
log-on

SPA Web App with Social Sign in Only

I'm building a SPA using a Laravel API that should only allow login/register with some social accounts that are logged in via Socialite. That all works fine, but I'm trying to combine Socialite + Sanctum (not sure if this is the best approach or not) with the attempt to use SPA cookie-based auth rather than a bearer token.

Previously I used JWT and that worked fine, but I'm trying to move to a cookie-based approach as recommended; then, for mobile, Sanctum supports bearer tokens also.

Initially the SPA calls the "sanctum/csrf-cookie" route before a login (POST), gets cookies and saves them in the browser. It took me a while to configure this and get it actually working, as I kept getting a CSRF token mismatch, but that's fixed now.

Now when I make new requests I can see the X-XSRF-TOKEN and XSRF-TOKEN cookies set in Chrome.

Next I try to call a login endpoint that executes the code below to temporarily replace the social login code:

    use Illuminate\Support\Facades\Auth;

    // Temporary stand-in for the Socialite login: log in user id 1 with "remember me"
    Auth::loginUsingId(1, true);
    return response()->json(Auth::user(), 200);

I can see the XSRF cookie set as a header in Chrome:

  Cookie: XSRF-TOKEN= etc

But I don't see anything come back in the response regarding headers or cookies to indicate this user was logged in.

Then, when I call a protected API endpoint, I get:

    401 Unauthorized

I was under the impression that Sanctum, using stateful auth, uses a cookie to maintain the session rather than having to use the bearer token and use Sanctum in stateless mode?

Therefore, if I log in programmatically, it should still return whatever is needed to use this in the client?

Anyone know what I am missing?

0 likes
4 replies
log-on

@vincent15000 Yeah, so I read all that.

It was stated that web.php was the route file you have to place the login functionality in too, but after I got that to work none of the api.php routes worked unless I moved my api.php routes into web.php, since I'm using SPA cookie-based auth and not bearer tokens. That works fine now. This was not really clear in the docs, as it mentions web.php for login etc. but then jumps to api.php and only tells you to put in the EnsureStatefulRequests class etc.

Found out from this -> https://stackoverflow.com/questions/66414534/sanctum-spa-authentication-web-php-vs-api-php

Since I'm using SPA cookie-based auth on the web.api routes.

I can log in programmatically fine now; it would not work on the api.php routes, as mentioned.

My Angular SPA is calling the login route with this code for testing purposes:

    use Illuminate\Support\Facades\Auth;

    // Test login: authenticate user id 1 with "remember me" and return the user as JSON
    Auth::loginUsingId(1, true);
    return response()->json(Auth::user(), 200);

After it responds it updates the cookies and I can access

    Route::middleware('auth:sanctum')->group(function () {
        // protected routes, now reachable without the 401 error
    });

I hope this helps someone who could not configure cookie auth with SPAs. It took me a few days to figure out.

Now I have updated my login function and placed the Socialite login code with Google. This all works fine except for when it redirects back to my Angular app, as when I make the next request I get the 401 error, which seems related to the cookies not being sent back normally due to the redirect, unlike my old programmatic login code etc.

Any idea of the best way to handle this flow? Basically I need to redirect back to Angular but set the authenticated cookies?

Thanks for the help :)

1 like
vincent15000

@log-on Have you seen the session.php configuration file where you can customize the driver?

    'driver' => env('SESSION_DRIVER', 'file'),

Perhaps you can change the session driver constant in the .env file to cookie instead of file?

It's not a good idea to move the API routes to the web.php file. Laravel is configured to secure the routes declared inside the api.php file with the Sanctum middleware.
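The two points above (log-on's Socialite redirect losing the session, and vincent15000's advice not to move API routes into web.php) come together in one routes layout. The following is an added example written for this thread, not code from either poster or from the Laravel/Sanctum projects. It assumes the SPA is served from `app.example.test` and the API from `api.example.test` (both placeholders), a `users` table with a `google_id` column, and a `.env` containing `SESSION_DOMAIN=.example.test` and `SANCTUM_STATEFUL_DOMAINS=app.example.test`; the `app.frontend_url` config key is also an assumption.

```php
<?php
// Added example: Sanctum SPA cookie auth combined with a Socialite (Google) login.
// Login and the OAuth callback live in routes/web.php (they need the session);
// the API stays in routes/api.php behind auth:sanctum. Hostnames, the
// google_id column and app.frontend_url are assumptions for this example.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;
use Laravel\Socialite\Facades\Socialite;

// ---- routes/web.php ------------------------------------------------------
// routes/web.php is already in the 'web' middleware group (EncryptCookies,
// StartSession, VerifyCsrfToken), which is what Socialite's state check and
// Auth::login() need in order to write the session cookie.

Route::get('/auth/google/redirect', function () {
    // Socialite stores an OAuth "state" value in the session and sends the
    // browser to Google; the state is checked again on the callback.
    return Socialite::driver('google')->redirect();
});

Route::get('/auth/google/callback', function () {
    $googleUser = Socialite::driver('google')->user();

    // Look the local account up by the provider's stable id, not by e-mail
    // alone, so an unverified address at the provider cannot map onto an
    // existing account that happens to share it.
    $user = User::firstOrCreate(
        ['google_id' => $googleUser->getId()],
        ['name' => $googleUser->getName(), 'email' => $googleUser->getEmail()]
    );

    // SessionGuard::login() stores the user id in the session and migrates the
    // session id. The Set-Cookie header rides on this redirect response, so the
    // browser holds a logged-in session before the SPA makes its next request.
    Auth::login($user, true);

    // Nothing else is returned to the SPA: with cookie auth the session cookie
    // is the credential.
    return redirect(config('app.frontend_url', 'https://app.example.test'));
});

// Logout must also be a session (web) route so it can invalidate the session.
Route::post('/logout', function (Request $request) {
    Auth::guard('web')->logout();
    $request->session()->invalidate();
    $request->session()->regenerateToken();
    return response()->noContent();
});

// ---- routes/api.php ------------------------------------------------------
// The 'api' group carries Sanctum's EnsureFrontendRequestsAreStateful
// middleware (added to app/Http/Kernel.php as the Sanctum docs describe).
// When the request's Origin/Referer matches SANCTUM_STATEFUL_DOMAINS, that
// middleware runs the session and CSRF middleware for the request, so
// auth:sanctum can authenticate from the session cookie. Nothing has to move
// into web.php.

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

Route::middleware('auth:sanctum')->group(function () {
    Route::get('/orders', fn (Request $request) => $request->user()->orders);
});
```

Two client-side settings go with this: `config/cors.php` must have `'supports_credentials' => true` and list the SPA origin, and every Angular `HttpClient` call must pass `withCredentials: true`, otherwise the browser silently drops the session and XSRF-TOKEN cookies on cross-origin requests and `auth:sanctum` answers 401. If the cookie still does not arrive after the redirect, compare the `Domain` attribute on the `Set-Cookie` header in the callback response with the API hostname the SPA is calling; a mismatch there (for example a missing leading dot in `SESSION_DOMAIN`) is the usual cause.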
