Skip to content

Feature to treat same domain requests to be from frontend and make stateful#564

Merged
taylorotwell merged 7 commits intolaravel:4.xfrom
denjaland:4.x
Apr 22, 2025
Merged

Feature to treat same domain requests to be from frontend and make stateful#564
taylorotwell merged 7 commits intolaravel:4.xfrom
denjaland:4.x

Conversation

@denjaland
Copy link
Contributor

@denjaland denjaland commented Apr 16, 2025
edited
Loading

Our application is running under multiple domain names (multi tenant), each domain name hosting an SPA which communicates to the API endpoints under their own domain name as well.

In order to make sure that Sanctum recognizes these incoming requests as coming from the frontend, today we can only add them to the configuration file, which is cached, and which makes it cumbersome when we want to have that automatcally updated when a user adds a new domain name.

So we were looking into how we could resolve this by overriding the default behaviour of the middleware fromFrontend() method to dynamically check against the tenant host names in our database, but while doing so we actually came to the conclusion that in fact any call that is from the same domain (the referer / origin matches the request host), should be considered as being from the SPA frontend and therefore be made stateful.

Personally, I don't really see a case where this logic would not be applicable, and maybe this could be included into the standard behaviour, but as I'm sure this was thought through when implemented initially, I probably overlook a reason as to why you might not want this behaviour, so I made this PR backwards compatible, by adding a config parameter to enable this behaviour, so it remains disabled by default, and this can be released in a minor.

@denjaland denjaland changed the title Introducing the ability to dynamically include the request http host … Feature to treat same domain requests to be from frontend and make stateful Apr 17, 2025
@taylorotwell
Copy link
Member

taylorotwell commented Apr 18, 2025

@denjaland I wonder if we could have a Sanctum::currentRequestHost() method that you can add to the stateful config array... that method would return some placeholder string like CURRENT_REQUEST_HOST which we then find and replace dynamically. Does that make sense? I think that would be cleaner than a new config option.

@taylorotwell taylorotwell marked this pull request as draft April 18, 2025 14:54
@denjaland
Copy link
Contributor Author

denjaland commented Apr 22, 2025

@taylorotwell, yes that does make sense, and that was actually my first approach as well. At some point however, I didn't go forward with it because configuration is cached, and I can't include the dynamic host into the stateful list.
I revisited the code, and now I'm using a fixed token I'm replacing at runtime in the fromFrontend() check.

I'm not sure whether you have a standard pattern to use such fixed tokens, so please let me know if you prefer this differently.

@denjaland denjaland marked this pull request as ready for review April 22, 2025 06:30
@denjaland
Copy link
Contributor Author

denjaland commented Apr 22, 2025

(I just noticed you actually proposed using a token now LOL - apparently I didn't read beyond your first sentence; I guess I had too many easter eggs ;-) )

@taylorotwell taylorotwell merged commit 4e4ced5 into laravel:4.x Apr 22, 2025
8 checks passed
@denjaland denjaland mentioned this pull request Apr 23, 2025
Merged
taylorotwell pushed a commit that referenced this pull request Apr 23, 2025
@denjaland
Fixes inconsistency in Sanctum::currentApplicationUrlWithPort() and S…
a360a6a 
…anctum::currentRequestHost() (#565)

* Fix on #564, making sure both Sanctum::currentApplicationUrlWithPort() and Sanctum::currentRequestHost() work in a similar way by prepending the url or placeholder with a comma.

* Fixing styling issues.
@siarheipashkevich
Copy link

siarheipashkevich commented Apr 24, 2025

@denjaland please add the documentation for this

@denjaland
Copy link
Contributor Author

denjaland commented Apr 25, 2025

@denjaland please add the documentation for this

Since there is no documentation on the use of Sanctum::currentRequestHost(), I followed example and didn't create a PR for addinv it into the docs.

I noticed however thag @taylorotwell removed the little documentation I added into the config file, so I agree that maybe we should add it to the documentation.

Shall I create a PR, @taylorotwell, meanwhile documenting the currejtRequestHost helper as well?

@denjaland
Copy link
Contributor Author

denjaland commented Apr 25, 2025

@siarheipashkevich I went ahead and created the PR at laravel/docs#10350.

taylorotwell added a commit to laravel/docs that referenced this pull request Apr 25, 2025
@denjaland @taylorotwell
Documents changes in laravel/sanctum#564 (#10350)
da16b49 
* Documents changes in laravel/sanctum#564

Adds documentation to the Sanctum helper functions.

* Update sanctum.md

---------

Co-authored-by: Taylor Otwell <taylor@laravel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@denjaland @taylorotwell @siarheipashkevich