Spark API returning 401

Published 1 year ago by erikharden

I'm trying to get the API working for Spark and have encountered a problem. Using the home vue.js component that get's shipped with Spark I can make, and receive a response, to the api routes. However, when I try to create a new component, it returns a 401 Unauthorized and logs me out. If I try to replicate it by using Postman and send a Post request to the same route (/api/test) it works as long as I provide the api_token querystring value with a valid API token.

I found that adding the 'web' middleware to the api.php file works if I use the vue.js component, but then it breaks if I try to use Postman.

This is the component that I'm having the problem with.

Vue.component('domains', {
props: [],

ready() {
    this.$http.get('/api/test').then(response => {
        console.log(response.data)
    })
}
});

This is my api.php file:

Route::group([
'prefix' => 'api',
'middleware' => ['auth:api']
], function () {
Route::get('test', function(){
    return "test";
});
});

I'm using the latest version of Spark (1.0.3) and Laravel (5.2.30).

Best Answer (As Selected By erikharden)
crabmusket

@christopher yes; it's that code I'm trying to get working.

I've found a new wrinkle: when I load the page initially, the cookie is encrypted twice. But if I wait 5 minutes for the AJAX PUT request that refreshes the Spark API token, it works fine after that (the cookie is only encrypted once, and I can make API requests). Here are the two cookies - you can see from their lengths that something's up:

I tried adding spark_token to the list of excepted cookies in the EncryptCookies middleware, which predictably resulted in an unencrypted JWT appearing.

EDIT: this seems wrong

EDIT: oh. Well, that solved my problem!

crabmusket

I'm having the same issue. So far I've managed to track it down to spark/src/TokenGuard.php, where after decrypting the spark_token, no token in the database has a matching value. However, if I add an additional call to decrypt(), there is a match. I'm not sure why the cookie is being encrypted twice.

EDIT: this happens to me both in the regular home component as well as one I created myself. Using Spark 1.0.7 and Laravel 5.2.31

DV
DV
1 year ago (5,420 XP)

This will sound dumb, but do you have the usesApi enabled in the SparkServiceProvider? That is required for the Spark API token refresh to take place.

CmdrSharp

I believe that you need to have the prop userdefined, and use it for the component as well.

crabmusket

I think I have both of those. I can see API Token Refreshed. in the Chrome console regularly. I'm going to dig deeper into where the cookie gets set and see if I can figure out where it's being encrypted twice.

DV
DV
1 year ago (5,420 XP)

Based on your component above, you aren't including the prop 'user'. It'll need to look like this:

Vue.component('domains', {
    props: ['user'],

    ready() {
        this.$http.get('/api/test').then(response => {
            console.log(response.data)
        })
    }
});

Unless of course you already updated that.

crabmusket

Sorry, just to clarify, I'm not the OP, but I'm having a similar issue.

christopher
crabmusket

@christopher yes; it's that code I'm trying to get working.

I've found a new wrinkle: when I load the page initially, the cookie is encrypted twice. But if I wait 5 minutes for the AJAX PUT request that refreshes the Spark API token, it works fine after that (the cookie is only encrypted once, and I can make API requests). Here are the two cookies - you can see from their lengths that something's up:

I tried adding spark_token to the list of excepted cookies in the EncryptCookies middleware, which predictably resulted in an unencrypted JWT appearing.

EDIT: this seems wrong

EDIT: oh. Well, that solved my problem!

tptompkins

Hey Guys,

I'm having this exact same problem, but I'm not sure why I'm still getting a 401. How can I tell if I have the web middleware being applied twice? Here's what I know:

  • I'm running Spark version 1.0.13
  • My controller's constructor is applying the auth middleware: $this->middleware('auth');
  • My api.php file is applying 'middleware' => 'auth:api'

Should my controller not apply any middleware and just let api.php handle that? When I comment out the middleware from my controller, I still get a 401. Not sure what else to check. Any ideas?

belov91

@crabmusket did you find a solution? If yes please explain.

crabmusket

@belov91 yes, I discovered I was having this issue as I linked in my last post. I removed the web middleware from my routes file and stopped seeing the issue.

I do seem to still get random 401s and logouts, but haven't been able to track down that issue. It seems it's something to do with unreliable session storage.

websanova

Just adding to this since I had the same issue. After playing around for about 30 minutes I found that setting the middleware to both api and auth:api worked.

middleware' => ['api', 'auth:api'],

Also you can then just directly use $this->middleware('dev'); in the controller for dev access to that route also.

Please sign in or create an account to participate in this conversation.