Laravel is returning a decrypted XSRF-TOKEN cookie

So I'm following the default setup from the Sanctum documentation: I make a request to the CSRF cookie route so that Laravel sets the cookies and attaches the XSRF-TOKEN to the request, but the documentation says:

Laravel stores the current CSRF token in an encrypted XSRF-TOKEN cookie that is included with each response generated by the framework. You can use the cookie value to set the X-XSRF-TOKEN request header.

https://laravel.com/docs/9.x/csrf#csrf-x-csrf-token

This is the frontend code; I retrieve the cookie on every request and send it in the X-XSRF-TOKEN header:

// Assumed imports (not shown in the original): Apollo Client 3 and js-cookie.
import { setContext } from '@apollo/client/link/context'
import Cookie from 'js-cookie'

// AUTH_TOKEN_NAME (the localStorage key for the API token) is defined elsewhere in the app.
const authLink = setContext(async (_, { headers }) => {
  const authToken = localStorage.getItem(AUTH_TOKEN_NAME)

  // Logged on every request; this is where the cookie value is observed
  // alternating between an encrypted payload and a plain-text token.
  console.log(Cookie.get('XSRF-TOKEN'))

  return {
    headers: {
      ...headers,
      authorization: authToken ? `Bearer ${authToken}` : '',
      // js-cookie returns the value already URL-decoded; it is forwarded unchanged.
      'X-XSRF-TOKEN': Cookie.get('XSRF-TOKEN')
    }
  }
})

Of course, this is executed every time a request is made, so here is the relevant console log:

(Screenshot of the browser console output, showing the logged XSRF-TOKEN cookie value; image not reproduced.)

As you can see, for some reason Laravel is randomly sending a decrypted cookie in plain text, and sometimes an encrypted one.

Of course, it's important that only the encrypted cookie be returned, because the X-XSRF-TOKEN header is decrypted on the backend every time, as you can see in \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken:

// Excerpt from Illuminate\Foundation\Http\Middleware\VerifyCsrfToken (Laravel 9.x).
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Cookie\CookieValuePrefix;

/**
 * Get the CSRF token from the request.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return string
 */
protected function getTokenFromRequest($request)
{
    // _token form field and X-CSRF-TOKEN header carry the raw session token.
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    // X-XSRF-TOKEN is expected to carry the encrypted cookie payload: it is
    // decrypted and the cookie-name prefix stripped before comparison.
    if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
        try {
            $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
        } catch (DecryptException $e) {
            // A header that is not a valid encrypted payload (for example the
            // plain-text token) yields an empty token, so the CSRF check fails.
            $token = '';
        }
    }

    return $token;
}

So, does anyone have any idea why Laravel is randomly returning an encrypted and a decrypted CSRF token, instead of only the encrypted one? Or, even weirder, why it's returning both tokens, one type in each request?



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow