Laravel通过CreateFreshApiToken进行的身份验证始终返回{"message":“未验证". [英] Laravel passport auth through CreateFreshApiToken always returns {"message":"Unauthenticated."}

问题描述

我试图让我的用户登录后通过Javasscript使用我自己的API，如

I am trying to allow my users, once they are logged in, to consume my own API through Javasscript as described there https://laravel.com/docs/5.7/passport#consuming-your-api-with-javascript

我已经安装了Passport.我的网络中间件定义为

I have installed Passport. My web middleware is defined as

'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        // \Barryvdh\Cors\HandleCors::class,
        // \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \App\Http\Middleware\SetLocale::class,
        \Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
    ],

我看到登录后似乎确实创建了一个"laravel_token" cookie.

I see that a "laravel_token" cookie seems indeed to be created after login.

然后我尝试将简单的get请求发送到API路由

I've then tried sending a simple get request to an API route

window.$.ajax({
    headers: {
        'Accept': 'application/json',
        'X-Requested-With': 'XMLHttpRequest',
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    },
    type: 'GET',
    url: 'https://mywebsite.test/api/testApi',
    success: function (response) {
        console.log(response);
    },
    error: function (xhr) {
        console.error(xhr.responseText);
    }
});

我唯一得到的答复是

{"message":"Unauthenticated."}

我想念什么?

更新

该请求是从子域client.mywebsite.test执行的，经过调查，这似乎是问题所在.从mywebsite.test执行ajax调用时，身份验证可以很好地进行.如何为子域修复该问题?

The request is performed from a subdomain, client.mywebsite.test, and after investigation that's what seems to be the issue. Authentication works well when performing the ajax call from mywebsite.test. How can I fix that for the subdomain?

从子域请求时请求标头:

Request headers when requesting from subdomain:

OPTIONS /api/testApi HTTP/1.1
Host: mywebsite.test
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: https://client.mywebsite.test
Access-Control-Request-Headers: x-csrf-token,x-requested-with
Accept: */*
Referer: https://client.mywebsite.test/home

从域请求时请求标头:

GET /api/testApi HTTP/1.1
Host: mywebsite.test
Connection: keep-alive
X-CSRF-TOKEN: fLTkaq9p62FROutzch2iE9IF864al8adFnxptbve
X-Requested-With: XMLHttpRequest
Cookie: laravel_token=[...]; XSRF-TOKEN=[...]; mywebsite_session=[...];

推荐答案

浏览后浏览和浏览.

事实证明，问题确实出在Cookie没有与CORS请求一起发送的情况下.我通过在Ajax调用中添加"withCredentials"来解决该问题:

Turns out the problem comes, indeed, from the cookies not being sent with the request for CORS. I fixed it by adding "withCredentials" to my Ajax call:

window.$.ajax({
    headers: {
        'Accept': 'application/json',
        'X-Requested-With': 'XMLHttpRequest',
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    },
    xhrFields: {
       withCredentials: true
    },
    type: 'GET',
    url: 'https://mywebsite.test/api/testApi',
    success: function (response) {
        console.log(response);
    },
    error: function (xhr) {
        console.error(xhr.responseText);
    }
});

您还需要确保响应的标头指定接受凭据:

You also need to ensure the headers for your response specify that credentials are accepted:

header('Access-Control-Allow-Credentials: true');

这篇关于Laravel通过CreateFreshApiToken进行的身份验证始终返回{"message":“未验证".的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！