must watch video for the developer who want to make separate front-end & back-end. usually i don't comment on youtube video but your video make me to comment & appreaciate your hard-word & effort you put in making this video. Thanks.
Are you kidding me? How does the internet even work with something like that URI decode so obscurely hidden away on this corner of youtube? If I get this thing working I'm gonna hammer away at the laravel maintainers' patience until they let me add all this to the docs! Thank you very much for taking the time to do this!
I just don't get it... Trying to make requests through Postman and was able to make it work and pre-fetch CSRF token before each request to the local app so it circumvents the CSRF error and I can login by either going to /api/sanctum/token or to a "normal" website login at "/login" URI... However! - When I login through /login I get "unauthenticated" response back after making another GET request through postman to "api/user", which judging by what I saw in your video shouldn't be the case (it should threat this login the same way as it does the "api/sanctum/token" login) ? The only way I can get the "api/user" to not give me "Unauthenticated" error is if I add the bearer token authorization with the request and enter the token I got back when calling "/api/sanctum/token" URI. Or am I missing something here and "api/" route authentication was never supposed to be "compatible" with the Fortify "/login" route authentication and the "cookie based authentication for Sanctum" that you mention in the video is basically just having to send CSRF token along with the bearer token in the headers of any API request made to "api/" routes in the app for extra protection?
THANK YOU FOR THIS! I created a clean Laravel 9 project to go through your tutorial. I have spent the last 8 or so hours on just your first 30 minutes! :') I am thoroughly documenting and testing along the way, and everything makes so much more sense now. Seriously-THANK YOU! I have been struggling with this part of my project.
Perfect class. You can use axios which automatically includes the X-XSRF-COOKIE in the header of all the following requests. Thank you very much, congratulations.
if i registered the user using Fortify register route then fortify will automatically login the user too at back-end & when i try to login user from nuxt front-end then laravel redirect to his back-end home page because at back-end side user already logged in which throw an error at front-end side & due to failed request loggedIn state of nuxt/auth package does'nt change to true. I hope you understand the condition. Any solution for this? what should i do? in-short i am trying to say that i can only make the request successful to login or register route for the first time or whenever I click on logout or throw request to logout at server then these login register routes work perfectly for the first time again.
This video lesson was extremely useful and the content is really easy to understand, I will refer it to my colleagues. From one professional to another, my most sincere thanks. 🤝
I can not thank you enough for your precious videos. I feel like there is a little mess in authentication in Laravel, and I wish you clear some doubts. as I understand, when a protected http request arrives to API it first goes through sanctum library to make sure that request was issued by an authenticated user. and lets assume that http request contains bearer token. Then, sanctum relates this token to the user by inspecting the tokens table in database. The request will be considered authenticated if the token in the request is a valid token for some user. I want to ask here, is my perspective right? And if it is right, how does sanctum relate to Laravel guards? and can I make any other object authenticatable by sanctum, like for example other kinds of users, and should I make a costume guard with a provider related to this other user? how can I relate those other users to tokens table and tell sanctum that the tokens in the http request maybe for other entities?
Your understanding about sanctum verifying the token is correct. Guards are just a way for you to tell laravel how to authorise an incoming request and which table to look for the authenticable entity. You can totally customise the guards used by sanctum in the sanctum.php config file, and of course, creating your own guard provider
Excellent video. Since you asked: the "voodoo magic cookie" you mention around 1:03:37 is the cookie that contains your actual session state data because you used the "cookie" SESSION_DRIVER option. If you were to decrypt the value of this cookie, you'd see the data that would normally be stored in a session file, cache system, etc (data like "_token", "_flash", "_previous", etc). In other words, the "livepost_session" cookie value (once decrypted) provides Laravel with your session token. Laravel then looks for a cookie on the request with that name (again, only because you are using the "cookie" session driver), and decrypts the value to get the actual session data. When using an alternate session driver, Laravel uses the same process (decrypting your session cookie to determine the "token"), but will then lookup the actual session data using whichever driver you've selected (cache, file, database, etc). Hope this helps!
Can you make a video about Laravel Scout and Elasticsearch? I want to see what is the right way to add data’s with relations into elasticsearch and search in elastic. Thank you for a great videos. I subscribed to your channel and turned on notifications 👍
I have a weird error and any help would be appreciated. I login the user, turn on 2FA by making a POST request to /user/two-factor-authentication. Then I grabbed the recovery codes at GET: /user/two-factor-recovery-codes. So I logged out, logged back in and login response was { "two_factor": false }, even tough I turned it on. So I tried to do a two-factor-challenge with a recovery code, but I got a 422 saying "The provided two factor recovery code was invalid." P.S Great video, you explained this topic really well.
@@Acadeaio thanks for the reply. I think I may have realized the problem. I did some more reading, and 2fa needs to be confirmes by typing in the code from authenticator app. Since I was making an api, I didn't have access to the svg in a browser. I still haven't confirmed this but I am quite positive this is the problem
must watch video for the developer who want to make separate front-end & back-end. usually i don't comment on youtube video but your video make me to comment & appreaciate your hard-word & effort you put in making this video. Thanks.
Thanks for your encouraging words Farhan!
Are you kidding me? How does the internet even work with something like that URI decode so obscurely hidden away on this corner of youtube? If I get this thing working I'm gonna hammer away at the laravel maintainers' patience until they let me add all this to the docs! Thank you very much for taking the time to do this!
Could you please update same with laravel 11.x due to many changes?
👍👍👍👍👍👍👍
This video is a salvation to my whole authentication struggle.
I just don't get it... Trying to make requests through Postman and was able to make it work and pre-fetch CSRF token before each request to the local app so it circumvents the CSRF error and I can login by either going to /api/sanctum/token or to a "normal" website login at "/login" URI... However!
- When I login through /login I get "unauthenticated" response back after making another GET request through postman to "api/user", which judging by what I saw in your video shouldn't be the case (it should threat this login the same way as it does the "api/sanctum/token" login) ?
The only way I can get the "api/user" to not give me "Unauthenticated" error is if I add the bearer token authorization with the request and enter the token I got back when calling "/api/sanctum/token" URI.
Or am I missing something here and "api/" route authentication was never supposed to be "compatible" with the Fortify "/login" route authentication and the "cookie based authentication for Sanctum" that you mention in the video is basically just having to send CSRF token along with the bearer token in the headers of any API request made to "api/" routes in the app for extra protection?
One of the greatest tutorials I've ever watched! THANK YOU VERY MUCH!
You're very welcome!
THANK YOU FOR THIS! I created a clean Laravel 9 project to go through your tutorial. I have spent the last 8 or so hours on just your first 30 minutes! :') I am thoroughly documenting and testing along the way, and everything makes so much more sense now. Seriously-THANK YOU! I have been struggling with this part of my project.
Glad it helped! Authentication is never easy, took me a while to get there as well with lots of trials and errors
Thank you! It's a very nice guide, I watched it with pleasure!
Perfect class. You can use axios which automatically includes the X-XSRF-COOKIE in the header of all the following requests.
Thank you very much, congratulations.
Thanks for the tips! I tried to use the bare-bone methods so we can see what's involved under the hood
I'm using axios but it's not including the X-XSRF-COOKIE in the header. Can you show me an example please?
after I set up sanctum, I cant hit the endpoints with postman anymore?
if i registered the user using Fortify register route then fortify will automatically login the user too at back-end & when i try to login user from nuxt front-end then laravel redirect to his back-end home page because at back-end side user already logged in which throw an error at front-end side & due to failed request loggedIn state of nuxt/auth package does'nt change to true. I hope you understand the condition. Any solution for this? what should i do?
in-short i am trying to say that i can only make the request successful to login or register route for the first time or whenever I click on logout or throw request to logout at server then these login register routes work perfectly for the first time again.
This video lesson was extremely useful and the content is really easy to understand, I will refer it to my colleagues. From one professional to another, my most sincere thanks. 🤝
I got unidefined status when I requested register route
Crystal clear explanation. Thanks for the effort.
Thank you! Excellent content
I can not thank you enough for your precious videos. I feel like there is a little mess in authentication in Laravel, and I wish you clear some doubts. as I understand, when a protected http request arrives to API it first goes through sanctum library to make sure that request was issued by an authenticated user. and lets assume that http request contains bearer token. Then, sanctum relates this token to the user by inspecting the tokens table in database. The request will be considered authenticated if the token in the request is a valid token for some user. I want to ask here, is my perspective right? And if it is right, how does sanctum relate to Laravel guards? and can I make any other object authenticatable by sanctum, like for example other kinds of users, and should I make a costume guard with a provider related to this other user? how can I relate those other users to tokens table and tell sanctum that the tokens in the http request maybe for other entities?
Your understanding about sanctum verifying the token is correct. Guards are just a way for you to tell laravel how to authorise an incoming request and which table to look for the authenticable entity. You can totally customise the guards used by sanctum in the sanctum.php config file, and of course, creating your own guard provider
this is awesome
Excellent video. Since you asked: the "voodoo magic cookie" you mention around 1:03:37 is the cookie that contains your actual session state data because you used the "cookie" SESSION_DRIVER option. If you were to decrypt the value of this cookie, you'd see the data that would normally be stored in a session file, cache system, etc (data like "_token", "_flash", "_previous", etc). In other words, the "livepost_session" cookie value (once decrypted) provides Laravel with your session token. Laravel then looks for a cookie on the request with that name (again, only because you are using the "cookie" session driver), and decrypts the value to get the actual session data. When using an alternate session driver, Laravel uses the same process (decrypting your session cookie to determine the "token"), but will then lookup the actual session data using whichever driver you've selected (cache, file, database, etc). Hope this helps!
Thanks for the input! Now that cleared my doubts!
Can you make a video about Laravel Scout and Elasticsearch? I want to see what is the right way to add data’s with relations into elasticsearch and search in elastic.
Thank you for a great videos. I subscribed to your channel and turned on notifications 👍
I'll consider it
@@Acadeaio thank you bro. I will wait for it ❤️
why i still get html return even i set false to view in fortify
Same problem here
Same here :( anyone figured out the cause?
@@saeed17 @Reaksmey Sunchhay Do you guys added key value pair Accept=>application/json in header?
@@reaksmeysunchhay8083 Add Accept => application/json in header part of the postman, under the url you can see header tab, just before body
@@sarmadali2352 Thanks bro, you're a legend! This fixed the issue for me :D
I tried this tutorial, but when register new user I got message Status: 419 unknown status. what happened with my project? Thank you
make sure you've included the csrf token in your request
Add Accept => application/json in header part of the postman, under the url you can see header tab, just before body - this solved that for me
I have a weird error and any help would be appreciated.
I login the user, turn on 2FA by making a POST request to /user/two-factor-authentication. Then I grabbed the recovery codes at GET: /user/two-factor-recovery-codes. So I logged out, logged back in and login response was { "two_factor": false }, even tough I turned it on. So I tried to do a two-factor-challenge with a recovery code, but I got a 422 saying "The provided two factor recovery code was invalid."
P.S Great video, you explained this topic really well.
hmm a bit tricky to debug without seeing the code. But what I can say is the recovery codes reset whenever you used a code to login.
@@Acadeaio thanks for the reply. I think I may have realized the problem. I did some more reading, and 2fa needs to be confirmes by typing in the code from authenticator app. Since I was making an api, I didn't have access to the svg in a browser.
I still haven't confirmed this but I am quite positive this is the problem