6

I'm trying to implement Sanctum SPA Authentication. I'm getting the following error when trying to login (only in production):

production.ERROR: Session store not set on request. {"userId":1,"exception":"[object] (RuntimeException(code: 0): Session store not set on request. at /app/vendor/laravel/framework/src/Illuminate/Http/Request.php:483)

Followed all the steps in the documentation. First calling sanctum/csrf-cookie GET request, then my API login POST request with the session cookie attached. Thank you for any tips!

My login method in AuthController.php, where the exceptioin is happening on line 28.

enter image description here

My Http\Kernel.php file with the middleweres for the API endpoints.

enter image description here

My API endpoint in routes/api.php

enter image description here

froston
  • 1,027
  • 1
  • 12
  • 24

6 Answers6

19

Added StartSession to app/Http/Kernel.php:

protected $middleware = [
        ...
        \Illuminate\Session\Middleware\StartSession::class,
    ];

it worked for me.

Nasser Ali Karimi
  • 4,462
  • 6
  • 34
  • 77
Anton Cvetaev
  • 339
  • 2
  • 10
  • 1
    It will more helpul if you paste de code instead paste an image – Fernando Torres Oct 07 '21 at 03:11
  • indeed adding screenshot of text in answers is not good practice. Noone can copy/paste from it, search engines can't find anything in it. – Jean-François Fabre Jan 18 '22 at 07:58
  • 5
    But why? Documentation doesn't say anything about it, why would I have to do it? – Robert Jul 07 '22 at 20:26
  • @Robert, I think it is because the `StartSession::class` is originally included only in the `protected $middlewareGroups` array, but not in the `protected $middleware` array where, in my case, the /login route belongs to. However, if I add the /login route to the `Route::middleware(['auth:sanctum'])->group`, another error will be shown because the /login route is not authenticated as yet. – jgarcias Apr 05 '23 at 06:58
4

To future you, the correct way to fix the issue is:

  1. Publish Sanctum configuration

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

  1. Inform your app/api middleware to utilize stateful sessions by adding EnsureFrontendRequestsAreStateful class on app/Http/Kernel.php under the correct route groups (api,web, e.t.c)
'api' => [
    \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
...

Following two steps are very crucial

  1. Add frontend domains/IP addresses that are allowed to utilize the Sanctum SPA sessions. This can be done either by adding SANCTUM_STATEFUL_DOMAINS key in your .env file or modifying stateful key's value in the config/sanctum.php file.
  1. For every request to the endpoints protected by sanctum middleware, it must include origin or referer header. Addittionally, include X-XSRF-TOKEN header if applicable.
Murage
  • 509
  • 3
  • 4
0

In your .env file check that APP_URL={your app base url} is correct.

Ahmed
  • 186
  • 1
  • 2
  • 10
0
'api' => [
    \App\Http\Middleware\EncryptCookies::class,
    \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,

    \Illuminate\Session\Middleware\StartSession::class, // Add this line
],

StartSession.php is a session manager, that handle session from every API request.

AkrAm Khan
  • 99
  • 5
0

Added if (!$request->is('api/*') && $request->session()->all()) in app/Http/Middleware/Authenticate.php The request was crashing due to the authenticate middleware checking for session, hence this helped. P.S this fix for sanctum usage.

Hussein Shaikh
  • 1
  • 1
-5

The authentication routes must be in the routes/web.php file.

froston
  • 1,027
  • 1
  • 12
  • 24
  • That is not correct, using web routes just means you are using the web middlewere, you are not getting the benifits of the APIs then. – shamaseen Jan 03 '22 at 14:54
  • https://laravel.com/docs/8.x/sanctum#how-it-works For this feature, Sanctum does not use tokens of any kind. Instead, Sanctum uses Laravel's built-in cookie based session authentication services. Typically, Sanctum utilizes Laravel's web authentication guard to accomplish this. – froston Oct 17 '22 at 19:34