Comments (15)
Folks, CSRF protection with Inertia is REALLY simple in Laravel. Yes, you need the CSRF middleware, which is enabled by default. This middleware automatically adds an XSRF-TOKEN cookie to your responses.
That is all you need. You don't need a CSRF meta in your header. You don't need a bootstrap.js file with this stuff. You don't need to add CSRF tokens to your forms as inputs, or to your form submissions at all.
The reason why is that Axios automatically reads the XSRF-TOKEN value from the cookie and adds it to all Inertia (and other XHR) requests.
This is the preferred method of dealing with CSRF tokens, since it refreshes on every single request, and JavaScript always has the latest version.
I hope that helps!
from pingcrm.
For anyone else still struggling with this, if you're using Ziggy, make sure you're calling route(...).url() and not just route(...).
https://github.com/inertiajs/inertia-vue/issues/39#issuecomment-494425358
Update: as of Ziggy 1.0, route() returns a string if you pass it any arguments, so route(...) (no .url()) is fine now.
.url() was what I was looking for! Thanks!!
@jcandan Don't think that will fix my issue. I am using Laravel Sail/Docker in my local development.
@reinink I have already removed the CSRF token from my blade master template. I also took out the code in the bootstrap.js file (except for lodash). I am intermittently getting the 419 error when registering new users. Sometimes I can register successfully and other times I can't. I need to fix this issue because I fear that my other forms will behave in the same manner.
I am running into the same issue. To get past it for now, I am overriding the sendLoginResponse method in the LoginController to comment out the $request->session()->regenerate(); line.

    public function sendLoginResponse(Request $request)
    {
        // Workaround: skip session regeneration on login
        // (regenerate() migrates the session ID and issues a new CSRF token).
        // $request->session()->regenerate();

        $this->clearLoginAttempts($request);

        return $this->authenticated($request, $this->guard()->user())
            ?: redirect()->intended($this->redirectPath());
    }

Not sure of the other implications at this point, but at least I can login and make successful requests.
Hey, @roni-estein and @johnlowery!
Have a look at this PR on the inertia repository.
Namely, lines 39-42 in src/inertia.js as well as line 72 in that same file.
I hope this will help you on your way.
Thanks for the clarification! And thank you for producing Inertiajs.
@johnlowery My pleasure! 🙌
A nice update here. As of six days ago, Laravel has removed all the manual Axios X-CSRF-TOKEN header stuff from bootstrap.js and is now relying solely on the above mentioned behaviour. 👌
This definitely simplified things. Thanks for the follow-up!
Getting 419 from this.$inertia.post('/delivery', this.form) via onSubmit(). I see the XSRF-TOKEN cookie from browser dev tools. Not using any of the tricks mentioned. Not using Ziggy.
Only thing seems to work is to exclude /delivery from CSRF verification in App\Http\Middleware\VerifyCsrfToken, but this seems insecure, and I would prefer not to do this.
Inertia v0.10.1
Laravel v8.59.0
I am in the same boat as you @jcandan . Did you find another solution? I keep getting the 419 error when trying to register a user to the application. I am using Laravel Breeze... Anybody else have the 419 error when using Breeze?
Hey folks, be sure to read this page: https://inertiajs.com/csrf-protection
In particular:
If you're using Laravel, be sure to omit the csrf-token meta tag from your project, as this will prevent the CSRF token from refreshing properly.
For me, it turned out to be an Apache configuration; we commented out a v-host Set-Cookie config to fix the issue. I realize this may not be the solution for most folks, but noting it here for posterity.
A note to my future self or anyone facing a 419 error looking for potential solutions:
CSRF validation based on X-XSRF-TOKEN from Axios won't work out of the box if cookies are serialized in Laravel. The setting for serializing cookies is in App\Http\Middleware\EncryptCookies (protected static $serialize = true;).
I'm running an older app, and when upgrading it a few years ago to 5.6 I enabled cookie serialization as described in the upgrade docs:
https://laravel.com/docs/5.6/upgrade
Changing the setting to $serialize = false (which is now the default value in Laravel) fixes the issue.