Laravel SPA Authentication - setup and common mistakes

Рет қаралды 53,819

cdruc

Жыл бұрын

Laravel & Nuxt 3 Authentication Guide: • Video

Пікірлер: 214

@cdruc 10 ай бұрын

Hey! This video is quite old and before axios used to add the x-xsrf-token header automatically. Now it no longer adds it, so you’ll have to do it yourself. Laravel Sanctum Auth: masteringauth.com

@macarenagd3954 Ай бұрын

Hello, your videos help me a lot. I am eagerly looking forward to the launch of your course. How are you doing it now with the new version? I'm using 1.7.2 and can't find a way to avoid getting a 401 error. I´m using withCredentials: true and withXSRFToken: true in my axios configuration. Thanks a lot man!

@DimZeta Жыл бұрын

This is one of the clearest and easiest to understand videos about Laravel Sanctum, but also about CORS and CSRF token. Thanks a lot!

@cdruc Жыл бұрын

You’re very welcome! glad you enjoyed it!

@teknotips188 Жыл бұрын

100% agree

@shofada Жыл бұрын

Wow! Diagrams and in-depth explanations. This is a sweet upgrade. Thanks for putting this together. Keep it up!

@thisisroushan_1337 3 ай бұрын

This was an incredibly in-depth video that really showed me why I was facing the errors I was facing. Thank you!

@kapa4208 Жыл бұрын

Definitely the clearest explanation of SPA authentication with Laravel and Vue. Thank you so much!

@kirinyetbrian 11 ай бұрын

This helped me a lot after struggling for three days.Thank you!

@REZAZIMohamedabdessamed Жыл бұрын

That's the most straight forward and cleaner explanation about Laravel sanctum auth and CORS.

@Redheadtama1 5 ай бұрын

Thank you so much for making these videos. After scouring the internet for months looking for help with my hobby project, I have finally found you and you are the only person who explains this stuff in simple terms! P.S. I have subscribed to your course. Looking forward to it :)

@ericksanabria5657 Жыл бұрын

wow! i have been struggling in my first spa project. I wiill reconfigure everything again. You have gained a new subscriber ty

@IntiMaldonado 7 ай бұрын

This is the best and most needed explanation online about setting up latavel api with spa front end 👌

@mostafakhaled6680 Жыл бұрын

you did a great job man , thanks for your time and efforts

@tukangkabel4997 Жыл бұрын

I like this! Brief explanation, clear and easy to understand. I'm waiting for a tutorial on creating or installing an admin template. After login this is done. Thanks

@turdakhov Жыл бұрын

Absolutly incredible tutorial. Thank you!

@janmichaelbesinga3867 Жыл бұрын

After watching for a couple of minutes, i realized i need to pause the video and hit like and subscribe. Kudos

@laracrafts195 2 ай бұрын

nice video, you made everything clear and precise without any issues

@neonneon8225 4 ай бұрын

Thank you so much, I resolved the problem I was faced with after watching your great video tutorial. Additionally, I learnt some extra important points from you. Thanks Sir.

@siyabdev 5 ай бұрын

Your exaplanation is just WOW

@sinaahmadpour3180 8 ай бұрын

After 10 years I finally understood the CORS issue completely! Thank you for the great material

@cdruc 8 ай бұрын

glad you found it useful! 👊

@LadyMariYo Жыл бұрын

Thank you for the thorough explanation!

@twentyfirstmen Жыл бұрын

Bro, You're so good at explaining, Thanks a lot, continue ❤❤💪🏼💪🏼

@azizmahon7013 Жыл бұрын

again you saved my life for the second time ! thank you from algeria !!

@pedromartins5512 Жыл бұрын

You saved my project. Thanks 🙏

@user-en4cj3dn9p Жыл бұрын

Thank you very much! I could not solve such a problem for a long time.

@israeliloba 2 ай бұрын

Thank you so much, i have been on this error for two days now

@alexalex6163 24 күн бұрын

Thank you very much! I`ve learned a lot thanks to you.

@abdobouna Жыл бұрын

Very nice video, thank you for the insight.

@oketafred Жыл бұрын

Thanks Constantin awesome content as always

@cdruc Жыл бұрын

Glad you enjoyed it👊

@johnpaularcenal6516 8 ай бұрын

Saved my life! Thank You so much!!

@juniordev4190 Жыл бұрын

Extremely useful. Thank you for sharing.

@cdruc Жыл бұрын

Glad you find it helpful 👊

@ihorrud5088 Жыл бұрын

Thank you bro!Very good explanation.

@yohanlopes1847 11 ай бұрын

marvelous video, taught me a lot

@justinenemuadia9887 Жыл бұрын

Man, I came from the article. Thank you soooooooo muchh

@muhammadumarsotvoldiev8768 6 ай бұрын

Brilliant job!

@Samuel.Mwangi Жыл бұрын

Thanks Constantin as always.

@ersatztutor Жыл бұрын

It took me an embarrassingly long time to figure this out. At the end it was something specific to angulars xsrfmodule. Still this video made things clearer!

@banalexandru4393 Жыл бұрын

can you please explain what you did in Angular, my problem is that the xsrf cookie is not being set in the browser when I the request to the /api/csrf-token endpoint...

@banalexandru4393 Жыл бұрын

@@ersatztutor sure, i will try tomorrow and will get back to you, thank you!

@dibbyo456 Жыл бұрын

Finally something that actually works. Thank you so much.

@cdruc Жыл бұрын

Glad it helped 👊

@steevenjackson667 2 ай бұрын

Seriously. Thank you so much!!!

@johnedmersonpizarra9750 Жыл бұрын

Thank you so much for this tutorial 😭😭

@ngounthengos Жыл бұрын

thank you for your tips.

@cirobastosarana8228 Жыл бұрын

Muchas gracias, Great video!

@peterpardo4138 11 ай бұрын

Wow! Thank you for this!

@yukngide 5 ай бұрын

Thank you for the tutorial

@wahyunurarizky1911 Жыл бұрын

hello mr Druc, i'm your new subscriber. thanks for making great videos

@cdruc Жыл бұрын

Hello, Glad you find them useful!

@user-rw9tx8do5g 4 ай бұрын

Ты лучший! You're the best!

@milendimitrov6503 Жыл бұрын

Very nice video

@Naixik Жыл бұрын

Thank you for this vidéo, I lost 2 days to still find your solution !

@cdruc Жыл бұрын

Glad it helped!

@jondoe79 Жыл бұрын

Awesome 😎 as it should be.

@phenomenal3873 3 ай бұрын

you are a lifesaver

@salaheddineahansal Жыл бұрын

Thank you very much ❤🙏

@user-dl6rc7vs8g 5 ай бұрын

Thanks A lot. I struggling 2 days for those error.

@godofbrowser Жыл бұрын

Thanks for sharing

@geniygames4620 3 ай бұрын

Thank you for the video! I do everything the same as you, except installing laravel breeze. It does not work for me. Do I need to do anything additional if it works on a local host without breeze?

@chalvarenga96 Жыл бұрын

Excellent! I have a question, how can I do everything you did in the video but, instead of testing the endpoints with a frontend, test it with Postman? Is that possible?

@nicolairomanov9305 Жыл бұрын

Thank you!

@ioccodeioccode6138 Жыл бұрын

Thank you!!

@helioao 10 ай бұрын

Jesus! Saved my month! Thank you so much! I spent the last weeks asking WTHGO??? Why this does not work?!??!

@cdruc 10 ай бұрын

Glad you found it helpful! 👊

@helioao 9 ай бұрын

@@cdruc looks like a joke but I came here to stop losing time with a second project, and boo, I inverted the ports of frontend and backend (9001 and 9002). So thanks again.

@jaytherbua-ay886 8 ай бұрын

THANK FUGGING GOOOD! I almost punched every classmate near me asking questions

@nadjinmalade8738 Жыл бұрын

Thank a Lot.

@tomatomov9061 Жыл бұрын

Have a question. Everytime when the user logs in, sanctum will generate new baerer token and then you are adding it in cookie so it can be used in further actions, until the user logs out ? Did I understand it correct ?

@madie2659 Жыл бұрын

wow, you explain very good, please create a video on laravel relationships

@cdruc Жыл бұрын

sadly i’m not working too much with Laravel these days 😩 look up laracasts - im sure they have something like this for free / on their YT channel 🤞

@allaboutnaturesound6033 Жыл бұрын

save my day

@ibilalkhilji Жыл бұрын

Which font you are using in the IDE?

@siyabdev 5 ай бұрын

I i set up Cookie based authentication in Laravel/Nuxt/Sanctum and in future, i build a mobile app for my API, the flow of CSRF would remain the same or would it change?

@azizmahon7013 Жыл бұрын

you saved my life

@cdruc Жыл бұрын

Lol 😂😂 glad u find it helpful 👊

@MrAbdooo2008 Жыл бұрын

great

@darkmode404 Жыл бұрын

Thanks!

@madtin Жыл бұрын

How would you check if there's a valid session in the front end? laravel is always settings the session cookie even if logged out...

@bulentguven4662 Жыл бұрын

Hi, I wonder that to I have to clear top level domain cookies every time user logout? For the first time, it is okey that my sanctum api block unregistered user access to the specific url. However, after logging in and logging out again, that's when the problems occur. After logging out, sanctum doesn't block the request and send the success response.

@youssefelgharib7092 Жыл бұрын

Thank you very much mr.Constantin Druc for your helpful videos. I've a question for you: What do you think is more practical inertia or api and why? We saw that inertia handles the most annoying things such as CSRF validation, error handling and routing and so on ...

@nadjinmalade8738 Жыл бұрын

Since Inertia came, I only use Inertia.

@cdruc Жыл бұрын

As always, it depends on your purpose and what you want to achieve. Mobile app in the plans? LaravelAPI + Vue3. No mobile app + control over the tech stack? InertiaJS. Looking to increase hiring chances? LaravelAPI + Vue3. If your aim is speed of development & !mobile, Inertia all the way!

@jervi_sir Жыл бұрын

great video, is it same case with reactNative.

@ajndlajjnl4175 10 ай бұрын

hello sir why dont u use laravel fortify for backend, or develop with inertia for fullstackapp

@michaeljosephgelvez8519 4 ай бұрын

May i know what os you are using?

@imtiazakidarmawan602 4 ай бұрын

I tried the same but there is no cookie and session on both the backend and frontend. Any solution ?. Thanks

@7ala9at Жыл бұрын

thank you, how to check user status , is logged or not

@firassebai8592 Жыл бұрын

can i start with laravel ui and implement sanctum for spa ?

@clebermartins3228 11 ай бұрын

Great!!!!!!

@user-cp4oy2bs9v 3 ай бұрын

i got 401 unauthorized but with nuxtjs, i used the loginWith for login and have properly configured but still got that 401 error. Do u have any solution please

@nabeelyousafpasha Жыл бұрын

Respect from Pakistan

@allaghi Жыл бұрын

I am working on new project using jetstream with inertia, and planning to connect it with mobile app, I am thinking of using passport, we need you advice.

@banalexandru4393 Жыл бұрын

In angular I reapted the exact same steps, but the XSRF-TOKEN cookie is not being set in the browser cookies storage, neither the other API cookies. I can't seem to find an answer for this anywhere

@lyricsremix7884 Жыл бұрын

the user gets logged out on brouser page refresh im using laravel api + react js any soltion ?

@mibrahim4245 8 ай бұрын

thank you for the very clear video ! .. excuse me for the dumb questiion, but if I want to protect a route with the authentication .. should I set it to ->middleware('auth:sanctum') or ->middleware('auth:api') ? the second thing, is at login controller; when I want to return the access_token in a cookie, should I return it like this: return response()->json(whatever)->withCookie(cookie("access_token", $token, 60) for example? or is there a setting that will make the token be returned in a cookie out of the box ?

@cdruc 8 ай бұрын

Hey, you should be using the "auth:sanctum" middleware. For the second thing, I don't know why you would want to return an access_token as a cookie - sounds like you're mixing token based authentication with session based authentication. Maybe these two videos are helpful: - kzbin.info/www/bejne/hIqcqqKnpLNqaNk - kzbin.info/www/bejne/fn2zoH6wbs9sgbs

@mibrahim4245 8 ай бұрын

@@cdruc thank you for ur response, yea I think that too ;P .. I'll check out those vids .. thanks

@bencumb7324 7 ай бұрын

Thankssss

@alimosbah Жыл бұрын

Can you explain to deploy laravel vite inertia ssr

@adamshaibu3911 6 ай бұрын

@cdruc i install sanctum without breeze. Both domains have the same session and xsrf token, yet 401

@cdruc 6 ай бұрын

check sanctum stateful domains list

@user-ul9vj8zd7m 8 ай бұрын

cool bro

@kristiyan.zhelyazkov Жыл бұрын

I have one question. How did you run your spa under spa.example.test? For the laravel project I think you use valet but for the vue project?

@cdruc Жыл бұрын

I use a build-watch command for vue and a custom valet driver. Might write a blogpost / make a video on this at some point

@cdruc Жыл бұрын

✍️ Wrote a blogpost: cdruc.com/valet-vue

@rhenaldkarrel Жыл бұрын

What if I want to perform a create action where there's a middleware of auth:api? How to pass the token to the axios authorization? Thank you for the video by the way!

@JustAnonymous1 4 ай бұрын

the same qst did you get it ? i try to passed the toekn in the session and get them before make the req but i don't if it's good solution or not!

@MuhammadYusuf-tr3xe Жыл бұрын

Thanks for this wonderful video, however in my case, I set up the STATEFUL_DOMAINS correctly in my env yet I still have a 419 error

@joemarpalting1469 8 ай бұрын

any solution?

@bernanribeiro3329 Жыл бұрын

When you install breeze it came to everything setup, but is amazing understand on how it work. But actually I came here because I still getting problem regarding this. My login and register is working perfectly, but when I update the user data I am getting this CORS errors : "'Access-Control-Allow-Origin' header is present on the requested resource." Do have any idea why?

@giorgishalamberidze8204 11 ай бұрын

samee problem

@habeebmurtala7318 Жыл бұрын

Hi, thank you for this video. can I authenticate from a mobile app after configuring for spa?

@cdruc Жыл бұрын

Yes, watch this video: tallpad.com/series/laravel-misc/lessons/authenticate-mobile-applications-with-laravel-sanctum You don't have to follow all the steps there, though; since you've already configured for spa.

@coder236 9 ай бұрын

i know you said that the request must sit on the same domains, but can't you allow separate domains in the cors? so say i'm using laravel Herd, i have a domain of 'my_domain.test' but my react frontend is sitting on localhost:5173... if i put localhost:5173 into cors settings, can i not send requests?

@cdruc 9 ай бұрын

cors has nothing to do with this. the problem are cookies - they cannot be shared across different domains. watch this: kzbin.info/www/bejne/nXymaKysodGmhqc

@coder236 9 ай бұрын

@@cdruc ah awesome thanks for this

@nlveej Жыл бұрын

how did you made your frontend url to be domain instead of localhost:port?

@cdruc Жыл бұрын

I use laravel valet. it does that automatically

@rafaelacioly3252 7 ай бұрын

Mine keep returning 303 followed by a 200, any idea how to fix it?

@cdruc 6 ай бұрын

this is a weird one. Never got a 303 response - can you put up a reproduceable repo(s)? I'm always down to help if enough details are provided

@AlexGower Жыл бұрын

Do you have to set the session in the .env if you setup the sanctum stateful in .env?

@cdruc Жыл бұрын

Yes, you need to set both.

@AlexGower Жыл бұрын

@@cdruc why do you think the default .env file when install breeze api doesn't include SESSION_DOMAIN and SANCTUM_STATEFUL_DOMAINS? It seems like this should be a default?

@catalina3873 Жыл бұрын

谢谢🙏 I hate the cros 😢😅

@bahacherni8776 5 ай бұрын

could you please explain it throw pinia state management

@cdruc 5 ай бұрын

i have a couple of videos on this, look through the chanel

@holakonoob Жыл бұрын

pls what is the font your using in ide and in the terminal

@cdruc Жыл бұрын

I think this was Operator Mono (not sure, though) Now I'm using SF Mono

@ricknatanielwalker9669 10 ай бұрын

Hi, your tutorial helped me very much, mainly The article you wrote, is so clear. Congrats. Well, not everything is as easier as ti looks. Well, the truth is I am getting a CORS error: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. I set everything up and one and only thing that is different is that I have a standard Laravel application installation. So, in this installation, the 'paths' variable in the cors.php config file remains 'paths' => ['api/*', 'sanctum/csrf-cookie']. When I accept all incoming requests ('paths' => ['*', 'sanctum/csrf-cookie']), I don't get any CORS error. I wouldn't like to mess with this because I don't know what will be the consequences, but I would appreciate help in this situation. What should I do to pass

@cdruc 10 ай бұрын

Hey! Glad the video somewhat helped you move the ball further. Would've been great to have specified the request causing the CORS error but I'll guess it's the /login endpoint 😃 Now, CORS is a security feature that allows you to control what requests the application should accept, and more importantly, from where (who is allowed to talk to my app). The paths array is a list of endpoints that accept cross-origin requests (requests that don't originate/come from your application domain). Since the /login endpoint is not part of the paths array, it does not accept cross-origin requests, hence you get the CORS error. Same will be true for other endpoints that are not there - for example, /register. But what is even more important, is *who* is allowed to talk to your application. I'm referring to the allowed_origins setting. This should be a list of origins that are allowed to make requests to your laravel application - usually just your frontend app. I already made a couple of YT videos on this topic and I know sometimes things are not super clear or easy to follow - it's just hard to fit everything in a couple of videos. That's why I'm working on: masteringauth.com Let me know how it goes, and if you stumble upon other issues, please send an e-mail at druc@pinsmile.com . I plan on having a "common issues" section in my course that explains and helps people fix their auth issues. Just make sure to include repository links and the .env file so I can to reproduce the issue(s).

@ricknatanielwalker9669 10 ай бұрын

@@cdruc I figured out that I had to include the endpoints that I want to hit in my path from the frontend. The confusion I was making is that in the official Laravel documentation site they say just for configuring sanctum to authenticate the SPA I would be able to hit endpoint from web.php. I'm excited about the course you're making and I was here thinking if I could give you a hand on it. Well, if it is in my domains