So, i just started a project with vue (vite) on front part and laravel on backend part. i decided to have spa authentication with laravel sanctum but on requests that are not get request i keep getting 419 csrf token mismatch. i do send cookies in request headers. There is one thing though, when i have successful get request i see laravel_session and XSRF-TOKEN cookies being changed, but when i send post request (which of course fails) only the laravel_session cookie is changed but XSRF token remains unchanged. maybe this could be the problem. I have used sanctum spa authentication before with next.js but did not have this problem. I will provide some parts of my code to help you understand my problem better.
env
SESSION_DOMAIN=localhost SANCTUM_STATEFUL_DOMAINS=localhost:5173
bootstrap.js
import axios from 'axios';
window.axios = axios;
const csrfToken = document.head.querySelector('meta[name="csrf-token"]').content;
axios.defaults.withCredentials = true;
window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
window.axios.defaults.headers['X-CSRF-TOKEN'] = csrfToken;
HTTP Kernel.php
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'api' => [
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
\Illuminate\Routing\Middleware\ThrottleRequests::class . ':api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
I tried many things, i even hosted the project with nginx, but i have same problem on hosted app.