fix(csrf-token): add leading dot to session domain cookie. (#224)

* fix(csrf-token): add leading dot to session domain cookie. * refactor: remove generate key, upgrade axios and keep session domain in null. * refactor: fix PSR-12 code styles for PHP 8.2 compatibility. --------- Co-authored-by: Darko Gjorgjijoski <5760249+gdarko@users.noreply.github.com>
2026-04-07 13:41:23 +00:00 · 2025-08-28 02:44:34 -05:00
parent bf0d98c69c
commit 8e96d3e972
13 changed files with 59 additions and 69 deletions
--- a/app/Space/EnvironmentManager.php
+++ b/app/Space/EnvironmentManager.php
@@ -104,14 +104,22 @@ class EnvironmentManager
     */
    public function saveDatabaseVariables(DatabaseEnvironmentRequest $request)
    {
+        $appUrl = $request->get('app_url');
+        if ($appUrl !== config('app.url')) {
+            config(['app.url' => $appUrl]);
+        }
+        [$sanctumDomain, $sessionDomain] = $this->getDomains(
+            $request->getHttpHost()
+        );
        $dbEnv = [
-            'APP_URL' => $request->get('app_url'),
+            'APP_URL' => $appUrl,
            'APP_LOCALE' => $request->get('app_locale'),
            'DB_CONNECTION' => $request->get('database_connection'),
-            'SANCTUM_STATEFUL_DOMAINS' => $request->get('app_domain'),
-            'SESSION_DOMAIN' => explode(':', $request->get('app_domain'))[0],
+            'SESSION_DOMAIN' => $sessionDomain,
        ];
-
+        if ($sanctumDomain !== null) {
+            $dbEnv['SANCTUM_STATEFUL_DOMAINS'] = $sanctumDomain;
+        }
        if ($dbEnv['DB_CONNECTION'] != 'sqlite') {
            if ($request->has('database_username') && $request->has('database_password')) {
                $dbEnv['DB_HOST'] = $request->get('database_hostname');
@@ -462,10 +470,16 @@ class EnvironmentManager
    public function saveDomainVariables(DomainEnvironmentRequest $request)
    {
        try {
-            $this->updateEnv([
-                'SANCTUM_STATEFUL_DOMAINS' => $request->get('app_domain'),
-                'SESSION_DOMAIN' => explode(':', $request->get('app_domain'))[0],
-            ]);
+            [$sanctumDomain, $sessionDomain] = $this->getDomains(
+                $request->get('app_domain')
+            );
+            $domainEnv = [
+                'SESSION_DOMAIN' => $sessionDomain,
+            ];
+            if ($sanctumDomain !== null) {
+                $domainEnv['SANCTUM_STATEFUL_DOMAINS'] = $sanctumDomain;
+            }
+            $this->updateEnv($domainEnv);
        } catch (Exception $e) {
            return [
                'error' => 'domain_verification_failed',
@@ -505,4 +519,25 @@ class EnvironmentManager

        file_put_contents($this->envPath, trim($formatted));
    }
+
+    private function getDomains(string $requestDomain): array
+    {
+        $appUrl = config('app.url');
+
+        $port = parse_url($appUrl, PHP_URL_PORT);
+        $currentDomain = parse_url($appUrl, PHP_URL_HOST).(
+            $port ? ':'.$port : ''
+        );
+
+        $requestHost = parse_url($requestDomain, PHP_URL_HOST) ?: $requestDomain;
+
+        $isSame = $currentDomain === $requestDomain;
+
+        return [
+            $isSame && env('SANCTUM_STATEFUL_DOMAINS', false) === false ?
+            null : $requestDomain,
+            $isSame && env('SESSION_DOMAIN', false) === null ?
+                null : $requestHost,
+        ];
+    }
 }