Skip to content

fix: replace localhost with machine IP in provision.sh and Laravel config to resolve CSRF issues #72

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Felkng merged 13 commits into from
May 19, 2026
Merged

fix: replace localhost with machine IP in provision.sh and Laravel config to resolve CSRF issues #72

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
ea5893e
fix: replace localhost with machine IP in provision.sh and config to …
google-labs-jules[bot] May 19, 2026
5c1cebb
fix: improve IP detection in provision.sh to avoid docker bridges
google-labs-jules[bot] May 19, 2026
4866505
fix: address PR review feedback on provision.sh, cors.php, and sanctu…
google-labs-jules[bot] May 19, 2026
5236c42
Potential fix for pull request finding
Felkng May 19, 2026
66bf876
fix: enforce ipv4 and set session domain dynamically
google-labs-jules[bot] May 19, 2026
0c8a9cd
fix(auth): resolve mixed content and CSRF issues for tunnels
Felkng May 19, 2026
2f880f2
fix(auth): enforce relative paths and proxy usage to resolve Mixed Co…
Felkng May 19, 2026
0c7c95d
fix(provision): ensure correct cookie and proxy settings for public d…
Felkng May 19, 2026
89c39ab
fix(api): use relative paths and fix auth token keys
Felkng May 19, 2026
6cbe76e
fix: handle allowedHosts dynamically and revert destructive frontend …
google-labs-jules[bot] May 19, 2026
7d1e0ef
chore(config): automate Vite allowedHosts in provision script
Felkng May 19, 2026
fc8e0a6
fix(api): restore working relative paths and session security
Felkng May 19, 2026
5efbdcf
chore(config): clean up allowedHosts in vite.config.ts
Felkng May 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion back/src/app/Http/Middleware/TrustProxies.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ class TrustProxies extends Middleware
*
* @var array<int, string>|string|null
*/
protected $proxies;
protected $proxies = '*';

/**
* The headers that should be used to detect proxies.
Expand Down
2 changes: 1 addition & 1 deletion back/src/config/cors.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@

'allowed_methods' => ['*'],

'allowed_origins' => [env('FRONTEND_URL', 'http://localhost:5173')],
'allowed_origins' => explode(',', env('FRONTEND_URL', 'http://localhost:5173')),

'allowed_origins_patterns' => [],

Expand Down
4 changes: 2 additions & 2 deletions back/src/config/session.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,7 @@
|
*/

'domain' => env('SESSION_DOMAIN', 'localhost'),
'domain' => env('SESSION_DOMAIN') === '' ? null : env('SESSION_DOMAIN', 'localhost'),

/*
|--------------------------------------------------------------------------
Expand All @@ -168,7 +168,7 @@
|
*/

'secure' => env('SESSION_SECURE_COOKIE'),
'secure' => env('SESSION_SECURE_COOKIE', false),

/*
|--------------------------------------------------------------------------
Expand Down
4 changes: 2 additions & 2 deletions front/src/components/Header.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,11 +86,11 @@ export default function Header() {

async function handleLogout() {
try {
await axios.get(`${import.meta.env.VITE_API_URL}/sanctum/csrf-cookie`, {
await axios.get(`/sanctum/csrf-cookie`, {
withCredentials: true,
});
await axios.post(
`${import.meta.env.VITE_API_URL}/logout`,
`/logout`,
{},
{
headers: {
Expand Down
4 changes: 2 additions & 2 deletions front/src/context/UserContext.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,13 +17,13 @@ export function UserProvider({ children }: { children: React.ReactNode }) {
const token = localStorage.getItem("auth_token");
if (token) {
Promise.all([
axios.get(`${import.meta.env.VITE_API_URL}/api/user`, {
axios.get(`/api/user`, {
headers: {
Authorization: `Bearer ${token}`,
Accept: "application/json"
}
}),
axios.get(`${import.meta.env.VITE_API_URL}/api/user/roles`, {
axios.get(`/api/user/roles`, {
headers: {
Authorization: `Bearer ${token}`,
Accept: "application/json"
Expand Down
2 changes: 1 addition & 1 deletion front/src/main.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ import RealtimeNotifications from "./components/RealtimeNotifications.tsx";
import axios from "axios";

// Configure axios defaults for the app: base URL and send credentials (for Sanctum)
const API_URL = import.meta.env?.VITE_API_URL || "http://localhost:8000";
const API_URL = import.meta.env?.VITE_API_URL || "";
axios.defaults.baseURL = API_URL;
axios.defaults.withCredentials = true;

Expand Down
4 changes: 2 additions & 2 deletions front/src/pages/login/Login.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,13 +47,13 @@ export default function Login() {
localStorage.setItem("auth_token", token);

const [userRes, rolesRes] = await Promise.all([
axios.get(`${import.meta.env.VITE_API_URL}/api/user`, {
axios.get(`/api/user`, {
headers: {
Authorization: `Bearer ${token}`,
Accept: "application/json",
},
}),
axios.get(`${import.meta.env.VITE_API_URL}/api/user/roles`, {
axios.get(`/api/user/roles`, {
headers: {
Authorization: `Bearer ${token}`,
Accept: "application/json",
Expand Down
3 changes: 1 addition & 2 deletions front/src/pages/perfil/ProfileView.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,10 +109,9 @@ function ProfileHeader({ user, setUser, setNotification }: ProfileHeaderProps) {
const userInitial = displayName.charAt(0).toUpperCase();

async function onSave() {
const token = localStorage.getItem("auth_token") || "";
try {
setSaving(true);
const data = await updateName(name, token);
const data = await updateName(name);
setUser({ ...user, name: data.name });
setEditing(false);
setNotification({ type: "success", message: "Nome atualizado com sucesso." });
Expand Down
2 changes: 1 addition & 1 deletion front/src/services/ActivitiesService.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ import { fakePageActivities } from "../mocks";
import axios from "axios";
import Cookies from "js-cookie";

const API_URL = import.meta.env.VITE_API_URL;
const API_URL = "";

function getHeaders() {
return {
Expand Down
4 changes: 2 additions & 2 deletions front/src/services/ChangePasswordService.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,11 @@ export async function changePassword({
newPasswordConfirmation
}: ChangePasswordRequest): Promise<void> {

await axios.get(`${import.meta.env.VITE_API_URL}/sanctum/csrf-cookie`, {
await axios.get(`/sanctum/csrf-cookie`, {
withCredentials: true
});

await axios.post(`${import.meta.env.VITE_API_URL}/api/user/change-password`, {
await axios.post(`/api/user/change-password`, {
current_password: currentPassword,
new_password: newPassword,
new_password_confirmation: newPasswordConfirmation
Expand Down
24 changes: 12 additions & 12 deletions front/src/services/ClassesService.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ import type {
AddStudentToClassDTO,
} from "@/types/classes";

const API_URL = import.meta.env.VITE_API_URL || "http://localhost:8000/api";
const API_URL = import.meta.env?.VITE_API_URL || "";

const api = axios.create({
baseURL: API_URL,
Expand Down Expand Up @@ -39,7 +39,7 @@ function handleAuthError(error: unknown) {

// Interceptor para adicionar token se necessário
api.interceptors.request.use((config) => {
const token = localStorage.getItem("token");
const token = localStorage.getItem("auth_token");
if (token) {
config.headers.Authorization = `Bearer ${token}`;
}
Expand All @@ -49,7 +49,7 @@ api.interceptors.request.use((config) => {
export const ClassesService = {
// Listar todas as turmas
getAllClasses: async (): Promise<Class[]> => {
const response = await api.get("api/turmas", {
const response = await api.get("/api/turmas", {
headers:getAuthHeaders(),
withCredentials:true
});
Expand All @@ -58,7 +58,7 @@ export const ClassesService = {

// Buscar turma por ID
getClassById: async (id: number): Promise<Class> => {
const response = await api.get(`api/turmas/${id}`, {
const response = await api.get(`/api/turmas/${id}`, {
headers:getAuthHeaders(),
withCredentials:true
});
Expand All @@ -67,7 +67,7 @@ export const ClassesService = {

// Criar nova turma
createClass: async (data: CreateClassDTO): Promise<Class> => {
const response = await api.post("api/turmas", data, {
const response = await api.post("/api/turmas", data, {
headers:getAuthHeaders(),
withCredentials:true
});
Expand All @@ -76,7 +76,7 @@ export const ClassesService = {

// Atualizar turma
updateClass: async (id: number, data: UpdateClassDTO): Promise<Class> => {
const response = await api.put(`api/turmas/${id}`, data, {
const response = await api.put(`/api/turmas/${id}`, data, {
headers:getAuthHeaders(),
withCredentials:true
});
Expand All @@ -85,15 +85,15 @@ export const ClassesService = {

// Deletar turma
deleteClass: async (id: number): Promise<void> => {
await api.delete(`api/turmas/${id}`, {
await api.delete(`/api/turmas/${id}`, {
headers:getAuthHeaders(),
withCredentials:true
});
},

// Buscar turmas de um professor
getClassesByTeacher: async (): Promise<Class[]> => {
const response = await api.get(`api/turmas`, {
const response = await api.get(`/api/turmas`, {
headers:getAuthHeaders(),
withCredentials:true
});
Expand All @@ -102,7 +102,7 @@ export const ClassesService = {

// Buscar turmas de um aluno
getClassesByStudent: async (): Promise<Class[]> => {
const response = await api.get(`api/turmas`, {
const response = await api.get(`/api/turmas`, {
headers:getAuthHeaders(),
withCredentials:true
});
Expand All @@ -112,7 +112,7 @@ export const ClassesService = {
// Buscar alunos de uma turma
getClassStudents: async (id: number): Promise<ClassStudent[]> => {
try {
const response = await api.get(`api/turmas/${id}`, {
const response = await api.get(`/api/turmas/${id}`, {
headers: getAuthHeaders(),
withCredentials: true
});
Expand All @@ -139,7 +139,7 @@ export const ClassesService = {
// Adicionar aluno a uma turma
addStudentToClass: async (classId: number, data: AddStudentToClassDTO): Promise<void> => {
try {
await api.post(`api/turmas/${classId}/vincular-aluno/${data.studentId}`, {}, {
await api.post(`/api/turmas/${classId}/vincular-aluno/${data.studentId}`, {}, {
headers: getAuthHeaders(),
withCredentials: true
});
Expand All @@ -152,7 +152,7 @@ export const ClassesService = {
// Remover aluno de uma turma
removeStudentFromClass: async (classId: number, studentId: number): Promise<void> => {
try {
await api.delete(`api/turmas/${classId}/desvincular-aluno/${studentId}`, {
await api.delete(`/api/turmas/${classId}/desvincular-aluno/${studentId}`, {
headers: getAuthHeaders(),
withCredentials: true
});
Expand Down
2 changes: 1 addition & 1 deletion front/src/services/CoursesService.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ function handleAuthError(error: unknown) {
*/
export async function getAllCourses(): Promise<Curso[]> {
try {
const response = await axios.get(`${import.meta.env.VITE_API_URL}/api/cursos`, {
const response = await axios.get(`/api/cursos`, {
headers: getAuthHeaders(),
withCredentials: true,
});
Expand Down
8 changes: 4 additions & 4 deletions front/src/services/ForgotPasswordService.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,11 @@ import axios from "axios";
import Cookies from "js-cookie";

export async function sendForgotPasswordEmail(email: string): Promise<void> {
await axios.get(`${import.meta.env.VITE_API_URL}/sanctum/csrf-cookie`, {
await axios.get(`/sanctum/csrf-cookie`, {
withCredentials: true
});

await axios.post(`${import.meta.env.VITE_API_URL}/api/forgot-password-temp`, {
await axios.post(`/api/forgot-password-temp`, {
email
}, {
withCredentials: true,
Expand All @@ -24,11 +24,11 @@ export async function resetPassword(data: {
password: string;
password_confirmation: string;
}): Promise<void> {
await axios.get(`${import.meta.env.VITE_API_URL}/sanctum/csrf-cookie`, {
await axios.get(`/sanctum/csrf-cookie`, {
withCredentials: true
});

await axios.post(`${import.meta.env.VITE_API_URL}/reset-password`, data, {
await axios.post(`/reset-password`, data, {
withCredentials: true,
headers: {
'Content-Type': 'application/json',
Expand Down
16 changes: 8 additions & 8 deletions front/src/services/JamSessionService.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ import axios from "axios";
import Cookies from "js-cookie";
import type { JamSession, CreateJamSessionDTO, JamParticipant } from "@/types/jam";

const API_URL = import.meta.env.VITE_API_URL || "http://localhost:8000/api";
const API_URL = import.meta.env?.VITE_API_URL || "";
const WS_URL = import.meta.env.VITE_WS_URL || "ws://localhost:3002";

const api = axios.create({
Expand All @@ -24,55 +24,55 @@ function getAuthHeaders() {

export const JamSessionService = {
getByTurma: async (turmaId: number): Promise<JamSession[]> => {
const response = await api.get(`api/jam-sessions?turma_id=${turmaId}`, {
const response = await api.get(`/api/jam-sessions?turma_id=${turmaId}`, {
headers: getAuthHeaders(),
withCredentials: true,
});
return response.data;
},

getById: async (id: number): Promise<JamSession> => {
const response = await api.get(`api/jam-sessions/${id}`, {
const response = await api.get(`/api/jam-sessions/${id}`, {
headers: getAuthHeaders(),
withCredentials: true,
});
return response.data;
},

create: async (data: CreateJamSessionDTO): Promise<JamSession> => {
const response = await api.post("api/jam-sessions", data, {
const response = await api.post("/api/jam-sessions", data, {
headers: getAuthHeaders(),
withCredentials: true,
});
return response.data;
},

start: async (id: number): Promise<JamSession> => {
const response = await api.post(`api/jam-sessions/${id}/start`, {}, {
const response = await api.post(`/api/jam-sessions/${id}/start`, {}, {
headers: getAuthHeaders(),
withCredentials: true,
});
return response.data;
},

finish: async (id: number): Promise<JamSession> => {
const response = await api.post(`api/jam-sessions/${id}/finish`, {}, {
const response = await api.post(`/api/jam-sessions/${id}/finish`, {}, {
headers: getAuthHeaders(),
withCredentials: true,
});
return response.data;
},

join: async (id: number): Promise<JamParticipant> => {
const response = await api.post(`api/jam-sessions/${id}/join`, {}, {
const response = await api.post(`/api/jam-sessions/${id}/join`, {}, {
headers: getAuthHeaders(),
withCredentials: true,
});
return response.data;
},

getActiveForTurma: async (turmaId: number): Promise<JamSession | null> => {
const response = await api.get(`api/turmas/${turmaId}/jam-session/active`, {
const response = await api.get(`/api/turmas/${turmaId}/jam-session/active`, {
headers: getAuthHeaders(),
withCredentials: true,
});
Expand Down
4 changes: 2 additions & 2 deletions front/src/services/LoginService.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,12 @@ import Cookies from "js-cookie";

export async function login({ email, password }: LoginRequest): Promise<string>{

await axios.get(`${import.meta.env.VITE_API_URL}/sanctum/csrf-cookie`, {
await axios.get(`/sanctum/csrf-cookie`, {
withCredentials: true
});


const res = await axios.post(`${import.meta.env.VITE_API_URL}/login`, {
const res = await axios.post(`/login`, {
email,
password
}, {
Expand Down
Loading
Loading