How do I debug a 419 Page Expired in Laravel for a Google callback?

I've recently updated to the latest Laravel, and while doing that and other development, have somehow broken my Google SSO integration.

I’m not using Socialite but it’s a similar functionality. On my web.php routes, I have:

Route::post('/auth/google/callback', [LoginController::class, 'handleGoogleCallback']);

This is not within auth middleware.

That sends me to my LoginController, where I have:

use Illuminate\Http\Request;

public function handleGoogleCallback(Request $request)
{
    // Get $id_token via HTTPS POST (Google sends it in the "credential" field).
    $validatedRequest = $request->validate([
        'credential' => ['required', 'string', 'max:3000', 'min:100'],
    ]);
    ...

The constructor on this controller is typical, and if I comment out the middleware I still have the problem:

public function __construct()
{
    $this->middleware('guest')->except('logout');
}

Unfortunately, when Google now forwards the user back to this endpoint after successful credentialing, it doesn’t make it to the handleGoogleCallback function. It just errors out with the 419 | Page Expired Error.

None of my other pages have this error, and typical logging in works fine. I've verified typical 419 problems such as setting SESSION_SECURE_COOKIE=false, but the fact that I can log in generally means there's something specific to this endpoint that I've messed up. I've also added the correct accessible endpoints to the Google Cloud console, though it probably wouldn't have even made it back to my site if I hadn't.

So I’m at a loss now. Any thoughts on where the problem could lie, or how I could go about troubleshooting? Thanks.

Solution:

The VerifyCsrfToken middleware that is assigned to the web group of middleware will return a 419 response on a failed CSRF token match (in this case no CSRF token at all).

You can add an exemption for the path of this POST route so that middleware will not attempt to check for a CSRF token:

// app/Http/Middleware/VerifyCsrfToken.php
protected $except = [
    'auth/google/callback',
];

Laravel 10.x Docs – CSRF Protection – Preventing CSRF Requests – Excluding URIs
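As an added example (not the poster's code), this is how the exempted handler can compensate for the missing Laravel CSRF check: Google Identity Services posts a g_csrf_token that also arrives as a cookie on your origin, so the two are compared before the ID token is verified with the google/apiclient library. It assumes `config('services.google.client_id')`, a `google_id` column on users, and that `g_csrf_token` is listed in `EncryptCookies::$except`, because Laravel replaces cookies it cannot decrypt with null.

```php
<?php
// Added example, not the original poster's code. Assumes the google/apiclient
// package, config('services.google.client_id'), a google_id column on users,
// and 'g_csrf_token' in app/Http/Middleware/EncryptCookies::$except (the cookie
// is set by Google's script, not Laravel, so it is not encrypted).

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\User;
use Google\Client as GoogleClient;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Validation\ValidationException;

class LoginController extends Controller
{
    public function handleGoogleCallback(Request $request)
    {
        $data = $request->validate([
            'credential'   => ['required', 'string', 'min:100', 'max:3000'],
            'g_csrf_token' => ['required', 'string'],
        ]);

        // Google Identity Services sends the same g_csrf_token value as a POST
        // field and as a cookie on this origin (double-submit cookie). This
        // stands in for the Laravel CSRF check the route no longer receives.
        $cookieToken = $request->cookie('g_csrf_token');
        if (! is_string($cookieToken) || ! hash_equals($cookieToken, $data['g_csrf_token'])) {
            throw ValidationException::withMessages(['g_csrf_token' => 'CSRF token mismatch.']);
        }

        // verifyIdToken() checks the signature against Google's published keys,
        // the audience (this client_id) and the expiry; it returns false on failure.
        $client  = new GoogleClient(['client_id' => config('services.google.client_id')]);
        $payload = $client->verifyIdToken($data['credential']);
        if ($payload === false || ($payload['email_verified'] ?? false) !== true) {
            throw ValidationException::withMessages(['credential' => 'Invalid Google credential.']);
        }

        // Match the account on Google's stable subject id, not on e-mail alone.
        $user = User::where('google_id', $payload['sub'])->firstOrFail();
        Auth::login($user);
        $request->session()->regenerate();

        return redirect()->intended('/home');
    }
}
```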
