I like how you always include the error ways before "fixing" them instead of doing everything "correct" on the first try. It gives a better insight into how and why.
I am completely stuck with the 401 Unauthorized error when trying to access api routes protected with sanctum. I tried everything I could, I just don't understand... I did watch your most recent video (ruclips.net/video/O6ibPLFfAh0/видео.html) in hope to solve my problem, but nothing seems to do the trick. The /sanctum/crsf-cookie and /login routes work. It's only the api ones protected by sanctum that are always unauthorized. Do I have to set the port of Postman to :5173? For infos, I am using Laravel 11.
Ok so I found the solution in this video : ruclips.net/video/_lfsvZZWsXE/видео.html. Am I forcing to use the Bearer token because Postman doesn't use the credentials?
I've spent all day dealing with this insanity and this was my salvation. I finally understand how this crap works now. This is how I know angels exist. Thank you!
Thanks, amazing video. Helped me a lot, I was trying to make it work through postman so I could understand how it works, and was struggling to make it work for months without success.
Great question - might turn it into a video/post! You need to send a csrf token with any non-GET request - so for post/put/patch/delete requests. Generally, all things (forms, buttons, actions) that make those types of request are behind a login/register screen so by the time you reach them, there's already a XSRF-TOKEN cookie in place. Once that cookie is set, it gets updated with every request made to the Laravel API, so there's no need to call the /sanctum/csrf-cookie endpoint again and again. You only need to call it before submitting any public-facing forms. For example: login, register, forgot password, reset password... a contact form anyone can fill in, etc. Hope that answers your question!
Hi Sir, I am following your tutorial about laravel api. I see that every time a request is made to the server (post, put,..), it will need to include a csrf token. But I see there are many other instructional videos on RUclips, no need to send csrf token when requesting with post method. Can you answer me? Thanks a lot!
hey! all post/put/patch/delete requests require a csrf token - unless the VerifyCsrfMiddleware is disabled. If you send me a video url + timestamp of such video, I can *probably* explain what's different
Thanks, really great video! Just wondering: it is the SPA authentication you showed us in this context, is it also okay (or even better?) to use Sanctum's API Token authentication in this Postman case?
postman is just a testing tool, so you can use it to test both approaches. none is better than the other - cookies for browsers, tokens for everything else
your videos are great. As I understand things, it appears that in order to use pure token approach (with say a flutter mobile client), as opposed to the cookie approach (for web SPA), i would just need to create my own user login/registration routes, and if there's no plan to have a SPA component, i could just delete the auth.php route file entirely? Or would you try to use the cookie approach when having only a mobile client?
Thanks! And yes, everything you said here is correct. Tokens for mobile apps, cookies for browsers, no need to keep auth.php. However, keep in mind that you will also have to consider the "I forgot my password" flow
More context : I added a devServer key in nuxt config : devServer: { host: "client.merchant-app.test", port: 3000 }, I added client.merchant-app.test to C:\Windows\System32\drivers\etc\hosts : localhost client.merchant-app.test but when I start npm run dev I got the following error : Unable to find any random port on host "client.merchant-app.test" Do you know how to resolve this ?
hey! no - sort of Sanctum relies on cookies. And one domain (example.test) cannot set cookies for a different domain (localhost). So both applications need to be on the same domain (you can still use subdomains). The only way to make it work is by using a proxy. I made a video here: ruclips.net/video/gKC7yvllsPE/видео.html
Hi @cdruc, I'm having an issue with postman. I didn''t received any cookies when i request on csrf-cookies endpoint it only say "No cookies received from the server". Do you know how to fix it?
That's weird, can you upload a screenshot somewhere with the exact parameters you're sending and the exact response you get back? I've never heard of such "No cookies received from the server" response.
I like how you always include the error ways before "fixing" them instead of doing everything "correct" on the first try. It gives a better insight into how and why.
Question: Why you call frontend url in pre request script in postman to get cookie, why not call the laravel sanctum/csrf-cookie URL?
Hello! Thanks for the video.
I’m having difficulties to do the same for Laravel sanctum with fortify.
Thank you so much, it is an amazing video that helped me with postman on this issue.
I am completely stuck with the 401 Unauthorized error when trying to access api routes protected with sanctum. I tried everything I could, I just don't understand... I did watch your most recent video (ruclips.net/video/O6ibPLFfAh0/видео.html) in hope to solve my problem, but nothing seems to do the trick. The /sanctum/crsf-cookie and /login routes work. It's only the api ones protected by sanctum that are always unauthorized. Do I have to set the port of Postman to :5173? For infos, I am using Laravel 11.
Ok so I found the solution in this video : ruclips.net/video/_lfsvZZWsXE/видео.html. Am I forcing to use the Bearer token because Postman doesn't use the credentials?
The provided permissions might be the issue.
I have watched several videos and all are super awesome. Very very easy to understand! You are great teacher!
I've spent all day dealing with this insanity and this was my salvation. I finally understand how this crap works now.
This is how I know angels exist. Thank you!
Is it possible to authenticate in a react native app using laravel breeze API package? Please help me
Yes - use Sanctum token based auth. Store the token using expo SecureStore
Your other videos on Laravel sanctum really helped me. I am so glad to see this too
Amazing, thank you!
Thanks, so much interesting 👍
Very helpful content. You shared very important info that saves headaches, decoding the CSRF token.
You are my Hero !
Thanks, amazing video. Helped me a lot, I was trying to make it work through postman so I could understand how it works, and was struggling to make it work for months without success.
Great thx!!!
Many Thanks
Got error 405 method not allowed
You should cover the problems not the best scenarios.
and use ->middleware('auth:sanctum'); instead of ->middleware('auth:api');
@@Hassam-deno thank you for your response
These are the kind of hidden gems is really hard to find when understanding the details of authentication
good video. what about some other POST request?we must get csrf-cookie again?
Generally no - there's no need to get the csrf-cookie again
@@cdruc When to crsf and when not to csrf ?
Great question - might turn it into a video/post!
You need to send a csrf token with any non-GET request - so for post/put/patch/delete requests.
Generally, all things (forms, buttons, actions) that make those types of request are behind a login/register screen so by the time you reach them, there's already a XSRF-TOKEN cookie in place.
Once that cookie is set, it gets updated with every request made to the Laravel API, so there's no need to call the /sanctum/csrf-cookie endpoint again and again.
You only need to call it before submitting any public-facing forms. For example: login, register, forgot password, reset password... a contact form anyone can fill in, etc.
Hope that answers your question!
Hi Sir, I am following your tutorial about laravel api. I see that every time a request is made to the server (post, put,..), it will need to include a csrf token. But I see there are many other instructional videos on RUclips, no need to send csrf token when requesting with post method. Can you answer me? Thanks a lot!
hey!
all post/put/patch/delete requests require a csrf token - unless the VerifyCsrfMiddleware is disabled.
If you send me a video url + timestamp of such video, I can *probably* explain what's different
Thanks, really great video! Just wondering: it is the SPA authentication you showed us in this context, is it also okay (or even better?) to use Sanctum's API Token authentication in this Postman case?
postman is just a testing tool, so you can use it to test both approaches.
none is better than the other - cookies for browsers, tokens for everything else
your videos are great. As I understand things, it appears that in order to use pure token approach (with say a flutter mobile client), as opposed to the cookie approach (for web SPA), i would just need to create my own user login/registration routes, and if there's no plan to have a SPA component, i could just delete the auth.php route file entirely? Or would you try to use the cookie approach when having only a mobile client?
Thanks! And yes, everything you said here is correct. Tokens for mobile apps, cookies for browsers, no need to keep auth.php. However, keep in mind that you will also have to consider the "I forgot my password" flow
Wow, this is truly exceptional.
Kudos to you for this useful video! 🙌
Excellent video, thanks!!
Thanks Constantin !Great vidéo again ❤
Please how did you alias the front-end url in production ?
More context :
I added a devServer key in nuxt config :
devServer: {
host: "client.merchant-app.test",
port: 3000
},
I added client.merchant-app.test to C:\Windows\System32\drivers\etc\hosts :
localhost client.merchant-app.test
but when I start npm run dev I got the following error :
Unable to find any random port on host "client.merchant-app.test"
Do you know how to resolve this ?
Could you please provide vscode theme link? Thanks
marketplace.visualstudio.com/items?itemName=sdras.night-owl
im getting pages expired, please help
@cdruc will it work if backend and frontend is on different domains? for example Frontend is on localhost, and backend is on example.test
hey! no - sort of
Sanctum relies on cookies. And one domain (example.test) cannot set cookies for a different domain (localhost). So both applications need to be on the same domain (you can still use subdomains).
The only way to make it work is by using a proxy. I made a video here: ruclips.net/video/gKC7yvllsPE/видео.html
thanks a lot@@cdruc
thx brooo
Hi @cdruc, I'm having an issue with postman. I didn''t received any cookies when i request on csrf-cookies endpoint it only say "No cookies received from the server". Do you know how to fix it?
That's weird, can you upload a screenshot somewhere with the exact parameters you're sending and the exact response you get back? I've never heard of such "No cookies received from the server" response.
maybe you just didn't run the server: php artisan serve
@@cdruc same issue here. Using Postman v10.22.6
console.log(err, cookie) null null