I like how you always include the error ways before "fixing" them instead of doing everything "correct" on the first try. It gives a better insight into how and why.
I've spent all day dealing with this insanity and this was my salvation. I finally understand how this crap works now. This is how I know angels exist. Thank you!
Thanks, amazing video. Helped me a lot, I was trying to make it work through postman so I could understand how it works, and was struggling to make it work for months without success.
Thanks, really great video! Just wondering: it is the SPA authentication you showed us in this context, is it also okay (or even better?) to use Sanctum's API Token authentication in this Postman case?
postman is just a testing tool, so you can use it to test both approaches. none is better than the other - cookies for browsers, tokens for everything else
your videos are great. As I understand things, it appears that in order to use pure token approach (with say a flutter mobile client), as opposed to the cookie approach (for web SPA), i would just need to create my own user login/registration routes, and if there's no plan to have a SPA component, i could just delete the auth.php route file entirely? Or would you try to use the cookie approach when having only a mobile client?
Thanks! And yes, everything you said here is correct. Tokens for mobile apps, cookies for browsers, no need to keep auth.php. However, keep in mind that you will also have to consider the "I forgot my password" flow
More context : I added a devServer key in nuxt config : devServer: { host: "client.merchant-app.test", port: 3000 }, I added client.merchant-app.test to C:\Windows\System32\drivers\etc\hosts : localhost client.merchant-app.test but when I start npm run dev I got the following error : Unable to find any random port on host "client.merchant-app.test" Do you know how to resolve this ?
Hi Sir, I am following your tutorial about laravel api. I see that every time a request is made to the server (post, put,..), it will need to include a csrf token. But I see there are many other instructional videos on RU-vid, no need to send csrf token when requesting with post method. Can you answer me? Thanks a lot!
hey! all post/put/patch/delete requests require a csrf token - unless the VerifyCsrfMiddleware is disabled. If you send me a video url + timestamp of such video, I can *probably* explain what's different
Great question - might turn it into a video/post! You need to send a csrf token with any non-GET request - so for post/put/patch/delete requests. Generally, all things (forms, buttons, actions) that make those types of request are behind a login/register screen so by the time you reach them, there's already a XSRF-TOKEN cookie in place. Once that cookie is set, it gets updated with every request made to the Laravel API, so there's no need to call the /sanctum/csrf-cookie endpoint again and again. You only need to call it before submitting any public-facing forms. For example: login, register, forgot password, reset password... a contact form anyone can fill in, etc. Hope that answers your question!
hey! no - sort of Sanctum relies on cookies. And one domain (example.test) cannot set cookies for a different domain (localhost). So both applications need to be on the same domain (you can still use subdomains). The only way to make it work is by using a proxy. I made a video here: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-gKC7yvllsPE.html
Hi @cdruc, I'm having an issue with postman. I didn''t received any cookies when i request on csrf-cookies endpoint it only say "No cookies received from the server". Do you know how to fix it?
That's weird, can you upload a screenshot somewhere with the exact parameters you're sending and the exact response you get back? I've never heard of such "No cookies received from the server" response.
I am completely stuck with the 401 Unauthorized error when trying to access api routes protected with sanctum. I tried everything I could, I just don't understand... I did watch your most recent video (ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-O6ibPLFfAh0.html) in hope to solve my problem, but nothing seems to do the trick. The /sanctum/crsf-cookie and /login routes work. It's only the api ones protected by sanctum that are always unauthorized. Do I have to set the port of Postman to :5173? For infos, I am using Laravel 11.
Ok so I found the solution in this video : ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-_lfsvZZWsXE.html. Am I forcing to use the Bearer token because Postman doesn't use the credentials?
