After exhausting all my efforts trying to resolve this issue, I find myself stuck and frustrated. Despite including the CSRF token as suggested by various sources, the problem persists.
The route is utilizing the default 'web' middleware.
Confirmed inclusion of the CSRF token.
I have reached a point of desperation and any guidance or assistance on this matter would be greatly appreciated.
Working with the latest version of Laravel 5.7, with all components up to date.
JS Script:
<script>
// axios and jQuery are used below; in a default Laravel 5.7 install both are also
// exposed on window by resources/js/bootstrap.js, in which case these imports are optional.
import axios from 'axios';
import $ from 'jquery';

export default {
    name: "BankIdLogin",
    data() {
        return {
            status: '',
            error: '',
            message: '',
        }
    },
    created() {
    },
    methods: {
        initiateBankID: function (e) {
            e.preventDefault();
            e.stopPropagation();
            axios
                .post(
                    "/login/bankIdAuthentication", {
                        // CSRF token from the <meta name="csrf-token"> tag rendered by the Blade layout
                        _token: $('meta[name="csrf-token"]').attr('content'),
                        ssn: $('#ssn').val()
                    }
                )
                // axios has already parsed the JSON body into res.data; there is no res.json() on an
                // axios response (that is the fetch API), so the original chain would have thrown.
                .then(res => console.log(res.data));
        },
        collectBankID() {
        }
    }
}
</script>
Response from the call:
{
    "message": "",
    "exception": "Symfony\\Component\\HttpKernel\\Exception\\HttpException",
    "file": "/var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php",
    "line": 204,
    "trace": [...]
}
web.php:
Route::post('/login/bankIdAuthentication', 'Api\LoginController@bankidAuthentication');
LoginController.php:
<?php
namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use App\Models\BankidSignature;
use App\Models\User;
use Frozzare\Personnummer\Personnummer;
use ILabs\Api\BankId;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Extends the imported base Controller; the original extended BaseController, which is never imported.
class LoginController extends Controller
{
    public function bankidAuthentication(Request $request)
    {
        // Normalise the personnummer to the long format. format() yields a falsy value for input it
        // cannot parse (?? only catches null), so fall back to the raw posted value in that case.
        $ssn = Personnummer::format($request->post('ssn'), true) ?: (string) $request->post('ssn');

        if ($ssn !== '') {
            // Only an active user with this ssn may start a BankID login.
            $user = User::where([
                'ssn' => $ssn,
                'active' => 1,
            ]);
            if (!$user->count()) {
                return \GuzzleHttp\json_encode(['status' => 0, 'message' => __('INVALID_SSN')]);
            }

            $bankid = new BankId();
            try {
                $bankid->bankIDAuthenticationRequest($ssn);
                // Keep the ssn for the later collect step.
                session(['ssn' => $ssn]);
                // Request accepted; the original fell through to the 'Unknown Error' response here.
                return \GuzzleHttp\json_encode(['status' => 1, 'message' => '']);
            } catch (\Exception $e) {
                return \GuzzleHttp\json_encode(['status' => 0, 'message' => $e->getMessage()]);
            }
        }

        return \GuzzleHttp\json_encode(['status' => 0, 'message' => 'Unknown Error']);
    }
}
EDIT: Issue resolved after disabling CSRF in the web middleware, revealing a potential CSRF-related root cause...
A discrepancy between the _token provided by the function and that stored in the session has been identified. Example:
_token from request: wiqBYqBdtMJL9JxInySSSBGtYzPGHAjePLNBILRz
_token in session: e5caPLy6N82QEQoUzixHAvojE2SortRKqxOFM3sI
EDIT 2: Further investigation indicates that Ajax calls create separate sessions, aligning with similar observations discussed here on Laracasts - CSRF tokens.
Despite attempting suggested solutions from the forum thread, no success has been achieved.
EDIT 3:
Following a commit of changes, the issue miraculously resolves itself.
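The token mismatch described in the edits above, as an added example that is not part of the question or of Laravel's own code: a stand-alone PHP model of how the VerifyCsrfToken middleware in Laravel 5.7 picks the token from the request (`_token` input first, then the `X-CSRF-TOKEN` header) and compares it with hash_equals against the token of the session the request's cookie resolves to. The in-memory `$sessions` store, `newSession` and the function names are assumptions for illustration; the point shown is that a request arriving without the session cookie gets a fresh session, hence a fresh token, and fails the comparison even though it carries a `_token`.

```php
<?php
// Added example (not from the question or from Laravel): a model of VerifyCsrfToken's decision.

// Hypothetical server-side session store keyed by the session cookie value (assumption).
$sessions = [];

function newSession(array &$sessions): string
{
    $id = bin2hex(random_bytes(16));
    // What session()->token() returns for this session.
    $sessions[$id] = ['_token' => bin2hex(random_bytes(20))];
    return $id;
}

// Mirrors VerifyCsrfToken::getTokenFromRequest (5.7): _token input, then X-CSRF-TOKEN header.
// The encrypted X-XSRF-TOKEN cookie path is left out of this model.
function tokenFromRequest(array $input, array $headers): ?string
{
    return $input['_token'] ?? ($headers['X-CSRF-TOKEN'] ?? null);
}

// Mirrors VerifyCsrfToken::tokensMatch: constant-time comparison against the token of the
// session the request resolves to. No (or unknown) cookie means Laravel starts a new session.
function tokensMatch(array &$sessions, ?string $cookieSessionId, array $input, array $headers): bool
{
    $sid = ($cookieSessionId !== null && isset($sessions[$cookieSessionId]))
        ? $cookieSessionId
        : newSession($sessions);
    $sessionToken = $sessions[$sid]['_token'];
    $token = tokenFromRequest($input, $headers);
    return is_string($sessionToken) && is_string($token) && hash_equals($sessionToken, $token);
}

// 1. The page is rendered under session A; its <meta name="csrf-token"> carries A's token.
$sidA = newSession($sessions);
$metaToken = $sessions[$sidA]['_token'];

// 2. Ajax POST that carries A's session cookie: the tokens match.
var_dump(tokensMatch($sessions, $sidA, ['_token' => $metaToken], []));

// 3. Same POST without the session cookie: the server creates session B with its own token,
//    so the comparison fails and the middleware throws TokenMismatchException (HTTP 419).
var_dump(tokensMatch($sessions, null, ['_token' => $metaToken], []));

// 4. Sending the token in the header instead of the body works the same way, as long as the
//    session cookie is present.
var_dump(tokensMatch($sessions, $sidA, [], ['X-CSRF-TOKEN' => $metaToken]));
```

The practical check this suggests is to compare the session cookie sent with the failing Ajax request against the one set when the page was rendered; if they differ (or the cookie is absent), the `_token` is being compared against a different session's token.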