Feature to treat same domain requests to be from frontend and make stateful (#564)

denjaland · taylorotwell · web-flow · commit 4e4ced5023e9 · 2025-04-22T08:53:47.000-05:00
* Introducing the ability to dynamically include the request http host as a domain to be included in the stateful domain list.

* fixying styling issues

* fixying styling issues

* Refactoring to introduce a fixed token for Sanctum::currentRequestHost

* Fixing styling issue

* Update sanctum.php

* Update Sanctum.php

---------

Co-authored-by: Taylor Otwell &lt;taylor@laravel.com&gt;
diff --git a/config/sanctum.php b/config/sanctum.php
@@ -18,7 +18,8 @@
     'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
         '%s%s',
         'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
-        Sanctum::currentApplicationUrlWithPort()
+        Sanctum::currentApplicationUrlWithPort(),
+        // Sanctum::currentRequestHost(),
     ))),
 
     /*
diff --git a/src/Http/Middleware/EnsureFrontendRequestsAreStateful.php b/src/Http/Middleware/EnsureFrontendRequestsAreStateful.php
@@ -5,6 +5,7 @@
 use Illuminate\Routing\Pipeline;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Str;
+use Laravel\Sanctum\Sanctum;
 
 class EnsureFrontendRequestsAreStateful
 {
@@ -83,7 +84,9 @@ public static function fromFrontend($request)
 
         $stateful = array_filter(config('sanctum.stateful', []));
 
-        return Str::is(Collection::make($stateful)->map(function ($uri) {
+        return Str::is(Collection::make($stateful)->map(function ($uri) use ($request) {
+            $uri = $uri === Sanctum::currentRequestHost() ? $request->getHttpHost() : $uri;
+
             return trim($uri).'/*';
         })->all(), $domain);
     }
diff --git a/src/Sanctum.php b/src/Sanctum.php
@@ -42,6 +42,16 @@ public static function currentApplicationUrlWithPort()
         return $appUrl ? ','.parse_url($appUrl, PHP_URL_HOST).(parse_url($appUrl, PHP_URL_PORT) ? ':'.parse_url($appUrl, PHP_URL_PORT) : '') : '';
     }
 
+    /**
+     * Get a fixed token instructing Sanctum to include the current request host in the list of stateful domains.
+     *
+     * @return string
+     */
+    public static function currentRequestHost()
+    {
+        return '__SANCTUM_CURRENT_REQUEST_HOST__';
+    }
+
     /**
      * Set the current user for the application with the given abilities.
      *
diff --git a/tests/Feature/EnsureFrontendRequestsAreStatefulTest.php b/tests/Feature/EnsureFrontendRequestsAreStatefulTest.php
@@ -4,6 +4,7 @@
 
 use Illuminate\Http\Request;
 use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
+use Laravel\Sanctum\Sanctum;
 use Orchestra\Testbench\Concerns\WithWorkbench;
 use Orchestra\Testbench\TestCase;
 
@@ -59,6 +60,18 @@ public function test_request_origin_fallback()
         $this->assertTrue(EnsureFrontendRequestsAreStateful::fromFrontend($request));
     }
 
+    public function test_same_domain_stateful()
+    {
+        $request = Request::create('https://app-domain.com/');
+        $request->headers->set('origin', 'app-domain.com');
+
+        config(['sanctum.stateful' => []]);
+        $this->assertFalse(EnsureFrontendRequestsAreStateful::fromFrontend($request));
+
+        config(['sanctum.stateful' => [Sanctum::currentRequestHost()]]);
+        $this->assertTrue(EnsureFrontendRequestsAreStateful::fromFrontend($request));
+    }
+
     public function test_wildcard_matching()
     {
         $request = Request::create('/');
