3 months ago

Websocket auth for private channels when using Sanctum SPA auth

Posted 3 months ago by jalfie

I have Laravel 7 working on api.lndo.site and a standalone Vue app on web.lndo.site.

Authentication between Laravel and Vue is working fine. My issue is with authorising access to private channels from the Vue side. I have a route api/broadcasting/auth with middleware api,auth:sanctum. When Vue sends a POST request to http://api.lndo.site/api/broadcasting/auth this it gets a 419 (page expired) response. For context this is using a pusher private channel.

Reading around this, one temporary suggestion was to disable VerifyCsrfToken on that URI:

protected $except = [

When I do this, the request to api/broadcasting/auth now leads to a redirect to the login page.

I haven't used the auth scaffolding and have instead directly logged in as user_id 1:

class AuthController extends Controller
    public function login()

I am more than happy to provide extracts from configuration files. I have set them up as per the documentation and divinglaravel.

Any help would be very appreciated - I feel like I'm going round in circles!

Please sign in or create an account to participate in this conversation.