Skip ensure stateful middleware if token present #475

Conversation

@antja0 antja0 commented Oct 4, 2023

Previous pull request #473

If SPA authentication is used, the documentation suggests enabling the EnsureFrontendRequestsAreStateful middleware for the api group and populating first-party endpoints in the SANCTUM_STATEFUL_DOMAINS env variable.

This means token authentication from these domains does not work.

What if you want to use both SPA Authentication and API Token Authentication from the same domain?

Consider the following scenario:

  • I want to use SPA authentication but at the same time provide interactive API documentation where users can try API endpoints with a token
  • JavaScript sends the request with the token
  • the request fails because of an invalid state

One possible solution is to host this documentation on another domain.

However, I started thinking: is there a reason to check for CSRF on API endpoints if a valid bearer token is provided?

I'm planning to override this middleware in my own application.

Rare scenario, but something to consider.
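One way to implement the override the post talks about, added here as an example that is not part of this thread or of Sanctum itself: a subclass of Sanctum's middleware that hands the request straight to the next middleware when it carries a Bearer credential, and otherwise defers to the normal stateful pipeline. The class name `EnsureFrontendRequestsAreStatefulUnlessToken`, the `App\Http\Middleware` namespace and the `hasBearerToken()` helper are assumptions; `EnsureFrontendRequestsAreStateful`, its `handle()` method and `Request::bearerToken()` are real Sanctum/Laravel APIs.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Http\Request;
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;

/**
 * Hypothetical override (not shipped with Sanctum): skip the stateful
 * frontend pipeline (EncryptCookies, StartSession, VerifyCsrfToken, ...)
 * whenever the client sends "Authorization: Bearer <token>".
 *
 * Why this is safe to key on: a browser never attaches an Authorization
 * header on its own (cookies are the only ambient credential), so a request
 * that carries one was deliberately built by the caller and cannot be a
 * cross-site forgery. Because StartSession is skipped too, the session
 * cookie is never read on this path, so Sanctum's guard authenticates by
 * the token alone or not at all; a session never rides along without CSRF.
 */
class EnsureFrontendRequestsAreStatefulUnlessToken extends EnsureFrontendRequestsAreStateful
{
    /**
     * Same signature as the parent middleware.
     */
    public function handle($request, $next)
    {
        if ($this->hasBearerToken($request)) {
            // Token request: no session, no CSRF; the token guard decides.
            return $next($request);
        }

        // No token: behave exactly like Sanctum (stateful only for
        // requests whose Referer/Origin matches SANCTUM_STATEFUL_DOMAINS).
        return parent::handle($request, $next);
    }

    /**
     * Only a non-empty Bearer credential counts. A bare "Authorization:"
     * header, Basic auth, or a token passed in a query string does not,
     * so the session/CSRF protection stays in place for those requests.
     */
    protected function hasBearerToken(Request $request): bool
    {
        return (string) $request->bearerToken() !== '';
    }
}

// Registration (Laravel 10 era, matching the date of this thread; assumed):
// in app/Http/Kernel.php, inside the 'api' middleware group, replace
//     \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
// with
//     \App\Http\Middleware\EnsureFrontendRequestsAreStatefulUnlessToken::class,
```

Before relying on it, check the two behaviours that matter in a feature test: a POST from a stateful origin that carries only the session cookie and no CSRF token must still be rejected with 419, and the same POST with a valid Bearer header and no CSRF token must succeed with `auth()->user()` resolved to the token's owner, not to the session user. The decision deliberately keys only on the Authorization header; skipping the pipeline on anything a forged link or form can carry (a query parameter, a cookie, a hidden field) would reopen the CSRF hole the middleware exists to close.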

@taylorotwell
Member

I think Sanctum is fine. To be honest, I don't even fully follow your issue.

@antja0
Author

antja0 commented Oct 5, 2023

@taylorotwell

I don't fully even follow your issue.

If SANCTUM_STATEFUL_DOMAINS contains test.com, you cannot use API tokens on test.com.

If you want both session and API token authentication for the same domain, it is not possible.

If the client includes an Authorization header / API token, it's likely they intend to authorize with the Authorization header / API token.

Requiring a session in this case feels a bit odd to me, since if an attacker already has a valid token then the game is lost anyway.

Of course, if you decide that different forms of authentication should never be mixed this way and every domain should only use one type of authentication, that's a completely valid point too. And possibly a more robust philosophy as well.

@antja0
Author

antja0 commented Oct 5, 2023

To further clarify: by authentication I'm talking about authenticating the frontend; API tokens of course do work without a Referer header.

One example is interactive API documentation, like Swagger UI, on your otherwise session-protected site.
