RomainB

Can't auth axios with Jetstream session

Hi Everyone,

I'm having some trouble which feels "random" to me: I have been working with axios on VueJS 2 for weeks now and all was fine. I'm using the basic Jetstream register/login pages; I'm not working on a SPA.

Yesterday I wanted to upgrade to VueJS 3, and that's when the problems began. I'm not really sure it's related, because I didn't upgrade axios, but the coincidence is curious because I didn't touch the Jetstream/route configuration.

The most curious part is the fact that the problem appears at night (am I crazy? Is it Gremlins?):

  • Yesterday (when I upgraded), the problem appeared
  • This morning it vanished; I said to myself "ok, you should have gone to bed earlier..."
  • And tonight it came back! I hope it'll disappear tomorrow and never come back!

Because I'm telling myself it can't be a timezone problem, I'm here to share some code, in case someone sees something obvious I can't see...

The server responds with a 401: Unauthenticated error, which is curious because my automatic broadcasting/auth call is correctly authenticated.

Here is my axios config and call:

let ajax = axios.create({
    withCredentials: true
});

ajax.get('http://www.terrajdr.test/api/beta/notifications').then(a => console.log(a))

The XSRF-TOKEN cookie is correctly set.

My api route protection in the RouteServiceProvider:

protected function mapApiRoutes()
{
    Route::prefix('api/beta')
        ->middleware('auth:sanctum')
        ->namespace('Controllers\API')
        ->name('api.')
        ->group(base_path('routes/api.php'));
}

My config/cors.php:

return [
    'paths' => ['api/*'],
    'allowed_methods' => ['*'],
    'allowed_origins' => ['*'],
    'allowed_origins_patterns' => [],
    'allowed_headers' => ['*'],
    'exposed_headers' => [],
    'max_age' => 0,
    'supports_credentials' => true,
];

My .env file:

APP_URL=http://terrajdr.test

SANCTUM_STATEFUL_DOMAINS=terrajdr.test

SESSION_DRIVER=database

SESSION_DOMAIN=.terrajdr.test

The page I'm trying to hit is [GET] http://www.terrajdr.test/api/beta/notifications and I'm on the same domain.

Arrakyn

Hi, I just encountered the same issue.

My problem was that the class EnsureFrontendRequestsAreStateful wasn't declared in app/Http/Kernel:

    /**
     * The application's route middleware groups.
     *
     * @var array
     */
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Laravel\Jetstream\Http\Middleware\AuthenticateSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
            \App\Http\Middleware\HandleInertiaRequests::class,
            \App\Http\Middleware\ShareInertiaCustomData::class,
        ],

        'api' => [
            \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
            'throttle:api',
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];
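
Both posts hinge on when Sanctum treats an axios call as a stateful, cookie-authenticated request. The script below is an added example (not code from either poster, and a simplified model rather than Sanctum's own source) of the host check that EnsureFrontendRequestsAreStateful is assumed to perform; `wildcardMatch`, `isFromFrontend` and the `/dashboard` paths are hypothetical names and constructed inputs.

```php
<?php
// Added example, not Sanctum's source: a simplified model of its stateful check.
// Assumption: the Referer (or Origin) host is compared with every
// SANCTUM_STATEFUL_DOMAINS entry plus "/*"; confirm against your installed version.

/** Wildcard match in the style of Laravel's Str::is ("*" matches any characters). */
function wildcardMatch(string $pattern, string $value): bool
{
    $regex = str_replace('\*', '.*', preg_quote($pattern, '#'));
    return preg_match('#^' . $regex . '\z#u', $value) === 1;
}

/** True when the request would be given the session (cookie) middleware stack. */
function isFromFrontend(?string $referer, ?string $origin, string $statefulEnv): bool
{
    $source = $referer ?: $origin;
    if ($source === null || $source === '') {
        return false; // no Referer/Origin header: handled as a token client
    }
    $source = preg_replace('#^https?://#', '', $source); // drop the scheme
    if (substr($source, -1) !== '/') {
        $source .= '/';
    }
    $domains = array_filter(array_map('trim', explode(',', $statefulEnv)));
    foreach ($domains as $domain) {
        if (wildcardMatch($domain . '/*', $source)) {
            return true;
        }
    }
    return false;
}

// Constructed sample headers built from the host names in the question.
$requests = [
    ['http://terrajdr.test/dashboard', null],
    ['http://www.terrajdr.test/dashboard', null],
    [null, 'http://www.terrajdr.test'],
    [null, null],
];
// First value is the one from the question's .env; the second is a constructed variant.
foreach (['terrajdr.test', 'terrajdr.test,www.terrajdr.test'] as $env) {
    echo "SANCTUM_STATEFUL_DOMAINS={$env}\n";
    foreach ($requests as [$referer, $origin]) {
        $label = $referer ?? $origin ?? '(no Referer/Origin)';
        printf("  %-38s stateful=%s\n", $label, isFromFrontend($referer, $origin, $env) ? 'yes' : 'no');
    }
}
```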
