Laravel has recently launched a new authentication gate called Sanctum. In this post, I'll show you how to set up Paw so that it plays nicely with Sanctum's SPA Authentication, which uses Laravel's built-in session authentication.
To make sure we're on the same page, here's my setup:
- Fresh Laravel 7.x installation, with Sanctum enabled (I'm using only the SPA mode).
- Paw (v3) with the following extension installed: Laravel CSRF Token Dynamic Value
If you're set too, let's go.
Let's do this
Step 1. Get the CSRF cookie
In Paw, add a new request that calls GET /sanctum/csrf-cookie. You can name this request "Get Sanctum CSRF cookie."
Step 2. The login endpoint
Let's create another request that'll call POST /login (or your own login endpoint). Configure the request like
Don't forget to set up the values for email/password accordingly.
If everything goes right, you'll get back a user object and a bunch of cookies that sign you in.
Step 3. Don't forget to set the referer
All is good until this point. But don't forget to set the "Referer" header when calling a protected endpoint, because otherwise you'll get
Let's see an example:
baseUrl here points at the Laravel application. The path does not seem to matter, only the domain must match.
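The three steps above, reduced to the headers an HTTP client has to send. This is an added example, not code from the original post or from Laravel. It assumes a constructed host http://app.test, the default laravel_session cookie name, and made-up cookie values. The X-XSRF-TOKEN header is the one Laravel reads the token from, and it must carry the URL-decoded value of the XSRF-TOKEN cookie.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample: Set-Cookie headers of the kind step 1 returns.
# The values are made up; real ones are long encrypted strings.
SAMPLE_SET_COOKIE = [
    "XSRF-TOKEN=eyJpdiI6ImNvbnN0cnVjdGVkIn0%3D; Max-Age=7200; Path=/; SameSite=Lax",
    "laravel_session=Y29uc3RydWN0ZWQ%3D; Max-Age=7200; Path=/; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(headers):
    """Return {name: raw_value} from a list of Set-Cookie header values."""
    jar = {}
    for header in headers:
        pair = header.split(";", 1)[0]  # drop attributes (Path, Max-Age, ...)
        name, _, value = pair.partition("=")
        jar[name.strip()] = value.strip()
    return jar


def session_headers(jar, base_url):
    """Headers for POST /login (step 2) and protected endpoints (step 3)."""
    if "XSRF-TOKEN" not in jar:
        raise ValueError("no XSRF-TOKEN cookie; call GET /sanctum/csrf-cookie first")
    return {
        # Cookies go back exactly as received (still URL-encoded).
        "Cookie": "; ".join(f"{k}={v}" for k, v in jar.items()),
        # The header carries the URL-decoded cookie value.
        "X-XSRF-TOKEN": unquote(jar["XSRF-TOKEN"]),
        # Step 3: same domain as the application; the path is arbitrary.
        "Referer": base_url.rstrip("/") + "/",
    }


def same_domain(referer, base_url):
    """True when the Referer host matches the application's host."""
    return urlsplit(referer).hostname == urlsplit(base_url).hostname


if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_SET_COOKIE)
    for name, value in session_headers(jar, "http://app.test").items():
        print(f"{name}: {value}")
```

A token sent while still URL-encoded (ending in %3D instead of =) is a common reason for a CSRF mismatch when these headers are built by hand.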
If something goes wrong?
You can take a look at Paw's documentation. In most cases, resetting the session (deleting all the cookies) works fine.