Kong / insomnia

The open-source, cross-platform API client for GraphQL, REST, WebSockets, SSE and gRPC. With Cloud, Local and Git storage.
https://insomnia.rest
Apache License 2.0

Laravel XSRF-TOKEN cookie being stored with URL encoding incorrectly #3482

Open boardy opened 3 years ago

boardy commented 3 years ago

When working with a Laravel API project using Sanctum for authentication and CSRF protection, when the XSRF-TOKEN is stored in the cookie store, it seems to be URL encoded incorrectly, as the cookie string usually ends in = but Insomnia stores it as %3D.

For example, I get the following XSRF-TOKEN received and stored in the Insomnia Cookie Store

eyJpdiI6Iml5YWEreGVaYUw0WGc2QmxlVEhQOGc9PSIsInZhbHVlIjoieVU2bmdyTjMyNFM0d0dnb3RsM24rMDFhRnJNWHVLcGg2SU9YMHh5dW8yaTZSTWcxbGxtSFdaK0I5MzB4Ymc4QWZWSzhjN2R6Y1RUTTc0d1VIY2FUaVhGMVE4bzQvWVBmL1YvajAwY3ZUNlZ4VEZIRk12cloyV0owVmNYOUxEZTIiLCJtYWMiOiI4OTUyN2U1MGI3NmUyMjEzZjgyNDcxMjAwYmViYjRkNzAwYmQ1YWUxOGY5NTYyNTVhZDczMmQ0ZjdlNjQwMGFhIn0%3D

When it should be

eyJpdiI6Iml5YWEreGVaYUw0WGc2QmxlVEhQOGc9PSIsInZhbHVlIjoieVU2bmdyTjMyNFM0d0dnb3RsM24rMDFhRnJNWHVLcGg2SU9YMHh5dW8yaTZSTWcxbGxtSFdaK0I5MzB4Ymc4QWZWSzhjN2R6Y1RUTTc0d1VIY2FUaVhGMVE4bzQvWVBmL1YvajAwY3ZUNlZ4VEZIRk12cloyV0owVmNYOUxEZTIiLCJtYWMiOiI4OTUyN2U1MGI3NmUyMjEzZjgyNDcxMjAwYmViYjRkNzAwYmQ1YWUxOGY5NTYyNTVhZDczMmQ0ZjdlNjQwMGFhIn0=

Notice the = on the end, as it should be, instead of %3D, which is what Insomnia stores it as, so this needs to be modified and manually updated each time to ensure Laravel can perform the CSRF protection.

dimitropoulos commented 3 years ago

Is it possible that you can make a mockbin.org that I could use to reproduce this?

boardy commented 3 years ago

Hi Dimitri,

I managed to replicate it using mockbin. If you send a POST request to http://mockbin.org/bin/54e06b59-0cd9-4cbf-b40c-f96883f7794f?foo=bar&foo=baz

It will generate a cookie called XSRF-TOKEN where the value should be HelloWorld= but Insomnia is showing it stored as HelloWorld%3D.

Thanks

Chris Board

-- Chris Board Website Developer/Administrator Software Developer https://boardiesitsolutions.com https://support.boardiesitsolutions.com

dimitropoulos commented 3 years ago

perfect. was able to reproduce. thank you!

abbluiz commented 3 years ago

Just spent 5 hours on this until I found this issue. At least it has been recognized.

dimitropoulos commented 3 years ago

@abbluiz I'm super sorry to hear that. I've totally been there too, myself, for what it's worth, so I can relate to how frustrating it is.

I've mentioned this to our product team and will hope we can take a closer look at it soon. To be transparent, the team is pretty hyper-focused on spaces right now so it won't be in the next release, but hopefully we can find time right after the first push of spaces.

abbluiz commented 3 years ago

@dimitropoulos Thank you. I actually found an insomnia plugin that happens to "fix" this, however it's probably better to have this fixed without using plugins anyways. It may help the team: https://insomnia.rest/plugins/insomnia-plugin-cookiedecode

boardy commented 3 years ago

Unless I'm missing something the plugin doesn't seem to work. I still need to manually edit the cookie each time.

I'm disappointed to hear that this isn't being given priority over a feature. As cookie handling is quite a vital part of a REST client app, I would have thought this should have a fairly high priority. I spent 5 days while learning Laravel thinking I was implementing it wrong or misunderstanding the tutorial, only to discover Insomnia was the problem.

abbluiz commented 3 years ago

@boardy The plugin does not fix it being stored that way, but you can use it to send it back to Laravel by calling it through the Header section. You put X-XSRF-TOKEN and the decoded cookie as the value using the plugin. However, after getting past the 419 errors I was getting, I am still getting 401 errors when I try using protected API routes after login.

boardy commented 3 years ago

@abbluiz Ah yea that did it. Was thinking it was an automatic thing not a separate cookie option. Thanks

adiachenko commented 2 years ago

@abbluiz You need to provide an Origin header to avoid 401 errors.

Anyway, the third-party plugin works, but I wish there was some built-in way to decode a value here:

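The workaround described in this thread (URL-decode the stored XSRF-TOKEN value, send it in the X-XSRF-TOKEN header, and add an Origin header to get past the 401s) as an added, self-contained example. This is not code from Insomnia, Laravel or the cookiedecode plugin; it only uses the two token strings from the original report and a constructed Set-Cookie line modelled on the mockbin reproduction. The function names, the `origin` value and the sample Set-Cookie line are assumptions made for the example; the payload check is structural only (base64 of JSON with iv, value and mac), since verifying the MAC would need the application's APP_KEY.

```javascript
// Added example for this thread, not code from Insomnia, Laravel or the
// cookiedecode plugin. Shows the workaround abbluiz and adiachenko describe:
// take the XSRF-TOKEN value as a client's cookie store holds it (with the
// trailing '=' possibly stored as '%3D'), URL-decode it, confirm it has the
// shape of a Laravel encrypted-cookie payload, and put it in X-XSRF-TOKEN.
// Runs under Node.js (Buffer is a global); no third-party modules needed.

// Laravel's encrypted payload is base64 of JSON; anything outside this
// alphabet (such as a literal '%') means the value was never decoded.
const BASE64 = /^[A-Za-z0-9+/]+={0,2}$/;

// Extract the XSRF-TOKEN value from one raw Set-Cookie header line.
// Returns null when the line carries a different cookie.
function xsrfTokenFromSetCookie(setCookie) {
  const [pair] = setCookie.split(";", 1);
  const eq = pair.indexOf("=");
  if (eq < 0) return null;
  if (pair.slice(0, eq).trim() !== "XSRF-TOKEN") return null;
  return pair.slice(eq + 1).trim();
}

// URL-decode a stored cookie value. decodeURIComponent leaves an unencoded
// value untouched, so applying it is safe whether or not the jar encoded it.
// A malformed %-sequence yields null so the caller can refuse to send a
// header it already knows Laravel will reject with a 419.
function decodeXsrfCookie(stored) {
  try {
    return decodeURIComponent(stored);
  } catch (err) {
    return null;
  }
}

// Structural check only: base64 -> JSON object with string fields iv, value
// and mac, where mac is a hex-encoded HMAC-SHA256. Verifying the MAC needs
// the application's APP_KEY, which a client never has; this just says
// whether the string is something Laravel could attempt to decrypt at all.
function inspectLaravelPayload(token) {
  if (typeof token !== "string" || !BASE64.test(token)) {
    return { ok: false, reason: "not base64 (undecoded %3D or other encoding?)" };
  }
  let obj;
  try {
    obj = JSON.parse(Buffer.from(token, "base64").toString("utf8"));
  } catch (err) {
    return { ok: false, reason: "base64 body is not JSON" };
  }
  for (const field of ["iv", "value", "mac"]) {
    if (typeof obj[field] !== "string") return { ok: false, reason: `missing ${field}` };
  }
  if (!/^[0-9a-f]{64}$/.test(obj.mac)) return { ok: false, reason: "mac is not hex SHA-256" };
  return {
    ok: true,
    iv: obj.iv,
    ivBytes: Buffer.from(obj.iv, "base64").length, // 16: one AES-CBC block
    mac: obj.mac,
  };
}

// Headers for a state-changing request to a Sanctum-protected route: the
// decoded token in X-XSRF-TOKEN plus an Origin header (adiachenko's fix for
// the 401s). `origin` is an assumed value supplied by the caller.
function buildSanctumHeaders(storedCookieValue, origin) {
  const token = decodeXsrfCookie(storedCookieValue);
  if (token === null) throw new Error("XSRF-TOKEN cookie value is not URL-decodable");
  const check = inspectLaravelPayload(token);
  if (!check.ok) throw new Error(`XSRF-TOKEN is not a Laravel payload: ${check.reason}`);
  return { "X-XSRF-TOKEN": token, Origin: origin };
}

// The token from this issue, as Insomnia stored it and as the reporter expected it.
const STORED = "eyJpdiI6Iml5YWEreGVaYUw0WGc2QmxlVEhQOGc9PSIsInZhbHVlIjoieVU2bmdyTjMyNFM0d0dnb3RsM24rMDFhRnJNWHVLcGg2SU9YMHh5dW8yaTZSTWcxbGxtSFdaK0I5MzB4Ymc4QWZWSzhjN2R6Y1RUTTc0d1VIY2FUaVhGMVE4bzQvWVBmL1YvajAwY3ZUNlZ4VEZIRk12cloyV0owVmNYOUxEZTIiLCJtYWMiOiI4OTUyN2U1MGI3NmUyMjEzZjgyNDcxMjAwYmViYjRkNzAwYmQ1YWUxOGY5NTYyNTVhZDczMmQ0ZjdlNjQwMGFhIn0%3D";
const EXPECTED = "eyJpdiI6Iml5YWEreGVaYUw0WGc2QmxlVEhQOGc9PSIsInZhbHVlIjoieVU2bmdyTjMyNFM0d0dnb3RsM24rMDFhRnJNWHVLcGg2SU9YMHh5dW8yaTZSTWcxbGxtSFdaK0I5MzB4Ymc4QWZWSzhjN2R6Y1RUTTc0d1VIY2FUaVhGMVE4bzQvWVBmL1YvajAwY3ZUNlZ4VEZIRk12cloyV0owVmNYOUxEZTIiLCJtYWMiOiI4OTUyN2U1MGI3NmUyMjEzZjgyNDcxMjAwYmViYjRkNzAwYmQ1YWUxOGY5NTYyNTVhZDczMmQ0ZjdlNjQwMGFhIn0=";

// Constructed Set-Cookie line modelled on the mockbin reproduction above.
const SAMPLE_SET_COOKIE = "XSRF-TOKEN=HelloWorld%3D; Path=/; SameSite=Lax";

console.log(decodeXsrfCookie(STORED) === EXPECTED);     // true
console.log(inspectLaravelPayload(STORED).reason);      // not base64 (undecoded %3D ...)
console.log(inspectLaravelPayload(EXPECTED));           // { ok: true, iv: ..., ivBytes: 16, mac: ... }
console.log(buildSanctumHeaders(STORED, "http://localhost:3000"));
console.log(xsrfTokenFromSetCookie(SAMPLE_SET_COOKIE)); // HelloWorld%3D
```

Running it shows that the stored value fails the base64 check precisely because of the `%3D`, while the decoded value parses into the iv/value/mac structure Laravel's VerifyCsrfToken middleware expects from the X-XSRF-TOKEN header; the same `decodeXsrfCookie` step is what the cookiedecode plugin performs when used in the Header section.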
abbluiz commented 2 years ago

@adiachenko Yeah, I figured out the other problems. Thank you, though. Also waiting for this built-in feature.

garethredfern commented 2 years ago

@abbluiz you are a legend! I lost hours trying to figure this out too. It's a shame because I love the simplicity of Insomnia but it looks like core bugs are not being looked at over features.

tchartron commented 7 months ago

Thank you @abbluiz for the workaround using the plugin, saved me lots of time. Would be great if this was a built-in feature