9
Host:xxxxxx
Referer:https://xxxxxxxx
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
X-Requested-With:XMLHttpRequest

New App (5.2):

Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-GB,en-US;q=0.8,en;q=0.6
Authorization:Basic aGFycnlAbGFyYXZlbC5jb206c2VjcmV0
Connection:keep-alive
Content-Length:22
Content-Type:application/json;charset=UTF-8
Cookie:XSRF-TOKEN=eyJpdiI6Ikl5UWtBakJpc25sUUJoSEF2R09wSVE9PSIsInZhbHVlIjoiaWRnZ3laNkdqajBKSXJiTGFvY1YzUXdiREJ4MFlTNDZFR0NiQ2gxaGEyWll6UFwva1dYdkUraGRCSmt4cms2NW5cL01yd0ozcUpSZzlZYmJPWnhiYUp1UT09IiwibWFjIjoiNzcxZDM3ZDc2NzQzMGYzNWU5YmM3YTllNGE1MWFjZmJhMzM3YWVhMGMzOTI3ZTA3MGZlYTY3NjA0MmIyNTVlYSJ9; laravel_session=eyJpdiI6Im9XXC8rUEk1U0NvcWE0ek1xQXRTNDd3PT0iLCJ2YWx1ZSI6IlZqbm14YndSWk1tYmcyRldPQUJiSDZRWHNOMHBrSkw5YkZCTEI5REJ2TlpYSGxkb05pYTgzR09jN2ozSmR4SXBmWjltK2NzamRNcElsV3FITGt6MFRnPT0iLCJtYWMiOiJmZTI2MWNjNWRkOTFjMTkxN2VhN2U0YTZjOTdjMmQ1OWZkODc4NGQyMTA0ZjI1ZWQ4MTQ3ZTI1NzUyNzY5Nzk1In0%3D
Host:creuset.app
Origin:http://xxxx
Referer:http://xxxxx
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
X-CSRF-TOKEN:X9U4oSCpajSnFSV2TOAuBpFvb2Xob3eWlmHV3kLS
X-Requested-With:XMLHttpRequest

As we can see, in the new app the csrf token is passed in the request header but no remember token. In the old app it's the opposite, no csrf token passed, but remember token allows authentication without having to manually set on the request.