I am having an issue with a sub domain and Laravel Sanctum. On the sub domain I am getting unauthorised. It is working just fine locally.
I have added the domain to sanctum domain/.env. I have also set up the cors/config as per the Laravel documentation regarding sub domains, and no luck. There is an htpasswd on the site, could that be causing the issue? I am out of ideas :(.
Has anyone experienced this before when using htpasswd? If you need some code please feel free to ask.
EDIT*
cors config
return [
    /*
    |--------------------------------------------------------------------------
    | Cross-Origin Resource Sharing (CORS) Configuration
    |--------------------------------------------------------------------------
    |
    | Here you may configure your settings for cross-origin resource sharing
    | or "CORS". This determines what cross-origin operations may execute
    | in web browsers. You are free to adjust these settings as needed.
    |
    | To learn more: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
    |
    */
    'paths' => ['api/*'],
    'allowed_methods' => ['*'],
    'allowed_origins' => ['*'],
    'allowed_origins_patterns' => [],
    'allowed_headers' => ['*'],
    'exposed_headers' => [],
    'max_age' => 0,
    'supports_credentials' => true,
];
sanctum config
return [
    /*
    |--------------------------------------------------------------------------
    | Stateful Domains
    |--------------------------------------------------------------------------
    |
    | Requests from the following domains / hosts will receive stateful API
    | authentication cookies. Typically, these should include your local
    | and production domains which access your API via a frontend SPA.
    |
    */
    'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost,127.0.0.1')),
    /*
    |--------------------------------------------------------------------------
    | Expiration Minutes
    |--------------------------------------------------------------------------
    |
    | This value controls the number of minutes until an issued token will be
    | considered expired. If this value is null, personal access tokens do
    | not expire. This won't tweak the lifetime of first-party sessions.
    |
    */
    'expiration' => null,
    /*
    |--------------------------------------------------------------------------
    | Sanctum Middleware
    |--------------------------------------------------------------------------
    |
    | When authenticating your first-party SPA with Sanctum you may need to
    | customize some of the middleware Sanctum uses while processing the
    | request. You may change the middleware listed below as required.
    |
    */
    'middleware' => [
        'verify_csrf_token' => App\Http\Middleware\VerifyCsrfToken::class,
        'encrypt_cookies' => App\Http\Middleware\EncryptCookies::class,
    ],
];
.env
APP_NAME="Events"
APP_ENV=local
APP_KEY=base64:COUzIB3fLtC9H7VYX4UdQAx8I2V7Hq9BoeJNjPATwMM=
APP_DEBUG=true
APP_URL=http://events.hiddendomain.com
LOG_CHANNEL=stack
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=hiddenname
DB_USERNAME=hiddenuser
DB_PASSWORD=hiddenpw
BROADCAST_DRIVER=log
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
SESSION_DRIVER=cookie
SESSION_LIFETIME=120
SESSION_DOMAIN='.hiddendomain.com'
SANCTUM_STATEFUL_DOMAIN="events.hiddendomain.com"
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
MAIL_MAILER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS=null
MAIL_FROM_NAME="${APP_NAME}"
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
I've added this to axios
axios.defaults.withCredentials = true;
Vue call
getEventDays() {
    axios.get(`/api/event/${this.eventSlug}/${this.slugify(this.selectedAgendaType)}/get-days`)
        .then((res) => {
            // Set the days
            this.days = res.data.data;
            // set the selected day to the day id
            this.selectedDay = res.data.data[0].id;
            // get the sessions for the day(selectedDay) e.g api call
            this.getDayWithSessions();
        })
        .catch((err) => console.error(err.response || err));
},
I have removed the domain name as I can't reveal the name but the principle will be the same.
People have asked for code, however there isn't much to Sanctum. The site isn't a full SPA. I'm just using a Vue component in a Blade view.
UPDATE
I have since removed the htpasswd and I still have the issue. I have possibly 30 different sites and everything is the same on every site, and still no luck getting it to work on a sub domain.
UPDATE
I have since replicated this on my localhost by using valet and setting up a sub domain. The exact same issue occurs!
Thanks all in advance.
You need to allow the top domain name only; Laravel Sanctum does not need your subdomain's full name as an allowed stateful domain.
In your case, allowing hiddendomain.com is enough.
SANCTUM_STATEFUL_DOMAINS=hiddendomain.com
I hope this helps.
Regards.
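A check for the configuration posted in the question, as an added example that is not part of the original question or answer: the posted sanctum config reads `SANCTUM_STATEFUL_DOMAINS`, while the posted .env defines `SANCTUM_STATEFUL_DOMAIN`, so `env()` returns its default of `localhost,127.0.0.1`. The function names and the trimmed sample strings below are constructed for illustration.

```javascript
// Added example, not code from the question or answer. Cross-checks the env()
// names a Laravel config file reads against the keys a .env file defines.
// Constructed sample input, trimmed from the two files posted in the question.
const sanctumConfig = `
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost,127.0.0.1')),
`;
const dotEnv = `
APP_URL=http://events.hiddendomain.com
SESSION_DOMAIN='.hiddendomain.com'
SANCTUM_STATEFUL_DOMAIN="events.hiddendomain.com"
`;

// Every env('NAME', default) call; fallback is null unless a string default is given.
function envReferences(phpSource) {
  const re = /env\(\s*['"]([A-Z0-9_]+)['"]\s*(?:,\s*(?:['"]([^'"]*)['"]|[^)]*))?\s*\)/g;
  return [...phpSource.matchAll(re)].map((m) => ({ name: m[1], fallback: m[2] ?? null }));
}

// Keys defined in a .env file (blank lines and # comments skipped).
function envKeys(text) {
  return text.split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#') && line.includes('='))
    .map((line) => line.slice(0, line.indexOf('=')).trim());
}

// Levenshtein distance, used to flag a key that is almost the expected name.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Referenced variables that .env never sets, each with its closest defined key.
function unsetReferences(phpSource, envText) {
  const keys = envKeys(envText);
  return envReferences(phpSource)
    .filter((ref) => !keys.includes(ref.name))
    .map((ref) => ({ ...ref, nearMiss: keys.find((k) => editDistance(k, ref.name) <= 2) ?? null }));
}

console.log(unsetReferences(sanctumConfig, dotEnv));
```

Any entry it reports is a variable whose config value silently falls back to the default, which is worth checking before changing the value itself.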