Ignoring of request headers

[jackkitley]

If i use the url and try authenticate via the docs i always get a error as it was the CSRF token which is not needed for the sanctum api request.

If i export to postman and click the button to post to auth then i get the response i am looking for..

If i try postman i get the correct response:

[kevincobain2000]

Hi, thanks for reporting.
Let me have a look.
If I remove adding X-CSRF-TOKEN to headers when it's value is empty, would work for you?

[kevincobain2000]

Like this: #68

[jackkitley]

This is the request that is not working from the documents. I caught the request in console:

Result:

{"status":500,"success":false,"error":{"code":500,"message":"CSRF token mismatch."}}

curl 'http://localhost/api/auth'
-H 'Accept: application/json, text/plain, /'
-H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8'
-H 'Authorization: Bearer'
-H 'Cache-Control: no-cache'
-H 'Connection: keep-alive'
-H 'Content-Type: application/json;charset=UTF-8'
-H 'Cookie: JSESSIONID.2b84989e=node07l6xggrciay8jx7295segy967.node0; JSESSIONID.5353d309=node01l7d23qeq46bnqv7uhe64qtfl2.node0; jenkins-timestamper-offset=-7200000; JSESSIONID.e0139d4a=node01jc68r3nruauq1qryxpvtsuy359.node0; screenResolution=1920x1080; JSESSIONID.c93846e1=node07tt6op3njuqywuwa128iem0p0.node0; JSESSIONID.25ec0c08=node026o0go5nquq1daizxvtuj3552.node0; JSESSIONID.afa366ea=node088cymhiju4gx19jtkaaaaktcn4.node0; JSESSIONID.b2d12f37=node0h6phxoodtlw21892ftjp56vrs0.node0; JSESSIONID.8df212d3=node01a7m3arx63ovt12qkzl4m9z4430.node0; JSESSIONID.9a3073d2=node061k4j5olaxo6lphqxghvnkt70.node0; JSESSIONID.5b57156e=node01nd9y4s0s8zpj19alodss0fy510.node0; JSESSIONID.ed350b34=node01olt5dl2iulbfytkij40v3b6m2.node0; JSESSIONID.d79d91e4=node019bleri6n83s21t63gh4sbqvbr0.node0; XDEBUG_PROFILE=; PHPSESSID=90300e5a16bdf041b4fa3a54453ef9bd; _ga=GA1.1.975793485.1650558215'
-H 'Origin: http://localhost'
-H 'Pragma: no-cache'
-H 'Referer: http://localhost/request_doc'
-H 'Sec-Fetch-Dest: empty'
-H 'Sec-Fetch-Mode: cors'
-H 'Sec-Fetch-Site: same-origin'
-H 'Sec-GPC: 1'
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.79 Safari/537.36'
-H 'X-CSRF-TOKEN: '
-H 'X-Request-LRD: lrd'
--data-raw '{"email":"","password":""}'
--compressed

This is working from postman extract:

curl --location --request POST 'http://localhost/api/auth'
--header 'Content-Type: application/json'
--header 'Accept: application/json'
--data-raw '{
"email": "",
"password": ""
}'

[jackkitley]

If i take out

-H 'Origin: http://localhost'
-H 'Referer: http://localhost/request_doc' \

then it works. Wonder if its Cors

[kevincobain2000]

Interesting. I don't think it is cors issue, but trusthosts or trust proxies issues, which you try to change it inside your project.

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var array|string|null
     */
    protected $proxies = ['127.0.0.1', 'localhost'];

Not sure, I ll try and reproduce on my local

[jackkitley]

Interesting. I don't think it is cors issue, but trusthosts or trust proxies issues, which you try to change it inside your project.

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var array|string|null
     */
    protected $proxies = ['127.0.0.1', 'localhost'];

Not sure, I ll try and reproduce on my local

Ok, not a cors issue.

{
"message": "CSRF token mismatch.",
"exception": "Symfony\Component\HttpKernel\Exception\HttpException",
"file": "/var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php",
"line": 357,
"trace": [
{
"file": "/var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php",
"line": 331,
"function": "prepareException",
"class": "Illuminate\Foundation\Exceptions\Handler",
"type": "->"
},

This is with the docs. My api works with sanctum

[jackkitley]

I generated the docs again and now its working. very strange. thanks

[kevincobain2000]

Thanks for the update buddy @jackkitley

[jackkitley]

@kevincobain2000 Happening again.

[jackkitley]

also getting this in console:

I use docker. Not sure if this should resolve somehow?

[jackkitley]

I replicated the issue which is a strange one for the API docs. When you authenticate via the website and get a session and then go back to the api docs and click run then it all works again? very strange.

[kevincobain2000]

Well, that is the correct behavior. The API docs are just like any other page. Once you are logged into your domain, the cookies for session etc are set by Laravel. And when the API call is made, the api is able to authenticate the user.