
Sanctum 3.2.4 causes CSRF token mismatch error #444

Closed
sts-ryan-holton opened this issue May 2, 2023 · 7 comments

Comments

@sts-ryan-holton

sts-ryan-holton commented May 2, 2023

Sanctum Version

3.2.4

Laravel Version

10.9.0

PHP Version

8.1.13

Database Driver & Version

MySQL 8.x

Description

After upgrading from 3.2.3 to 3.2.4 and making no configuration changes to my project, making POST requests to my API endpoints throws a "CSRF token mismatch." error. When simply downgrading back to 3.2.3 everything works as intended.

It's noted that I'm working on localhost.

It looks like this function in a recent change is responsible, and after some debugging of it myself, the returned $domain value appears to be giving the following value when working on localhost:

"localhost/"

Note the trailing slash. I think this is causing something to break in validating the token since my SESSION_DOMAIN value is just "localhost".

Error...

{
    "message": "CSRF token mismatch.",
    "exception": "Symfony\\Component\\HttpKernel\\Exception\\HttpException",
    "file": "/Users/ryanholton/Sites/bume-project/bume-api/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php",
    "line": 413,
}

Steps To Reproduce

  1. Upgrade from 3.2.3 to 3.2.4
  2. Keep host variable set as "localhost"

Additional context

Weirdly, on 3.2.4 the token mismatch error was only ever thrown on POST requests to the store action. GET requests to other actions continued to work.

For now I've downgraded a version.

There's no notes listed in the upgrade file.

@Mishanki

Mishanki commented May 3, 2023

I have the same problem with a Laravel 10 REST API.
The REST API is stateless.

How to resolve the problem?
Exclude the domain from the stateful list.

// config/sanctum.php
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
    '%s%s',
    'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
    Sanctum::currentApplicationUrlWithPort()
))),

In .env, define SANCTUM_STATEFUL_DOMAINS with an empty domain.
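The host check the thread is circling, written out as an added illustration rather than Sanctum's own middleware code: the Referer (or Origin) header is parsed down to host[:port] before it is compared with the stateful list, so "http://localhost/" and a configured "localhost" agree, whereas a plain string comparison of the unparsed "localhost/" fails in the way the report describes. The function names, the fnmatch-style wildcard handling and the sample headers are assumptions made for this example; the default domain list is the one from the config snippet above. The last call shows what the empty SANCTUM_STATEFUL_DOMAINS workaround does: with no stateful domains, no request is treated as a first-party SPA request, so session and CSRF handling are skipped and every API call has to carry a token instead.

```php
<?php
// Added example, not code from laravel/sanctum: normalizing the
// Referer/Origin host before comparing it with the stateful domain list.
declare(strict_types=1);

/**
 * Reduce a Referer/Origin header value to "host" or "host:port".
 * Returns null when the header is missing or cannot be parsed.
 */
function originHost(?string $header): ?string
{
    if ($header === null || $header === '') {
        return null;
    }
    // parse_url() only recognises the authority part when a scheme is present.
    $url = str_contains($header, '://') ? $header : 'http://' . $header;
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return null;
    }
    $host = strtolower($parts['host']);

    return isset($parts['port']) ? $host . ':' . $parts['port'] : $host;
}

/**
 * Naive check: exact string comparison of the raw value.
 * "localhost/" (trailing slash, as seen in the report) never equals "localhost".
 */
function isStatefulNaive(string $rawDomain, array $stateful): bool
{
    return in_array($rawDomain, $stateful, true);
}

/**
 * Hardened check: compare the parsed host[:port] and allow shell-style
 * wildcards such as "*.example.test" in the stateful list. Empty entries
 * (the workaround from the thread) are dropped, so nothing matches.
 */
function isStateful(?string $referer, ?string $origin, array $stateful): bool
{
    $host = originHost($referer ?: $origin);
    if ($host === null) {
        return false;
    }
    foreach (array_filter(array_map('trim', $stateful)) as $pattern) {
        if (fnmatch(strtolower($pattern), $host)) {
            return true;
        }
    }

    return false;
}

// Constructed inputs mirroring the report: the default stateful list, and a
// browser on localhost sending "Referer: http://localhost/".
$stateful = ['localhost', 'localhost:3000', '127.0.0.1', '127.0.0.1:8000', '::1'];

var_dump(isStatefulNaive('localhost/', $stateful));
var_dump(isStateful('http://localhost/', null, $stateful));
var_dump(isStateful(null, 'http://localhost:3000', $stateful));
var_dump(isStateful('https://unlisted.test/', null, $stateful));
// Workaround from the thread: SANCTUM_STATEFUL_DOMAINS set to an empty value.
var_dump(isStateful('http://localhost/', null, explode(',', '')));
```

The naive comparison reports false for "localhost/", the parsed comparison reports true for both the Referer and Origin forms, false for a host that is not in the list, and false for everything once the list is empty. Passing this check only decides whether a request gets session-based handling; when the frontend and the API live on different sites, the session cookie still has to reach the API (CORS with credentials and a suitable SESSION_DOMAIN and SameSite setting), which this example does not cover.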

@taylorotwell
Member

Please try 3.2.5.

@sts-ryan-holton
Author

I've just updated to 3.2.5 and it appears to be working on first glance. I'd like to keep this issue open for a few days for observations.

@taylorotwell What do the newest changes around middleware solve? We've noticed several implementations and rollbacks recently on this - just curious what this change is?

@driesvints
Member

@sts-ryan-holton thanks for confirming that. If it solves your issue then there's no reason to keep this open.

@rocalex

rocalex commented Jul 6, 2023

I have the same problem.
I'm calling API from next.js app.

Frontend: http://localhost:3000
Backend: https://api.barren.cn

How to solve this problem?

@rocalex

rocalex commented Jul 6, 2023

(screenshot attached in the original comment; not reproduced here)

@rocalex

rocalex commented Jul 6, 2023

{
    "message": "CSRF token mismatch.",
    "exception": "Symfony\\Component\\HttpKernel\\Exception\\HttpException",
    "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php",
    "line": 396,
    "trace": [
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php",
            "line": 367,
            "function": "prepareException",
            "class": "Illuminate\\Foundation\\Exceptions\\Handler",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php",
            "line": 51,
            "function": "render",
            "class": "Illuminate\\Foundation\\Exceptions\\Handler",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 185,
            "function": "handleException",
            "class": "Illuminate\\Routing\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php",
            "line": 121,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php",
            "line": 64,
            "function": "handleStatefulRequest",
            "class": "Illuminate\\Session\\Middleware\\StartSession",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 180,
            "function": "handle",
            "class": "Illuminate\\Session\\Middleware\\StartSession",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php",
            "line": 37,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 180,
            "function": "handle",
            "class": "Illuminate\\Cookie\\Middleware\\AddQueuedCookiesToResponse",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php",
            "line": 67,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 180,
            "function": "handle",
            "class": "Illuminate\\Cookie\\Middleware\\EncryptCookies",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/sanctum/src/Http/Middleware/EnsureFrontendRequestsAreStateful.php",
            "line": 60,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 162,
            "function": "Laravel\\Sanctum\\Http\\Middleware\\{closure}",
            "class": "Laravel\\Sanctum\\Http\\Middleware\\EnsureFrontendRequestsAreStateful",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 116,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/sanctum/src/Http/Middleware/EnsureFrontendRequestsAreStateful.php",
            "line": 24,
            "function": "then",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 180,
            "function": "handle",
            "class": "Laravel\\Sanctum\\Http\\Middleware\\EnsureFrontendRequestsAreStateful",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 116,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Routing/Router.php",
            "line": 797,
            "function": "then",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Routing/Router.php",
            "line": 776,
            "function": "runRouteWithinStack",
            "class": "Illuminate\\Routing\\Router",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Routing/Router.php",
            "line": 740,
            "function": "runRoute",
            "class": "Illuminate\\Routing\\Router",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Routing/Router.php",
            "line": 729,
            "function": "dispatchToRoute",
            "class": "Illuminate\\Routing\\Router",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php",
            "line": 190,
            "function": "dispatch",
            "class": "Illuminate\\Routing\\Router",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 141,
            "function": "Illuminate\\Foundation\\Http\\{closure}",
            "class": "Illuminate\\Foundation\\Http\\Kernel",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php",
            "line": 21,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ConvertEmptyStringsToNull.php",
            "line": 31,
            "function": "handle",
            "class": "Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 180,
            "function": "handle",
            "class": "Illuminate\\Foundation\\Http\\Middleware\\ConvertEmptyStringsToNull",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php",
            "line": 21,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php",
            "line": 40,
            "function": "handle",
            "class": "Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 180,
            "function": "handle",
            "class": "Illuminate\\Foundation\\Http\\Middleware\\TrimStrings",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php",
            "line": 27,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 180,
            "function": "handle",
            "class": "Illuminate\\Foundation\\Http\\Middleware\\ValidatePostSize",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php",
            "line": 86,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 180,
            "function": "handle",
            "class": "Illuminate\\Foundation\\Http\\Middleware\\PreventRequestsDuringMaintenance",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Http/Middleware/HandleCors.php",
            "line": 62,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 180,
            "function": "handle",
            "class": "Illuminate\\Http\\Middleware\\HandleCors",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustProxies.php",
            "line": 39,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 180,
            "function": "handle",
            "class": "Illuminate\\Http\\Middleware\\TrustProxies",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
            "line": 116,
            "function": "Illuminate\\Pipeline\\{closure}",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php",
            "line": 165,
            "function": "then",
            "class": "Illuminate\\Pipeline\\Pipeline",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php",
            "line": 134,
            "function": "sendRequestThroughRouter",
            "class": "Illuminate\\Foundation\\Http\\Kernel",
            "type": "->"
        },
        {
            "file": "/Volumes/DATA/SourceCode/barren/backend/public/index.php",
            "line": 51,
            "function": "handle",
            "class": "Illuminate\\Foundation\\Http\\Kernel",
            "type": "->"
        }
    ]
}
