
For the sake of making my use-case more understandable, I'll classify services like Figma, WhatsApp, etc. as SPAs. I've never received a page-expired error from those "SPAs".

So it is 2020, and we now also have Laravel 8: is it appropriate to use Sanctum to achieve such a never-expiring SPA just by placing all routes in api.php, assuming that the SPA is on the same domain/subdomain as the Laravel app?

Btw, according to the Sanctum docs, this implies the use of API tokens for those API routes, but this kind of usage for a first-party SPA is clearly not the intended use of Laravel Sanctum.

Damilola Olowookere

2 Answers


Maybe not the best way to achieve that, but if it works you'll get your job done, and I don't see the problem with doing that even if it was intended for another use.

therealwalim

It seems Sanctum cannot handle this case, because if the request is from the frontend, it applies session-based auth checks.

I have however proposed a possible update that can make this possible. Hopefully, it will be considered for implementation.

In the meantime, a sane workaround that does not pose any serious security threat for my use-case is to increase the session timeout.

Damilola Olowookere