amrnn90 / breeze-nuxt

An application / authentication starter kit frontend in Nuxt3 for Laravel Breeze.
MIT License

get auth data using header referer option #4

Closed thepnl closed 1 year ago

thepnl commented 2 years ago

Hello,

I've been using your breeze-nuxt and there is an issue: unauthorized data can be called without a token option in the header. As long as the referer option is set in the header, any unauthorized data can be called.

Thanks

amrnn90 commented 2 years ago

Hi, when you say "any unauthorized data can be called", what do you mean by this exactly? Do you mean your Laravel app returns unauthorized data even though no token is sent? That should not be possible unless you are doing something wrong on Laravel's side; make sure you are using the sanctum middleware correctly.

However, if you mean that $larafetch is not redirecting to the /login page, then you might wanna try the latest update I made here; there was an issue with using navigateTo, so I replaced it with calling the router directly.

thepnl commented 1 year ago

Now, it works fine. Is this only working for a local server? Because after I changed the backend and frontend names to domain names (https://api.domain.com for the backend, https://domain.com for the frontend), the login won't work.

thepnl commented 1 year ago

ERROR IS 419 MESSAGE: "CSRF token mismatch.", exception: "Symfony\Component\HttpKernel\Exception\HttpException",…

amrnn90 commented 1 year ago

Unfortunately the problem you are facing has nothing to do with this Nuxt starter; you will likely need to tinker with some cors or session configurations on Laravel's side. Check out this thread and see if it helps you: https://github.com/laravel/sanctum/issues/11

Specifically, try adding this to your config/session.php file:

    // config/session.php
    'domain' => '.domain.com',
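As an added illustration (not code from breeze-nuxt or Laravel), here is a small JavaScript model of RFC 6265 cookie scoping that shows why the session `domain` setting decides whether a 419 appears when the API lives on api.domain.com and the Nuxt app on domain.com. The host names are the ones from this thread; the cookie name and the default Sanctum SPA behaviour described in the comments are assumptions about a stock setup.

```javascript
// Added example: models RFC 6265 cookie scoping to show why a cookie issued by
// api.domain.com is invisible to a SPA on domain.com until Laravel's session
// 'domain' is set to '.domain.com'. Public-suffix checks are not modelled.

// RFC 6265 §5.1.3: does `host` domain-match `domain`?
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // An IP address never domain-matches a parent "domain".
  if (/^[\d.]+$/.test(host)) return false;
  return host.endsWith(domain) && host[host.length - domain.length - 1] === '.';
}

// Derive a cookie's scope from a Set-Cookie `Domain` attribute (RFC 6265 §5.2.3, §5.3).
// `issuer` is the host that sent the Set-Cookie header; returns null if the browser
// would reject the cookie because the issuer is outside the requested domain.
function cookieScope(issuer, domainAttr) {
  if (!domainAttr) {
    return { domain: issuer.toLowerCase(), hostOnly: true }; // host-only cookie
  }
  const d = domainAttr.replace(/^\./, '').toLowerCase(); // a leading dot is ignored
  if (!domainMatches(issuer, d)) return null;
  return { domain: d, hostOnly: false };
}

// Is a cookie with this scope visible (document.cookie / request headers) to `host`?
function visibleTo(scope, host) {
  if (!scope) return false;
  return scope.hostOnly
    ? host.toLowerCase() === scope.domain
    : domainMatches(host, scope.domain);
}

// Scenario from the thread: Laravel at api.domain.com, Nuxt at domain.com.
// Default config (assumed): no Domain attribute, so XSRF-TOKEN is host-only.
const defaultScope = cookieScope('api.domain.com', undefined);
// With 'domain' => '.domain.com' in config/session.php:
const fixedScope = cookieScope('api.domain.com', '.domain.com');

// The Nuxt app on domain.com must read XSRF-TOKEN to send the X-XSRF-TOKEN header;
// when it cannot, Laravel answers 419 "CSRF token mismatch".
function spaCanReadXsrfCookie(scope) {
  return visibleTo(scope, 'domain.com');
}
```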