mikebronner / laravel-sign-in-with-apple

Provide "Sign In With Apple" functionality to your Laravel app.
MIT License
450 stars 67 forks

CSRF Token Mismatch #32

Open another-novelty opened 3 years ago

another-novelty commented 3 years ago

Hi!

When the callback returns from the apple servers I get a 419 error from Laravel. Disabling the VerifyCsrfToken middleware fixes this but is obviously not a fix.

Laravel framework version: v8.13.0
laravel-sign-in-with-apple version: 0.5.0
socialite version: 5.1.0

My naive guess is that this is actually a laravel, apple or configuration issue as the request somehow returns with a POST instead of a GET with the state token in the request instead of the header.

yaroslavolekh commented 3 years ago

The same issue

mikebronner commented 3 years ago

It sounds like you need to exclude your webhooks from being checked for CSRF tokens, but I have never had this issue. Please provide a working example repo that demonstrates this issue, if you would like me to look into this. At this point I have nothing to go on.

mirko77 commented 3 years ago

Well, Apple sends back a POST request without the CSRF Token Laravel is expecting.

I personally added the CSRF as a nonce parameter which is sent back by Apple and check it manually.

In VerifyCsrfToken.php the Apple redirect URI needs to be excluded.

protected $except = [
    'handle/apple/callback',
];

What I have not figured out yet is how to define handle/apple/callback in the .env instead of hardcoding it
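One way to take the callback path from `.env` instead of hardcoding it, and to replace the skipped CSRF check with a manual `state` and `nonce` comparison, as an added example that is not part of the thread above or of the package's own code. It assumes `config('services.apple.redirect')` and `config('services.apple.client_id')` are populated from `.env` (the usual Socialite `config/services.php` convention), that a POST route for the callback path points at the `callback` method, and that verifying the `id_token` signature against Apple's JWKS is handled elsewhere; the class and method names are illustrative.

```php
<?php
// app/Http/Middleware/VerifyCsrfToken.php (added example, not the package's code)
// Assumes APPLE_REDIRECT_URI=https://example.com/handle/apple/callback in .env,
// exposed as config('services.apple.redirect').

namespace App\Http\Middleware;

use Illuminate\Contracts\Encryption\Encrypter;
use Illuminate\Contracts\Foundation\Application;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    // Filled in the constructor so the excluded path follows .env, not a literal here.
    protected $except = [];

    public function __construct(Application $app, Encrypter $encrypter)
    {
        parent::__construct($app, $encrypter);

        $path = parse_url((string) config('services.apple.redirect'), PHP_URL_PATH);
        if (is_string($path) && $path !== '') {
            $this->except[] = ltrim($path, '/');   // e.g. 'handle/apple/callback'
        }
    }
}

// app/Http/Controllers/AppleAuthController.php (illustrative name)
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Str;

class AppleAuthController extends Controller
{
    // Before redirecting to Apple: mint state and nonce and keep them server-side.
    public function redirect(Request $request)
    {
        $state = Str::random(40);
        $nonce = Str::random(40);
        $request->session()->put(['apple_state' => $state, 'apple_nonce' => $nonce]);

        $query = http_build_query([
            'client_id'     => config('services.apple.client_id'),
            'redirect_uri'  => config('services.apple.redirect'),
            'response_type' => 'code id_token',
            'response_mode' => 'form_post',   // this is why Apple POSTs back instead of GET
            'scope'         => 'name email',
            'state'         => $state,        // echoed in the POST body, not in a header
            'nonce'         => $nonce,        // echoed as a claim inside the id_token
        ]);

        return redirect('https://appleid.apple.com/auth/authorize?' . $query);
    }

    // Apple POSTs code, id_token and state here. With CSRF verification skipped for
    // this route, the state and nonce comparisons are what reject a forged callback.
    public function callback(Request $request)
    {
        $expectedState = $request->session()->pull('apple_state');
        $expectedNonce = $request->session()->pull('apple_nonce');

        if (! self::secureEquals($expectedState, $request->input('state'))) {
            abort(403, 'Invalid OAuth state');
        }

        $claims = self::jwtPayload((string) $request->input('id_token'));
        if (! self::secureEquals($expectedNonce, $claims['nonce'] ?? null)) {
            abort(403, 'Invalid nonce');
        }

        // The id_token signature must still be verified against Apple's JWKS
        // (https://appleid.apple.com/auth/keys) before $claims are trusted; not shown here.
        return $claims;
    }

    // Constant-time comparison that also rejects a missing or empty expected value,
    // so a request arriving with no session cannot pass with state=''.
    public static function secureEquals($expected, $actual): bool
    {
        return is_string($expected) && $expected !== ''
            && is_string($actual) && hash_equals($expected, $actual);
    }

    // Decode the (not yet signature-checked) payload segment of a JWT; [] if malformed.
    public static function jwtPayload(string $jwt): array
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return [];
        }
        $b64 = strtr($parts[1], '-_', '+/');
        $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
        $claims = json_decode((string) base64_decode($b64, true), true);
        return is_array($claims) ? $claims : [];
    }
}
```

The `except` entry is a path pattern, so only the path component of the configured redirect URI is added; `Request::is()` matches it without a leading slash. If you would rather keep the exclusion next to the route definition than in the middleware, Laravel 8 also allows a single route to opt out with `->withoutMiddleware(VerifyCsrfToken::class)`. Either way, once the CSRF check is off for that route the `state` check (and the `nonce` inside the token) is the only thing tying the callback to a login the user actually started, which is why the comparison above refuses an empty expected value rather than treating "nothing in the session" as a match.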

gustafsilva commented 3 years ago

The same issue

mikebronner commented 3 years ago

@mirko77 @gustafsilva Could either of you provide an example test repo that demonstrates this issue?

esa-kian commented 1 year ago

Well, Apple sends back a POST request without the CSRF Token Laravel is expecting.

I personally added the CSRF as a nonce parameter which is sent back by Apple and check it manually.

In VerifyCsrfToken.php the Apple redirect URI needs to be excluded.

protected $except = [
    'handle/apple/callback',
];

What I have not figured out yet is how to define handle/apple/callback in the .env instead of hardcoding it

I tried this and it works for me, thanks @mirko77