Hi - I have a vue spa hosted in a subdomain that is talking to a laravel api on another subdomain, both sitting under the same parent domain. I'm using CSRF token authorisation via Sanctum/Fortify and everything is working fine on localhost. I've moved that spa and api into production, tweaked all of the configuration information to reflect the new subdomains, etc. The api is serving calls across the public api routes absolutely fine but when I try and authenticate I have a problem. I can see in the response headers from the get sanctum/sanctum/csrf-cookie call that both the laravel session and csrf-token have been returned but neither cookie is set and the subsequent login fails with a 419. Any thoughts as to why this might be the case? Is there some additional configuration required for the server environment?
It sounds like you may need to enable CORS on your Apache server. You can do this by adding the following code to your .htaccess file:
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,POST,OPTIONS,DELETE,PUT"
Header set Access-Control-Allow-Headers "Content-Type, Authorization"
You may also need to enable mod_headers in your Apache configuration. You can do this by running the following command:
sudo a2enmod headers
Once you have enabled CORS and mod_headers, restart your Apache server and try authenticating again.
That can't be right because you'd end up with two access origin requests, one from htaccess and the other set by laravel based on the stateful domains configuration information, which I can already see is being set in headers. Any better ideas?
Okay. So the issue was that the sanctum stateful domain needed to be set to .rootdomain.com rather than the subdomain that the spa is in. So now I get the CSRF token back correctly and this is set as a cookie along with the laravel session cookie. When I now try to login I get a 401 back. The login seems to be hitting the right endpoint because when I enter the wrong credentials it comes back with the expected error message. I can see that the CSRF token is in the headers and this correlates to the cookie value and the response back from login is 'unauthenticated'. Anybody have any thoughts as to what might be the problem?
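For reference, here is an added example (not code posted in this thread) of the three Laravel config files that have to agree for the cross-subdomain csrf-cookie handshake to work. It assumes placeholder hosts spa.example.com (Vue) and api.example.com (Laravel), that the parent domain with a leading dot goes in SESSION_DOMAIN as the Sanctum SPA docs specify, and that SANCTUM_STATEFUL_DOMAINS lists the SPA host.

```php
<?php
// Added example, not from the thread. The three entries are grouped in one
// array so they can be read side by side; each belongs in the named file as
// that file's returned array. Hostnames are placeholders.
return [

    // config/session.php
    // The laravel_session and XSRF-TOKEN cookies are issued by api.example.com.
    // With Domain=.example.com (leading dot) the browser also attaches them to
    // requests made from the SPA origin; scoped to the api host alone they are
    // stored but never sent from spa.example.com, which is how a 419 arises.
    'config/session.php' => [
        'domain'    => env('SESSION_DOMAIN', '.example.com'),
        'secure'    => env('SESSION_SECURE_COOKIE', true), // HTTPS only in production
        'same_site' => 'lax',
    ],

    // config/sanctum.php
    // Requests whose Referer/Origin host matches one of these are treated as
    // first-party and authenticated by the session cookie rather than a token.
    // Entries are hostnames without a scheme; a non-standard port is included.
    'config/sanctum.php' => [
        'stateful' => explode(',', env(
            'SANCTUM_STATEFUL_DOMAINS',
            'spa.example.com,localhost,127.0.0.1'
        )),
        'guard' => ['web'],
    ],

    // config/cors.php
    // supports_credentials emits Access-Control-Allow-Credentials: true, and a
    // browser refuses a credentialed response whose Allow-Origin is "*", so the
    // SPA origin is listed explicitly. Emitting the same header again from
    // .htaccess would only duplicate it, as the reply above notes.
    'config/cors.php' => [
        'paths'                => ['api/*', 'sanctum/csrf-cookie', 'login', 'logout'],
        'allowed_methods'      => ['*'],
        'allowed_origins'      => ['https://spa.example.com'],
        'allowed_headers'      => ['*'],
        'supports_credentials' => true,
    ],
];
```

On the client side the requests must be sent with credentials (for axios, `withCredentials: true`), otherwise the cookies above are never attached and a session-guarded login route answers 401 Unauthenticated.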