Skip to content

Feature to treat same domain requests to be from frontend and make stateful #564

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Apr 22, 2025
Merged

Feature to treat same domain requests to be from frontend and make stateful #564

merged 7 commits into from
Apr 22, 2025

Conversation

denjaland
Copy link
Contributor

@denjaland denjaland commented Apr 16, 2025
edited
Loading

Our application is running under multiple domain names (multi tenant), each domain name hosting an SPA which communicates to the API endpoints under their own domain name as well.

In order to make sure that Sanctum recognizes these incoming requests as coming from the frontend, today we can only add them to the configuration file, which is cached, and which makes it cumbersome when we want to have that automatcally updated when a user adds a new domain name.

So we were looking into how we could resolve this by overriding the default behaviour of the middleware fromFrontend() method to dynamically check against the tenant host names in our database, but while doing so we actually came to the conclusion that in fact any call that is from the same domain (the referer / origin matches the request host), should be considered as being from the SPA frontend and therefore be made stateful.

Personally, I don't really see a case where this logic would not be applicable, and maybe this could be included into the standard behaviour, but as I'm sure this was thought through when implemented initially, I probably overlook a reason as to why you might not want this behaviour, so I made this PR backwards compatible, by adding a config parameter to enable this behaviour, so it remains disabled by default, and this can be released in a minor.

@denjaland denjaland changed the title Introducing the ability to dynamically include the request http host … Feature to treat same domain requests to be from frontend and make stateful Apr 17, 2025
@taylorotwell
Copy link
Member

@denjaland I wonder if we could have a Sanctum::currentRequestHost() method that you can add to the stateful config array... that method would return some placeholder string like CURRENT_REQUEST_HOST which we then find and replace dynamically. Does that make sense? I think that would be cleaner than a new config option.

@taylorotwell taylorotwell marked this pull request as draft April 18, 2025 14:54
@denjaland
Copy link
Contributor Author

@taylorotwell, yes that does make sense, and that was actually my first approach as well. At some point however, I didn't go forward with it because configuration is cached, and I can't include the dynamic host into the stateful list.
I revisited the code, and now I'm using a fixed token I'm replacing at runtime in the fromFrontend() check.

I'm not sure whether you have a standard pattern to use such fixed tokens, so please let me know if you prefer this differently.

@denjaland denjaland marked this pull request as ready for review April 22, 2025 06:30
@denjaland
Copy link
Contributor Author

(I just noticed you actually proposed using a token now LOL - apparently I didn't read beyond your first sentence; I guess I had too many easter eggs ;-) )

@taylorotwell taylorotwell merged commit 4e4ced5 into laravel:4.x Apr 22, 2025
8 checks passed
denjaland added a commit to denjaland/sanctum that referenced this pull request Apr 23, 2025
@denjaland
Fix on laravel#564, making sure both Sanctum::currentApplicationUrlWi…
2d9137e 
…thPort() and Sanctum::currentRequestHost() work in a similar way by prepending the url or placeholder with a comma.
@denjaland denjaland mentioned this pull request Apr 23, 2025
Merged
taylorotwell pushed a commit that referenced this pull request Apr 23, 2025
@denjaland
Fixes inconsistency in Sanctum::currentApplicationUrlWithPort() and S…
a360a6a 
…anctum::currentRequestHost() (#565)

* Fix on #564, making sure both Sanctum::currentApplicationUrlWithPort() and Sanctum::currentRequestHost() work in a similar way by prepending the url or placeholder with a comma.

* Fixing styling issues.
@siarheipashkevich
Copy link

@denjaland please add the documentation for this

@denjaland
Copy link
Contributor Author

@denjaland please add the documentation for this

Since there is no documentation on the use of Sanctum::currentRequestHost(), I followed example and didn't create a PR for addinv it into the docs.

I noticed however thag @taylorotwell removed the little documentation I added into the config file, so I agree that maybe we should add it to the documentation.

Shall I create a PR, @taylorotwell, meanwhile documenting the currejtRequestHost helper as well?

denjaland added a commit to denjaland/laravel-docs that referenced this pull request Apr 25, 2025
@denjaland
Documents changes in laravel/sanctum#564
12b639c 
Adds documentation to the Sanctum helper functions.
@denjaland
Copy link
Contributor Author

@siarheipashkevich I went ahead and created the PR at laravel/docs#10350.

taylorotwell added a commit to laravel/docs that referenced this pull request Apr 25, 2025
@denjaland @taylorotwell
Documents changes in laravel/sanctum#564 (#10350)
da16b49 
* Documents changes in laravel/sanctum#564

Adds documentation to the Sanctum helper functions.

* Update sanctum.md

---------

Co-authored-by: Taylor Otwell <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@denjaland @taylorotwell @siarheipashkevich