laravel-echo-server

Sanctum SPA Authentication (CSRF protection) got HTTP status 401

Open anwarx4u opened this issue 4 years ago • 6 comments

Describe the bug

Hi all, I am using the Sanctum SPA Authentication (CSRF protection) system for my application Authentication. It is working well. But I am unable to authenticate broadcasting.

The following process is being used:

Middleware : Broadcast::routes(['middleware' => ['auth:sanctum']]);

laravel-echo-server.json


{
    "authHost": "https://web.test",
    "authEndpoint": "/broadcasting/auth",
    "clients": [],
    "database": "redis",
    "databaseConfig": {
        "redis": {},
        "sqlite": {
            "databasePath": "/database/laravel-echo-server.sqlite"
        }
    },
    "devMode": true,
    "host": null,
    "port": "6002",
    "protocol": "https",
    "socketio": {},
    "secureOptions": 67108864,
    "sslCertPath": "/Users/macbook/.config/valet/Certificates/web.test.crt",
    "sslKeyPath": "/Users/macbook/.config/valet/Certificates/web.test.key",
    "sslCertChainPath": "/Users/macbook/.config/valet/Certificates/web.test.csr",
    "sslPassphrase": "",
    "subscribers": {
        "http": true,
        "redis": true
    },
    "apiOriginAllow": {
        "allowCors": true,
        "allowOrigin": "",
        "allowMethods": "",
        "allowHeaders": "Origin, Content-Type, X-Auth-Token, X-Requested-With, Accept, Authorization, X-CSRF-TOKEN, X-Socket-Id"
    }
}

Bootstrap.js

import Echo from 'laravel-echo';
window.io = require('socket.io-client');

var lv_echo_port = process.env.MIX_LARAVEL_ECHO_PORT ? process.env.MIX_LARAVEL_ECHO_PORT: 6001;
window.Echo = new Echo({
    broadcaster: "socket.io",
    host: window.location.hostname + ":"+ lv_echo_port,
    withCredentials: true,
    auth: {
        headers: {
            'Referer': window.location.hostname
        }
    },
});

Error

laravel-echo-server start

I am getting the following errors when I run the above command:

image

Am I doing something wrong? Please advise me regarding this.

Thanks in advance.

Anwar

anwarx4u, Nov 18 '20 14:11

Hi, try Broadcast::routes(['middleware' => ['web']]);. Don't know why, but it helps for me.

HalfBottleOfMind, Nov 18 '20 14:11

@HalfBottleOfMind

Yeah, I knew it would work!
Actually, the "web" middleware does not check users' authentication. It works only on the public channel. That's why there are no 401/403 errors! But I have some broadcasting channels which require authentication and authorization.

So, I need an authentication middleware, which is already mentioned in the Laravel docs.

anwarx4u, Nov 18 '20 15:11

@tlaverdure @taylorotwell

Can you help me regarding this, please?

anwarx4u, Nov 19 '20 06:11

bump

Ken-vdE, Jul 22 '21 11:07

Try: Broadcast::routes(['middleware' => ['api', 'auth:sanctum']]);

martio, Oct 05 '21 12:10

I have the same issue, have you got it working?

Edit: I moved my Broadcast::routes(['middleware' => ['auth:sanctum']]); to api.php instead of the BroadcastServiceProvider and it all works now.

Naghal, Oct 06 '23 12:10
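
A regression check for the arrangement in the last comment, added here as an example; it is not code from the thread or from laravel-echo-server. It assumes a Laravel 8 application with Sanctum installed, the App\Models\User factory, and the default RouteServiceProvider, which loads routes/api.php under the api prefix so the endpoint becomes /api/broadcasting/auth; the class name, channel name and socket id are constructed for illustration.

```php
<?php
// Added example, not from the thread. Assumes Laravel 8 with Sanctum,
// Broadcast::routes(['middleware' => ['auth:sanctum']]) in routes/api.php,
// and the default "api" route prefix.

namespace Tests\Feature;

use App\Models\User;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;

class BroadcastAuthTest extends TestCase
{
    // Constructed values: the channel name and socket id are placeholders.
    private $payload = [
        'channel_name' => 'private-example.1',
        'socket_id'    => '1234.5678',
    ];

    public function test_guest_cannot_reach_broadcast_auth(): void
    {
        // No session cookie and no token: auth:sanctum must answer 401.
        $this->postJson('/api/broadcasting/auth', $this->payload)
             ->assertUnauthorized();
    }

    public function test_signed_in_user_passes_the_auth_middleware(): void
    {
        // make() builds the user in memory, so no database is needed.
        Sanctum::actingAs(User::factory()->make(['id' => 1]));

        $response = $this->postJson('/api/broadcasting/auth', $this->payload);

        // Past the middleware the broadcaster decides; a 403 here means the
        // channel callback refused, which is authorization, not a failed login.
        $this->assertNotSame(401, $response->status());
    }
}
```

Under the same assumption, authEndpoint in laravel-echo-server.json has to name the prefixed path (/api/broadcasting/auth), otherwise the echo server keeps calling a route that no longer exists.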