Sanctum 和 Postman 的 SPA 身份验证问题 [英] SPA Authentication Issues with Sanctum and Postman
问题描述
我目前正在尝试使用 Laravel 8.19.0 和 Postman 7.36.1 测试 SPA,但我不断收到未经身份验证"的消息.来自受auth:sanctum"保护的路由的响应,即使我已正确登录.
I'm currently trying to test an SPA using Laravel 8.19.0 and Postman 7.36.1 but I keep getting an "Unauthenticated" response from a route that's guarded by "auth:sanctum", even though I have logged in correctly.
据我所知,我完全遵循了 https://laravel.com/docs/8.x/sanctum为了将 Sanctum 设置为用于 SPA,我做了以下工作:
As far as I can understand, I've followed the documentation fully at https://laravel.com/docs/8.x/sanctum in order to set Sanctum up to be used for SPA so I've done the following:
- 安装了 Sanctum.
- 发布了 Sanctum 配置.
- 执行了迁移.
- 在 Http 内核中包含了 ensureFrontendRequestsAreStateful 中间件和
EnsureFrontendRequestsAreStateful::class". - 将我的本地域(相同的顶级域,但 1 个带有测试"子域,另一个带有api")添加到有状态域"中Sanctum 配置文件中的选项.
- 设置supports_credentials";cors 配置中的选项为true".
- 设置我的顶级域,前缀为.";用于域"会话配置中的选项.
然后,我使用 https 上的指南设置了 Postman://blog.codecourse.com/laravel-sanctum-airlock-with-postman/所以我编写了一个脚本来从/sanctum/csrf-cookie"获取 CSRF 令牌;然后使用所述令牌作为X-XSRF-TOKEN"的值;在请求标头中,我可以成功登录.但是,当我之后尝试访问由auth:sanctum"保护的路由时,守卫,即使在请求标头中设置了引用和X-XSRF-TOKEN",我也无法访问该路由.
Then, I've set Postman up using the guide at https://blog.codecourse.com/laravel-sanctum-airlock-with-postman/ so I've written a script to get the CSRF token from "/sanctum/csrf-cookie" then used said token as the value for the "X-XSRF-TOKEN" in the request header and I can succesfully log in. however, when I try to access a route afterwards that's guarded by the "auth:sanctum" guard, even with the referrer and 'X-XSRF-TOKEN' being set up in the request header I cannot access the route.
调试后,我可以看到 $this->auth->guard($guard)->check() 在 authenticate($request,数组 $guards) 方法 where $guard = "sanctum" 在 \vendor\laravel\framework\src\Illuminate\Auth\Middleware\Authenticate.php在第 63 行,因为 $this->user() 对于 Illuminate\Auth\RequestGuard 实例为 null.
After debugging, I can see that $this->auth->guard($guard)->check() is returning false in the authenticate($request, array $guards) method where $guard = "sanctum" in \vendor\laravel\framework\src\Illuminate\Auth\Middleware\Authenticate.php on line 63 because $this->user() is null for the Illuminate\Auth\RequestGuard instance.
对于要检查的事情的任何帮助甚至想法都将不胜感激,因为我不确定从这里开始做什么,没有花一天时间深入研究请求保护对象及其实例!
Any help or even ideas on things to check would be greatly appreciated as I'm unsure on what to do from here, short of spending a day digging deeper into the request guard object and its instantiation!
谢谢.
推荐答案
问题已经解决,是 Postman 只保存了XSRF-TOKEN"造成的.和laravel_session"测试"cookies登录后的子域(登录 URL 使用此子域),因此不会将它们传递给api".当尝试访问受auth:sanctum"保护的路由时,您可以访问子域.通过将相同的 cookie 添加到api"子域通过管理 Cookie"Postman 中的菜单,现在可以按预期访问该路线.
Issue has since been resolved and was caused by Postman only saving the "XSRF-TOKEN" and "laravel_session" cookies to the "test" subdomain after logging in (the login URL used this sub domain) and thus not passing them to the "api" subdomain when trying to access the route which was protected by "auth:sanctum". By adding the same cookies to the "api" subdomain via the "Manage Cookies" menu in Postman, the route can now be accessed as intended.
这篇关于Sanctum 和 Postman 的 SPA 身份验证问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
