I have a Nuxt.js frontend application, which performs an authentication request. There is a Laravel/Sanctum application on the backend. It uses built-in cookie-based session authentication. The authentication request fails because no X-XSRF-TOKEN HTTP header is provided in the /login request. Can anybody help to clarify why the header is not created from the cookie provided by the backend?
Note: Everything works properly on my laptop. It fails only when deployed to the test environment (GCP VM instance + GitLab Pages).
Auth code in Nuxt.js:
this.$axios.defaults.withCredentials = true;
await this.$axios.get("/sanctum/csrf-cookie");
console.log(document.cookie);
await this.$axios.post("/login", credentials);
I can see that the XSRF-TOKEN cookie is returned by the server.
I also debugged the axios source code and see that it tries to create the X-XSRF-TOKEN header, taking the XSRF token from document.cookie. But document.cookie doesn't contain the token cookie as of that moment. Why?
I have found the reason. The session domain was incorrect. I have set .my-domain.co.uk and it works now.
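Why the session domain decides whether axios can read the token, shown as an added example that is not part of the original post: a simplified RFC 6265 domain-match check applied to the cookie's Domain attribute. The hostnames api.my-domain.co.uk (backend) and app.my-domain.co.uk (frontend) and both function names are assumptions made for illustration.

```javascript
// Added example. Simplified RFC 6265 (section 5.1.3) domain-match:
// no IP-address or public-suffix handling.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  return h === d || h.endsWith("." + d);
}

// Decide whether a cookie set by apiHost shows up in document.cookie on pageHost.
// domainAttr is the Domain attribute of Set-Cookie (null means a host-only cookie).
function xsrfCookieVisibility(apiHost, pageHost, domainAttr, httpOnly = false) {
  // A browser discards a cookie whose Domain does not cover the responding host,
  // even though the Set-Cookie header is still visible in the network tab.
  if (domainAttr !== null && !domainMatches(apiHost, domainAttr)) {
    return "rejected: Domain does not cover the responding host";
  }
  if (httpOnly) {
    return "hidden: HttpOnly cookies never appear in document.cookie";
  }
  const visible = domainAttr === null
    ? pageHost.toLowerCase() === apiHost.toLowerCase() // host-only: exact host
    : domainMatches(pageHost, domainAttr);
  return visible ? "visible" : "hidden: cookie is not scoped to the page's host";
}

// Constructed hostnames and Domain values (not taken from the post,
// except the corrected ".my-domain.co.uk").
const API = "api.my-domain.co.uk";
const PAGE = "app.my-domain.co.uk";
for (const domainAttr of ["localhost", null, "api.my-domain.co.uk", ".my-domain.co.uk"]) {
  console.log(String(domainAttr).padEnd(22), xsrfCookieVisibility(API, PAGE, domainAttr));
}
```

Only in the "visible" case can axios copy XSRF-TOKEN from document.cookie into the X-XSRF-TOKEN header.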