Getting CSRF token mismatch on all post calls #229

thecyrilcril · 2023-09-21T03:14:54Z

thecyrilcril
Sep 21, 2023

I am getting "CSRF token mismatch" on all POST calls make via the documentation page

bikash-kodiary · 2023-09-21T06:40:04Z

bikash-kodiary
Sep 21, 2023

Comment out \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class on Kernel.php file, if you are using scantum.

0 replies

rabol · 2023-09-25T05:32:27Z

rabol
Sep 25, 2023

this is just a 'hack'
It would be nice with a real solution

0 replies

sprklinginfo · 2023-12-16T18:28:58Z

sprklinginfo
Dec 16, 2023

I hope to use it for a legacy project (Laravel 9) with auth:sanctum for all APIs. I tried on the local and got "CSRF token mismatch" error too. I agree with @rabol that comments off EnsureFrontendRequestsAreStateful::class is a hack since I am planning to push to the production and control access with viewApiDocs gate. Are there any other solutions ? Thanks.

0 replies

layerok · 2024-03-13T01:58:06Z

layerok
Mar 13, 2024

I've already done a pull request #336 to fix this problem. You can check how I've solved this problem.

0 replies

eznix86 · 2024-04-15T05:58:19Z

eznix86
Apr 15, 2024

It is not in a release yet:

Do this to fetch the latest as of the time I write this:

composer require "dedoc/scramble:dev-main#d1d8e26dee3e9e408351b856c645d0af3bd454af" -W

0 replies

nerisonpitogo · 2024-09-08T10:22:43Z

nerisonpitogo
Sep 8, 2024

spent 2 days figuring this out and the solution that worked for me was adding the following in the env file.

SANCTUM_STATEFUL_DOMAINS=localhost

0 replies

daniel-hampton · 2024-09-19T14:25:35Z

daniel-hampton
Sep 19, 2024

I'm running into this problem as well.

In my case it's specifically with Try It on routes that need Bearer tokens and the fact I have $middleware->statefulApi() enabled in bootstrap/app.php

I would like to keep stateful APIs because our front end does call the JSON APIs currently. But I'm currently disabling Try It on the documentation pages.

Is there a way to host the docs on a subdomain so Sanctum doesn't try to use CSRF checks?

Alternatively, is there a way to disable CSRF checks not on an API route, but based on requests coming from the /docs/api path?

4 replies

daniel-hampton Sep 19, 2024

For what it's worth, putting the docs on a subdomain or different domain does seem to work.

I had to add this to my AppServiceProvider and publish the cors config and allow credentials.

Scramble::registerUiRoute('/docs/api')
    ->domain('docs.example.com');
Scramble::registerJsonSpecificationRoute('/docs/api.json')
    ->domain('docs.example.com');

romalytvynenko Sep 22, 2024
Maintainer

@daniel-hampton can you please try Scramble 0.11.15?

daniel-hampton Oct 28, 2024

Sorry for the very delayed response. I'll try to check it out shortly. 😅

romalytvynenko Oct 28, 2024
Maintainer

@daniel-hampton awesome 🤩

stoykovnet · 2024-12-23T15:49:45Z

stoykovnet
Dec 23, 2024

Hi,

It works for me now.

My setup is also Stateful API using Sanctum.

I have updated to Scramble v0.11.31.

Thank you very much for support this case 🙏

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Getting CSRF token mismatch on all post calls #229

{{title}}

Replies: 8 comments 4 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Getting CSRF token mismatch on all post calls #229

Replies: 8 comments · 4 replies

romalytvynenko Sep 22, 2024 Maintainer

romalytvynenko Oct 28, 2024 Maintainer

Replies: 8 comments 4 replies

romalytvynenko Sep 22, 2024
Maintainer

romalytvynenko Oct 28, 2024
Maintainer