Laravel sanctum unauthenticated

Question

I am using Laravel sanctum in my project with angular as frontend. Getting unauthenticated from the second api request. Please let me know where am I going wrong

Frontend-> 127.0.0.1:4200

Backend-> localhost:8888

.env config

SESSION_DOMAIN=localhost SANCTUM_STATEFUL_DOMAINS=127.0.0.1

Added middleware auth:sanctum to the routes group in api.php

Ref: https://prnt.sc/rm9ejy

score 19 · Answer 1 · answered May 25 '21 at 18:54

19

Add your domains, for example my API is running on localhost:8000 my client is running on localhost:3000 so my env setting looks like below

SANCTUM_STATEFUL_DOMAINS=localhost:8000,localhost:3000

also, add your session domain

SESSION_DOMAIN=localhost

answered May 25 '21 at 18:54

Hadayat Niazi

1,991
3
16
28

I used custom domain name for calling the backend and frontend like (backend) `api.devtest.test` (frontend) `devtest.test` What should be written on `SESSION_DOMAIN` ? – Shulz Jul 21 '21 at 02:44
1

@Shulz `.devtest.test` (note `.` at the beginning) – see https://laravel.com/docs/10.x/sanctum#cors-and-cookies – Dan Apr 01 '23 at 18:35

Stanley Aloh · Answer 2 · 2022-08-01T11:40:59.647

For anyone having an Unauthenticated error, please ensure you follow these steps.

Send a GET request to /sanctum/csrf-cookie
Send a post request to web route /login to get authenticated

After this step, you will be successfully authenticated by auth:sanctum middleware in the WEB route or any resource route that needs CRSF token present.

[Why did this work]
Sending a GET request(empty request) to /sanctum/csrf-cookie enables laravel to send the fresh set cookies command to your browser to set a fresh CRSF token which can be found in your cookies. Axios and most library send this fresh token as part of headers X-CSRF-TOKEN by default, for regular ajax request, please include them explicitly in your headers or in form _token, else your SPA will still hit the 419(token expired) error

Other things to be aware of:

Ensure your SESSION_DOMAIN is set to localhost
SANCTUM_STATEFUL_DOMAIN is set to your sub domain/SPA with the port e.g localhost:8000

For the original question please ensure you maintain same domain. I mean use localhost for both. And set SANCTUM_STATEFUL_DOMAIN = localhost:4200

Edited

Also set SESSION_DRIVER

I think the request to `/sanctum/csrf-cookie` needs to be a `GET` request. — Chris J, May 22 '21 at 11:05

jrran90 · Answer 3 · 2021-11-02T09:35:51.457

12

Have you checked your Kernel.php? app/Http/Kernel.php

Make sure you uncomment \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class, coz by default it is being commented

'api' => [
    \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
    'throttle:api',
    \Illuminate\Routing\Middleware\SubstituteBindings::class,
],

edited Nov 02 '21 at 09:35

answered Nov 01 '21 at 16:20

jrran90

668
12
18

3

You nailed it! What you are suggesting also is into the docs, check here https://laravel.com/docs/8.x/sanctum#sanctum-middleware – Fernando Torres Nov 01 '21 at 19:45

score 8 · Answer 4 · edited Nov 18 '20 at 10:16

8

Two days of pain and despair to arrive at this conclusion: the Bearer token was not attached to the request, and that was because of my .htaccess configuration.

If you, like me, are not able to authenticate via API token, try to add this line on your .htaccess file in the public directory in your Laravel project:

RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Right after RewriteEngine On directive.

CREDITS: Laravel not detecting auth token sent in the header and JWT package

edited Nov 18 '20 at 10:16

Dharman

30,962
25
85
135

answered Nov 18 '20 at 10:11

Marco Cazzaro

661
8
13

1

Sanctum doesn’t use token for Stateful auth. It uses cookies. – LDUBBS Jun 10 '21 at 12:36
2

pain and despair, I know how you feel ! – Sharkfin Dec 15 '21 at 19:46
1

Thanks man, The above solution works!! I've wasted a lot of time figuring out on my own. – Albert George Feb 07 '22 at 12:28

score 5 · Answer 5 · answered Mar 31 '20 at 19:24

5

From the screenshot you shared I see your domain is localhost and not 127.0.01, just do:

SANCTUM_STATEFUL_DOMAINS=localhost

answered Mar 31 '20 at 19:24

Luis Montoya

3,117
1
17
26

score 5 · Answer 6 · answered Jun 02 '20 at 19:38

5

For anyone using Laravel Homestead, use your actual domain.

SANCTUM_STATEFUL_DOMAINS=homestead.test

answered Jun 02 '20 at 19:38

Daniel

138
1
7

1

This worked for me when using a dummy domain "app.test" under my computer's `/etc/hosts` file – OzzyTheGiant Jun 10 '20 at 17:46

gitmiro · Answer 7 · 2020-07-01T18:09:12.983

4

Which version are you running? Since V2.4.0 you need to specify the port:

SANCTUM_STATEFUL_DOMAINS=localhost:4200

See this issue for more info.

edited Jul 01 '20 at 18:09

answered Jul 01 '20 at 08:29

gitmiro

116
4

score 2 · Answer 8 · answered Aug 18 '21 at 16:14

2

The sanctum stateful domains require the port number as well.

e.g. SANCTUM_STATEFUL_DOMAINS=127.0.0.1:4200

Although in your case your screenshot shows it should be SANCTUM_STATEFUL_DOMAINS=127.0.0.1:4201

answered Aug 18 '21 at 16:14

Peter Fox

1,809
2
20
34

score 2 · Answer 9 · answered Jul 14 '22 at 15:55

Late in the game but just to help those that keep looking for this solution, most of the answers here have some truth, just have to put them together to make it work:

ENV file: SESSION_DOMAIN=localhost (or whatever your domains is)
in config->sanctum.php->stateful (if not already there): Sanctum::currentApplicationUrlWithPort()
in app/Http/Kernel.php API add as very first (this is important) : \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
in app/http/kernel API remove if there: \Illuminate\Session\Middleware\StartSession::class,
add to your api routes middleware: auth:sanctum

Also worth checking the guard settings under config->sanctum.php

that should do.

score 1 · Answer 10 · answered Jul 26 '22 at 15:04

In case you have problems when going into production and/or have more than one subdomains and also use https don't forget that the port is 443 instead of the usual 80.

E.g.:

SANCTUM_STATEFUL_DOMAINS=*.example.com:443
SESSION_DOMAIN=.example.com

Lost days trying to figure out why the laravel, the spa or the android app were taking turns to fail, but never working all at the same time, until found that solution.

score 0 · Answer 11 · edited Nov 01 '21 at 14:48

0

I had the same solution as Marco, adding the rewrite rule to my htaccess in public fixed it.

RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

FYI I am hosting this on Auzre Web App Service (linux), if anyone else is doing that.

edited Nov 01 '21 at 14:48

Nimantha

6,405
6
28
69

answered Nov 01 '21 at 12:43

Robert Lane

11
1
2

score 0 · Answer 12 · answered Jun 23 '22 at 06:00

0

check if you had changed your guard in past. goto config/auth.php check if your provider model is same as your user model (or the model you using) for authentication. in my case i was using different guard and provider.

answered Jun 23 '22 at 06:00

rootShiv

1,375
2
6
21

score 0 · Answer 13 · answered Feb 17 '23 at 17:53

0

This worked for me. The solution is adding this to .htaccess of root folder (not only inside the public folder)

# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

answered Feb 17 '23 at 17:53

Subrata Mondal

822
7
17

Laravel sanctum unauthenticated

13 Answers13

Linked

Related