i keep getting csrf token mismatch while trying to log in using laravel sanctum with react spa

react login component

axios.defaults.withCredentials = true;
axios.defaults.baseURL = 'http://127.0.0.1:8000';

 const handleSubmit = async (e) => {
        e.preventDefault();
    
        await axios.get('/sanctum/csrf-cookie')
            .then(() => {
                return axios.post('/api/login', formData);
            })
            .then((response) => {
                console.log('Logged in successfully:', response.data);
                // Maybe redirect or fetch user
            })
            .catch((error) => {
                console.error('Login failed:', error.response?.data || error.message);
                alert("Login failed");
            });
    };

cors.php

    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    'allowed_methods' => ['*'],

    'allowed_origins' => ['http://localhost:5173'],

    'allowed_origins_patterns' => [],

    'allowed_headers' => ['*'],

    'exposed_headers' => [],

    'max_age' => 0,

    'supports_credentials' => true,

];

sanctum.php

'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
        '%s%s',
        'localhost,localhost:3000,localhost:5173,127.0.0.1,127.0.0.1:8000,::1',
        Sanctum::currentApplicationUrlWithPort(),
        // Sanctum::currentRequestHost(),
    ))),

        $credentials = $request->validate([
            'email' => 'required|string|email',
            'password' => 'required|string',
        ]);

        if(Auth::attempt($credentials)){
            $request->session()->regenerate();
            return response()->json(['message' => 'Login successful'], 200);
        }

        return response()->json(['message' => 'Invalid credentials'], 401);
    }

env

SESSION_DOMAIN=localhost SANCTUM_STATEFUL_DOMAINS=localhost

vincent15000

11 months ago

Level 63

Hmmm ... first why do you have return axios.post('/api/login', formData); instead of axios.post('/api/login', formData); ?

Then have you added this code in you bootstrap/app.php file ?

    ->withMiddleware(function (Middleware $middleware) {
        $middleware->statefulApi();
    })

mohamadAbdelhady

11 months ago

Level 1

yes i added this to bootstrap/app.php

the return is put so the promise chain continues correctly.

1 like

mohamadAbdelhady

11 months ago

Level 1

also i removed the web middleware from the login route now is not returning mismatch but i am not sure if this is the right way to do it

1 like

vincent15000

11 months ago

Level 63

@mohamadAbdelhady No it's not the solution.

GdS

11 months ago

Level 26

Hi, I would suggest a more permissive cors.php for development. Also, I think axios is not forwarding csrf cookies.

   // cors.php
    'allowed_origins' => ['*']

   // Set withCredentials to true for all requests
   axios.defaults.withCredentials = true;

When you are ready, remember to restrict cors for production.

Please share some follow-up, hope it helps

1 like

puklipo

11 months ago

Level 9

Sanctum's SPA authentication can only be used in the same top-level domain. Subdomains are allowed.
It's different from general SPA.

First, you need to check whether you can achieve what you want with Sanctum.

Most CSRF errors in Sanctum occur because of incorrect usage without understanding this.

1 like

Please or to participate in this conversation.