I like how you always include the error ways before "fixing" them instead of doing everything "correct" on the first try. It gives a better insight into how and why.
Thanks, amazing video. Helped me a lot, I was trying to make it work through postman so I could understand how it works, and was struggling to make it work for months without success.
I've spent all day dealing with this insanity and this was my salvation. I finally understand how this crap works now. This is how I know angels exist. Thank you!
your videos are great. As I understand things, it appears that in order to use pure token approach (with say a flutter mobile client), as opposed to the cookie approach (for web SPA), i would just need to create my own user login/registration routes, and if there's no plan to have a SPA component, i could just delete the auth.php route file entirely? Or would you try to use the cookie approach when having only a mobile client?
Thanks! And yes, everything you said here is correct. Tokens for mobile apps, cookies for browsers, no need to keep auth.php. However, keep in mind that you will also have to consider the "I forgot my password" flow
Thanks, really great video! Just wondering: it is the SPA authentication you showed us in this context, is it also okay (or even better?) to use Sanctum's API Token authentication in this Postman case?
postman is just a testing tool, so you can use it to test both approaches. none is better than the other - cookies for browsers, tokens for everything else
More context : I added a devServer key in nuxt config : devServer: { host: "client.merchant-app.test", port: 3000 }, I added client.merchant-app.test to C:\Windows\System32\drivers\etc\hosts : localhost client.merchant-app.test but when I start npm run dev I got the following error : Unable to find any random port on host "client.merchant-app.test" Do you know how to resolve this ?
hey! no - sort of Sanctum relies on cookies. And one domain (example.test) cannot set cookies for a different domain (localhost). So both applications need to be on the same domain (you can still use subdomains). The only way to make it work is by using a proxy. I made a video here: th-cam.com/video/gKC7yvllsPE/w-d-xo.html
Hi Sir, I am following your tutorial about laravel api. I see that every time a request is made to the server (post, put,..), it will need to include a csrf token. But I see there are many other instructional videos on TH-cam, no need to send csrf token when requesting with post method. Can you answer me? Thanks a lot!
hey! all post/put/patch/delete requests require a csrf token - unless the VerifyCsrfMiddleware is disabled. If you send me a video url + timestamp of such video, I can *probably* explain what's different
Great question - might turn it into a video/post! You need to send a csrf token with any non-GET request - so for post/put/patch/delete requests. Generally, all things (forms, buttons, actions) that make those types of request are behind a login/register screen so by the time you reach them, there's already a XSRF-TOKEN cookie in place. Once that cookie is set, it gets updated with every request made to the Laravel API, so there's no need to call the /sanctum/csrf-cookie endpoint again and again. You only need to call it before submitting any public-facing forms. For example: login, register, forgot password, reset password... a contact form anyone can fill in, etc. Hope that answers your question!
Hi @cdruc, I'm having an issue with postman. I didn''t received any cookies when i request on csrf-cookies endpoint it only say "No cookies received from the server". Do you know how to fix it?
That's weird, can you upload a screenshot somewhere with the exact parameters you're sending and the exact response you get back? I've never heard of such "No cookies received from the server" response.
I am completely stuck with the 401 Unauthorized error when trying to access api routes protected with sanctum. I tried everything I could, I just don't understand... I did watch your most recent video (th-cam.com/video/O6ibPLFfAh0/w-d-xo.html) in hope to solve my problem, but nothing seems to do the trick. The /sanctum/crsf-cookie and /login routes work. It's only the api ones protected by sanctum that are always unauthorized. Do I have to set the port of Postman to :5173? For infos, I am using Laravel 11.
Ok so I found the solution in this video : th-cam.com/video/_lfsvZZWsXE/w-d-xo.html. Am I forcing to use the Bearer token because Postman doesn't use the credentials?
I like how you always include the error ways before "fixing" them instead of doing everything "correct" on the first try. It gives a better insight into how and why.
Your other videos on Laravel sanctum really helped me. I am so glad to see this too
I have watched several videos and all are super awesome. Very very easy to understand! You are great teacher!
Thanks, amazing video. Helped me a lot, I was trying to make it work through postman so I could understand how it works, and was struggling to make it work for months without success.
Very helpful content. You shared very important info that saves headaches, decoding the CSRF token.
Thank you so much, it is an amazing video that helped me with postman on this issue.
Extremely helpful, thanks a lot!!
That is really helped me, thank you man
this is very helpful. its the best video . thanks for this
loved your video man. thanks
Kudos to you for this useful video! 🙌
Wow, this is truly exceptional.
These are the kind of hidden gems is really hard to find when understanding the details of authentication
I've spent all day dealing with this insanity and this was my salvation. I finally understand how this crap works now.
This is how I know angels exist. Thank you!
You are my Hero !
Thanks, so much interesting 👍
Amazing, thank you!
your videos are great. As I understand things, it appears that in order to use pure token approach (with say a flutter mobile client), as opposed to the cookie approach (for web SPA), i would just need to create my own user login/registration routes, and if there's no plan to have a SPA component, i could just delete the auth.php route file entirely? Or would you try to use the cookie approach when having only a mobile client?
Thanks! And yes, everything you said here is correct. Tokens for mobile apps, cookies for browsers, no need to keep auth.php. However, keep in mind that you will also have to consider the "I forgot my password" flow
Excellent video, thanks!!
Thanks, really great video! Just wondering: it is the SPA authentication you showed us in this context, is it also okay (or even better?) to use Sanctum's API Token authentication in this Postman case?
postman is just a testing tool, so you can use it to test both approaches.
none is better than the other - cookies for browsers, tokens for everything else
Many Thanks
Hello! Thanks for the video.
I’m having difficulties to do the same for Laravel sanctum with fortify.
Question: Why you call frontend url in pre request script in postman to get cookie, why not call the laravel sanctum/csrf-cookie URL?
Is it possible to authenticate in a react native app using laravel breeze API package? Please help me
Yes - use Sanctum token based auth. Store the token using expo SecureStore
Thanks Constantin !Great vidéo again ❤
Please how did you alias the front-end url in production ?
More context :
I added a devServer key in nuxt config :
devServer: {
host: "client.merchant-app.test",
port: 3000
},
I added client.merchant-app.test to C:\Windows\System32\drivers\etc\hosts :
localhost client.merchant-app.test
but when I start npm run dev I got the following error :
Unable to find any random port on host "client.merchant-app.test"
Do you know how to resolve this ?
@cdruc will it work if backend and frontend is on different domains? for example Frontend is on localhost, and backend is on example.test
hey! no - sort of
Sanctum relies on cookies. And one domain (example.test) cannot set cookies for a different domain (localhost). So both applications need to be on the same domain (you can still use subdomains).
The only way to make it work is by using a proxy. I made a video here: th-cam.com/video/gKC7yvllsPE/w-d-xo.html
thanks a lot@@cdruc
Great thx!!!
Hi Sir, I am following your tutorial about laravel api. I see that every time a request is made to the server (post, put,..), it will need to include a csrf token. But I see there are many other instructional videos on TH-cam, no need to send csrf token when requesting with post method. Can you answer me? Thanks a lot!
hey!
all post/put/patch/delete requests require a csrf token - unless the VerifyCsrfMiddleware is disabled.
If you send me a video url + timestamp of such video, I can *probably* explain what's different
good video. what about some other POST request?we must get csrf-cookie again?
Generally no - there's no need to get the csrf-cookie again
@@cdruc When to crsf and when not to csrf ?
Great question - might turn it into a video/post!
You need to send a csrf token with any non-GET request - so for post/put/patch/delete requests.
Generally, all things (forms, buttons, actions) that make those types of request are behind a login/register screen so by the time you reach them, there's already a XSRF-TOKEN cookie in place.
Once that cookie is set, it gets updated with every request made to the Laravel API, so there's no need to call the /sanctum/csrf-cookie endpoint again and again.
You only need to call it before submitting any public-facing forms. For example: login, register, forgot password, reset password... a contact form anyone can fill in, etc.
Hope that answers your question!
Hi @cdruc, I'm having an issue with postman. I didn''t received any cookies when i request on csrf-cookies endpoint it only say "No cookies received from the server". Do you know how to fix it?
That's weird, can you upload a screenshot somewhere with the exact parameters you're sending and the exact response you get back? I've never heard of such "No cookies received from the server" response.
maybe you just didn't run the server: php artisan serve
@@cdruc same issue here. Using Postman v10.22.6
console.log(err, cookie) null null
thank you, it's help me loat....
im getting pages expired, please help
Can you please also show your code in login
Could you please provide vscode theme link? Thanks
marketplace.visualstudio.com/items?itemName=sdras.night-owl
thx brooo
Got error 405 method not allowed
You should cover the problems not the best scenarios.
and use ->middleware('auth:sanctum'); instead of ->middleware('auth:api');
@@Hassam-deno thank you for your response
I am completely stuck with the 401 Unauthorized error when trying to access api routes protected with sanctum. I tried everything I could, I just don't understand... I did watch your most recent video (th-cam.com/video/O6ibPLFfAh0/w-d-xo.html) in hope to solve my problem, but nothing seems to do the trick. The /sanctum/crsf-cookie and /login routes work. It's only the api ones protected by sanctum that are always unauthorized. Do I have to set the port of Postman to :5173? For infos, I am using Laravel 11.
Ok so I found the solution in this video : th-cam.com/video/_lfsvZZWsXE/w-d-xo.html. Am I forcing to use the Bearer token because Postman doesn't use the credentials?
The provided permissions might be the issue.
In your /bootstrap/app.php file, inside the ->withMiddleware, add:
$middleware->append(StartSession::class);