Skip ensure stateful middleware if token present #475
Closed
Previous pull request #473
If SPA Authentication is used, the documentation suggests enabling the `EnsureFrontendRequestsAreStateful` middleware for api and populating first-party endpoints in the `SANCTUM_STATEFUL_DOMAINS` env variable.
This means token authentication from these domains does not work.
What if you want to use both SPA Authentication and API Token Authentication from the same domain?
Consider the following scenario:
One possible solution is to host this documentation on another domain.
However, I started thinking: is there a reason to check for CSRF for API endpoints if a valid bearer token is provided?
I'm planning to override this middleware in my own application.
Rare scenario, but something to consider.