laravel-sign-in-with-apple

CSRF Token Mismatch

Status: Open. another-novelty opened this issue 4 years ago. 6 comments.

Hi!

When the callback returns from the apple servers I get a 419 error from Laravel. Disabling the VerifyCsrfToken middleware fixes this but is obviously not a fix.

Laravel framework version: v8.13.0
laravel-sign-in-with-apple version: 0.5.0
socialite version: 5.1.0

My naive guess is that this is actually a laravel, apple or configuration issue as the request somehow returns with a POST instead of a GET with the state token in the request instead of the header.

another-novelty, Dec 03 '20 15:12

The same issue

yaroslavolekh, Dec 19 '20 03:12

It sounds like you need to exclude your webhooks from being checked for CSRF tokens, but I have never had this issue. Please provide a working example repo that demonstrates this issue, if you would like me to look into this. At this point I have nothing to go on.

mikebronner, Dec 19 '20 14:12

Well, Apple sends back a POST request without the CSRF Token Laravel is expecting.

I personally added the CSRF as a nonce parameter which is sent back by Apple and check it manually.

In VerifyCsrfToken.php the Apple redirect URI needs to be excluded.

    protected $except = [
        'handle/apple/callback',
    ];

What I have not figured out yet is how to define handle/apple/callback in the .env instead of hardcoding it.

mirko77, Mar 12 '21 15:03
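The two pieces mirko77 describes, the middleware exclusion driven by configuration rather than a hardcoded path, and a manual check of the value Apple echoes back, as an added example that is not code from laravel-sign-in-with-apple or from anyone in this thread. It assumes a config key `services.apple.redirect` filled from an `APPLE_REDIRECT_URI` entry in `.env`, a controller named `AppleCallbackController`, and that Socialite keeps the random state it generated under the session key `state`; all three names are assumptions. The security point it makes explicit: once the callback route is outside `VerifyCsrfToken`, the OAuth `state` comparison is the only thing binding Apple's cross-site POST to the browser session that started the flow, so it must be checked with a constant-time comparison before the code is exchanged.

```php
<?php
// Added example (not the package's own code). Two files are shown back to back;
// the class, config and session-key names are assumptions, see the lead-in.

// --- app/Http/Middleware/VerifyCsrfToken.php ---------------------------------
namespace App\Http\Middleware;

use Illuminate\Contracts\Encryption\Encrypter;
use Illuminate\Contracts\Foundation\Application;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /** URIs excluded from CSRF checking; the Apple callback is appended at runtime. */
    protected $except = [];

    public function __construct(Application $app, Encrypter $encrypter)
    {
        parent::__construct($app, $encrypter);

        // Assumed: config/services.php maps 'apple.redirect' to APPLE_REDIRECT_URI, e.g.
        // APPLE_REDIRECT_URI=https://example.com/handle/apple/callback
        $redirect = config('services.apple.redirect');
        if (is_string($redirect) && $redirect !== '') {
            // $except entries are paths without a leading slash, so drop scheme and host.
            $path = parse_url($redirect, PHP_URL_PATH) ?: $redirect;
            $this->except[] = ltrim($path, '/');
        }
    }
}

// --- app/Http/Controllers/AppleCallbackController.php (assumed name) ----------
// Routed with: Route::post('handle/apple/callback', AppleCallbackController::class);
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Laravel\Socialite\Facades\Socialite;

class AppleCallbackController extends Controller
{
    /**
     * Apple redirects with response_mode=form_post, so the callback is a POST whose
     * body carries `code` and `state`. With VerifyCsrfToken skipped for this route,
     * the `state` value is the only thing tying the response to the session that
     * started the flow, so it is verified before anything else happens.
     */
    public function __invoke(Request $request)
    {
        // Assumed: Socialite stored its random state under the session key 'state'
        // when it built the authorization URL. Read it with get(), not pull(), so
        // Socialite's own check (which pulls the key) still finds it below.
        $expected = $request->session()->get('state');
        $given = $request->input('state');

        if (!is_string($expected) || $expected === ''
            || !is_string($given) || !hash_equals($expected, $given)) {
            abort(403, 'OAuth state mismatch');
        }

        // Exchanges the authorization code; Socialite re-checks the state on the way.
        $appleUser = Socialite::driver('apple')->user();

        // ... find or create the local account from $appleUser->getId(), log in, redirect.
        return redirect()->intended('/');
    }
}
```

One caveat worth checking before concluding the state check itself is broken: the callback is a cross-site POST from Apple, and browsers do not attach a cookie marked SameSite=Lax (Laravel's default for the session cookie) to such a request. If `session('state')` is always empty on the callback, the session cookie never arrived; relaxing `same_site` to `none` for the session cookie, which also requires `secure`, is the usual remedy, and the state check above is what then prevents a forged callback from being accepted.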

The same issue

gustafsilva, May 12 '21 02:05

@mirko77 @gustafsilva Could either of you provide an example test repo that demonstrates this issue?

mikebronner, May 12 '21 16:05