I have a Laravel login function which creates a Sanctum token once successful:

public function attempt(Request $request)
{
    $validated = $request->validate([
        'email' => ['required', 'email'],
        'password' => 'required',
    ]);

    if (auth()->attempt(array_merge($validated, ['status' => '1']))) {
        $request->session()->regenerate();
        $user = auth()->user();
        $token = $user->createToken('sanctum-token')->plainTextToken;

        return redirect('/horseinfo')->with('message', __('errors.success'))->cookie('api_token', $token, 60, null, null, false, true);
    }

    return back()->withErrors(['email' => 'invalid email.'])->onlyInput('email');
}

Security isn't really my strength. Now, I've read that the token should be stored in an HTTP-only cookie to prevent JavaScript from accessing it. How can I get the cookie containing the token securely so I can access API routes with Sanctum auth when JavaScript cannot access the cookie?

My JS is in a separate file. Is it safe to add the script on a Blade template?

I am using the fetch API to access API routes and have no idea how to get the token.

  • Not giving you access to the cookie in client-side JavaScript code is the point of HttpOnly. Your own code doesn't need access; fetch itself will send the cookie. But if your request is cross-origin, you need to set credentials in your request options appropriately. Commented Jul 8, 2024 at 6:31
  • Thank you for your answer. I've confirmed this, since the fetch API on the same server doesn't require a token, but when used in another API-handling tool it requires authentication. Commented Jul 10, 2024 at 1:33
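The point made in the comment, as an added example (not code from the question author): the client never reads the HttpOnly cookie; it only opts in to sending cookies and attaches Laravel's CSRF token, which Laravel deliberately exposes in the readable XSRF-TOKEN cookie. The route /api/horses is a hypothetical placeholder.

```javascript
// Added example: calling a Sanctum-protected API route from same-origin JavaScript
// without ever touching the HttpOnly cookie. The browser attaches cookies itself;
// our job is the `credentials` option plus the X-XSRF-TOKEN header that Laravel
// checks on state-changing requests authenticated by the session.
// Note: Sanctum reads a personal access token from the Authorization: Bearer
// header, not from an arbitrary cookie, so a same-origin request like this one is
// authenticated by the session cookie (Sanctum's stateful mode), not by api_token.

// Read one cookie by name from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) {
      // Laravel URL-encodes the cookie value (e.g. '=' padding becomes %3D).
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

// Build fetch options for a Sanctum-protected route. `cookieString` is passed in
// (normally document.cookie) so the function can be exercised outside a browser.
function buildApiRequest(method, body, cookieString) {
  const headers = { Accept: 'application/json' }; // get JSON errors, not redirects
  const xsrf = readCookie(cookieString, 'XSRF-TOKEN');
  if (xsrf) headers['X-XSRF-TOKEN'] = xsrf;      // CSRF protection for POST/PUT/DELETE
  if (body !== undefined) headers['Content-Type'] = 'application/json';
  return {
    method,
    // 'same-origin' sends cookies only to our own origin. For a cross-origin API
    // use 'include' and configure SANCTUM_STATEFUL_DOMAINS and CORS server-side.
    credentials: 'same-origin',
    headers,
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Example call from a page script (hypothetical route /api/horses).
async function fetchHorses() {
  const res = await fetch('/api/horses', buildApiRequest('GET', undefined, document.cookie));
  if (res.status === 401) throw new Error('Not authenticated: session cookie missing or expired');
  return res.json();
}
```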
