CSRF token mismatch randomly occurs with auth since installing Pulse about pulse HOT 11 CLOSED

Hello, i also have the same problem.

When i have PULSE_ENABLED=true i have an error

production.ERROR: No application encryption key has been specified. {"exception":"[object] (Illuminate\\Encryption\\MissingAppKeyException(code: 0): No application encryption key has been specified.

only on login/logout process.

my config is not cached but when i cache my config, and test, the error don't appear. I add that caching config not appropriate for my application needs.

I have also run several time php artisan config:clear php artisan key:generate

Pulse Version
1.0.0-beta11

Laravel Version
10.43.0

PHP Version
8.1.13

Database Driver
postgres

from pulse.

Yes, I have laravel sanctum for API-side authentication. However, the problem only occurs when login/logout on the web.

I initially thought it was due to the csrf but when I'm logged and handling other forms using the csrf, there are no problems.

I have the impression that during login/logout, the application can't read the APP_KEY parameter of the env.

However, when the config is cached the error doesn't occur during login/logout.

from pulse.

Are you using redis for session as well and did redis server memory usage maxed out when you faced this issue?

from pulse.

I'm not using Redis for sessions, and memory usage of my Redis node has remained between 50%-60% continuously over the past 14 daya

from pulse.

@sts-ryan-holton do you know if this is only happening to users that visit the /pulse dashboard?

I'm wondering if Livewire, which is used on the dashboard, is somehow causing the token to be regenerated or something.

Have you anything custom in your application around generating / regenerating CSRF tokens?

from pulse.

Also curious about what middleware is used on the Pulse route vs. the other routes

from pulse.

This is happening on non-pulse routes. But I suspect Pulse might be causing this. For example, since I've got Laravel Fortifg and Sanctum in my project, if I try to log in via my front-end, it first makes a request to the sanctum csrf-token endpoint, but this occasionally fails and throws the mismatch error.

This has only started happening since installing Pulse, and prior to this I've had sanctum/fortify in my project for the past 2 years no problem.

I don't do anything custom with my tokens.

from pulse.

Just jumping back in here, I've had several reports from customers within my platform since creating this issue. I've just experienced the CSRF token mismatch error again just now, here's something interesting:

1. Add PULSE_ENABLED=false to .env
2. Run php artisan config:clear
3. Log in is successful

However...

Without setting PULSE_ENABLED=false, strangely it works if I clear my browser cache - not ideal for users. There's certainly something with Pulse affecting the auth/sanctum in some way.

from pulse.

@waazibf are you also using Laravel Sanctum? This seems like it may be a different issue as you error is related to encryption and not CSRF expiration?

from pulse.

I'm struggling to work out what could be causing this one. If either of you could create a reproduction repository, that would be much appreciated.

I'm also wondering if maybe Pulse is silently discarding an exception of something under the hood that might shed some more information on the problem.

Could you both add some Pulse exception logging and see if that gives you any further insights: https://laravel.com/docs/11.x/pulse#pulse-exceptions

from pulse.

Unfortunately I'm not able to replicate this one. We are happy to dive into it, but will need some more information on the potential cause if anyone it able to do any debugging on the issue.

Ping the thread if you have any insights and we can always reopen the issue.

from pulse.