laravel / sanctum

Laravel Sanctum provides a featherweight authentication system for SPAs and simple APIs.
https://laravel.com/docs/sanctum
MIT License

Ability to choose the prefix and/or change full route for "/sanctum/csrf-cookie" #151

Closed darkylmnx closed 4 years ago

darkylmnx commented 4 years ago

For people doing full SPA and managing routes under the /api/ prefix group, it seems weird to have /sanctum/csrf-cookie as the CSRF initialize route; something like /api/csrf-cookie would make more sense.

After some checks in the files, I saw that https://github.com/laravel/sanctum/blob/2.x/src/SanctumServiceProvider.php#L81 was where the routes were created. It seems there's a sanctum.prefix key that can be used for that, but the key does not appear in the said config file.

I think it should be there by default and also mentioned in the docs. I would also argue that sanctum.routes should be documented with a clear way of defining a custom route for that endpoint if people do not want to have the word "CSRF" or so in the endpoint name, which would show attackers what framework is underlying and what package is used.

Security-wise, I don't know how dangerous it is or isn't to have this kind of endpoint public.
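An added example (not code from the Sanctum project or from anyone in this thread) of how a team that moves the endpoint with the sanctum.prefix key discussed above can verify the change in a Laravel feature test. It assumes config/sanctum.php contains 'prefix' => 'api' and that nothing else registers the old path; the class and test names are hypothetical.

```php
<?php
// Added example, not part of Laravel Sanctum or of this issue thread.
// Assumes config/sanctum.php contains:  'prefix' => 'api',
// The key is read once when the service provider registers the routes at boot,
// so overriding it with config([...]) inside a test would not move the route.

namespace Tests\Feature;

use Tests\TestCase;

class CsrfCookiePrefixTest extends TestCase
{
    /** The CSRF cookie endpoint should live under the prefix the SPA already uses. */
    public function test_csrf_cookie_is_served_under_api_prefix(): void
    {
        $response = $this->getJson('/api/csrf-cookie');

        $response->assertNoContent();            // 204 with an empty body
        $response->assertCookie('XSRF-TOKEN');   // the token the SPA echoes back in X-XSRF-TOKEN
    }

    /** Once the prefix is changed, the default path must no longer respond. */
    public function test_default_sanctum_path_is_not_registered(): void
    {
        $this->getJson('/sanctum/csrf-cookie')->assertNotFound();
    }
}
```

Run it with the project's usual PHPUnit invocation after changing the prefix; the second test is the one that catches a stale default path still being exposed.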

driesvints commented 4 years ago

There's a sanctum.prefix config option.

darkylmnx commented 4 years ago

Either you didn't read my post at all or it seems issues aren't considered here.

As I wrote, I know there's a prefix, but it's neither in the docs nor in the config file, and I was suggesting it should be.

Now, the other thing I wrote was how to change the full URL and not only the prefix. There again, I wrote that the procedure for doing so should be specified in the docs.

On Fri, 5 Jun 2020 at 09:29, Dries Vints notifications@github.com wrote:

Closed #151 https://github.com/laravel/sanctum/issues/151.


eleftrik commented 4 years ago

There's a sanctum.prefix config option.

Why isn't this option listed in the Sanctum official documentation nor can it be found in config/sanctum.php file?

By the way, thank you for solving my requirement :-)

driesvints commented 4 years ago

It isn't because we don't encourage its use. It's there for when people need it.

derekphilipau commented 4 years ago

I agree with @darkylmnx, especially for SPA projects where Laravel is only providing an API, it doesn't make sense to hide the sanctum.prefix option. In these cases, the auth routes are logically part of the API and should be accessed within whatever route group (e.g. '/api', '/api/v1', etc.) the API is already using.

Can you please clarify the reasons as to why setting sanctum.prefix is not "encouraged"? If there are serious security issues, perhaps the option should be removed. If there are no serious issues, I suggest just putting this option in the config file so that developers don't have to search the source code or GitHub Issues in order to discover that the option exists at all.