Laravel issue (419 Page Expired) when using Bref; no issue when deploying to a droplet, etc.

[nexxai]

Description:

I am trying to convert my site from running on a single droplet to a serverless format; I believe I've got most of it done, but Laravel seems to be rejecting my CSRF token and I can't seem to figure out why. I don't necessarily believe this is a problem with bref, but rather trying to understand what is different between bref and not that might help me narrow down the problem, and not sure where else bref community members congregate.

Everything else about bref works great; I feel like this is the last major stumbling block before I can fully migrate to a fully serverless platform.

Things I've checked:

• It can't be anything database connection or permission related, since the migrations run normally
• The site key is set in the APP_KEY environment variable that's being pulled down from the Parameter Store (I've currently got it set to a datatype of "String", just in case "SecureString" has some extra decryption step necessary to read and use it)
• I've confirmed that it is posting back to the correct CloudFront URL (I have not set up any custom domains yet)
• The BrefServiceProvider automatically sets the trustedproxy values to 0.0.0.0/0 and 2000::0/3
• It also checks if the session driver is file, and if so, automatically change the config to use the cookie driver, which should be fine
• I have confirmed that the VerifyCsrfToken middleware is being applied in the $middlewareGroups section of the app/Http/Kernel.php file
• I do not have a custom domain set up at this time
• I am not setting a SESSION_PATH
• I have ensured that the configuration cache is being cleared before each deployment

How to reproduce:

1. Deploy the serverless.yml shown below
2. Attempt to perform any action requiring a form with CSRF protection

serverless.yml:

service: my-real-site-name-goes-here

provider:
  name: aws
  # The AWS region in which to deploy (us-east-1 is the default)
  region: us-east-1
  # Environment variables
  environment:    
    APP_DEBUG: bref-ssm:/my-real-site-name-goes-here-prod/APP_DEBUG
    APP_ENV: production # Or use ${sls:stage} if you want the environment to match the stage
    APP_KEY: bref-ssm:/my-real-site-name-goes-here-prod/APP_KEY
    APP_NAME: bref-ssm:/my-real-site-name-goes-here-prod/APP_NAME
    APP_URL: bref-ssm:/my-real-site-name-goes-here-prod/APP_URL
    AWS_BUCKET: bref-ssm:/my-real-site-name-goes-here-prod/AWS_BUCKET
    AWS_URL: bref-ssm:/my-real-site-name-goes-here-prod/AWS_URL
    AWS_USE_PATH_STYLE_ENDPOINT: bref-ssm:/my-real-site-name-goes-here-prod/AWS_USE_PATH_STYLE_ENDPOINT
    BROADCAST_DRIVER: bref-ssm:/my-real-site-name-goes-here-prod/BROADCAST_DRIVER
    CACHE_DRIVER: bref-ssm:/my-real-site-name-goes-here-prod/CACHE_DRIVER
    CASHIER_CURRENCY: bref-ssm:/my-real-site-name-goes-here-prod/CASHIER_CURRENCY
    DB_CONNECTION: bref-ssm:/my-real-site-name-goes-here-prod/DB_CONNECTION
    DB_DATABASE: bref-ssm:/my-real-site-name-goes-here-prod/DB_DATABASE
    DB_HOST: bref-ssm:/my-real-site-name-goes-here-prod/DB_HOST
    DB_PASSWORD: bref-ssm:/my-real-site-name-goes-here-prod/DB_PASSWORD
    DB_PORT: bref-ssm:/my-real-site-name-goes-here-prod/DB_PORT
    DB_USERNAME: bref-ssm:/my-real-site-name-goes-here-prod/DB_USERNAME
    DEMO_MODE_ENABLED: bref-ssm:/my-real-site-name-goes-here-prod/DEMO_MODE_ENABLED
    DYNAMODB_CACHE_TABLE: !Ref CacheTable
    FILESYSTEM_DISK: bref-ssm:/my-real-site-name-goes-here-prod/FILESYSTEM_DISK
    LOG_CHANNEL: bref-ssm:/my-real-site-name-goes-here-prod/LOG_CHANNEL
    LOG_DEPRECATIONS_CHANNEL: bref-ssm:/my-real-site-name-goes-here-prod/LOG_DEPRECATIONS_CHANNEL
    LOG_LEVEL: bref-ssm:/my-real-site-name-goes-here-prod/LOG_LEVEL
    MAIL_FROM_ADDRESS: bref-ssm:/my-real-site-name-goes-here-prod/MAIL_FROM_ADDRESS
    MAIL_FROM_NAME: bref-ssm:/my-real-site-name-goes-here-prod/MAIL_FROM_NAME
    MAIL_MAILER: bref-ssm:/my-real-site-name-goes-here-prod/MAIL_MAILER
    MYSQL_ATTR_SSL_CA: bref-ssm:/my-real-site-name-goes-here-prod/MYSQL_ATTR_SSL_CA
    QUEUE_CONNECTION: sqs
    RAPIDAPI_FOOTBALL_HOST: bref-ssm:/my-real-site-name-goes-here-prod/RAPIDAPI_FOOTBALL_HOST
    RAPIDAPI_NHL_MLB_HOST: bref-ssm:/my-real-site-name-goes-here-prod/RAPIDAPI_NHL_MLB_HOST
    SQS_QUEUE: ${construct:jobs.queueUrl}

  iam:
    role:
      statements:
        - Effect: Allow
          Resource: !GetAtt CacheTable.Arn
          Action:
            - dynamodb:DescribeTable
            - dynamodb:Query
            - dynamodb:Scan
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:UpdateItem
            - dynamodb:DeleteItem
        - Effect: Allow
          Action: ssm:GetParameters
          Resource: "arn:aws:ssm:${aws:region}:${aws:accountId}:parameter/*"
        - Effect: Allow
          Action: s3:*
          Resource:
            - !Sub "${Storage.Arn}" # the storage bucket
            - !Sub "${Storage.Arn}/*" # and everything inside

package:
  # Files and directories to exclude from deployment
  patterns:
    - "!node_modules/**"
    - "!public/storage"
    - "!resources/assets/**"
    - "!storage/**"
    - "!tests/**"

functions:
  # This function runs the Laravel website/API
  web:
    handler: public/index.php
    runtime: php-81-fpm
    timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
    events:
      - httpApi: "*"

  # This function lets us run artisan commands in Lambda
  artisan:
    handler: artisan
    runtime: php-81-console
    timeout: 720 # in seconds
    events:
      - schedule:
          rate: rate(1 minute)
          input: '"schedule:run"'

plugins:
  # We need to include the Bref plugin
  - ./vendor/bref/bref
  - serverless-lift

constructs:
  website:
    type: server-side-website
    assets:
      "/build/*": public/build
      "/fonts/*": public/fonts
      "/images/*": public/images
      "/vendor/*": public/vendor
      "/favicon.ico": public/favicon.ico
      "/robots.txt": public/robots.txt
      "/android-chrome-192x192.png": public/android-chrome-192x192.png
      "/android-chrome-512x512.png": public/android-chrome-512x512.png
      "/apple-touch-icon.png": public/apple-touch-icon.png
      "/browserconfig.xml": public/browserconfig.xml
      "/favicon-16x16.png": public/favicon-16x16.png
      "/favicon-32x32.png": public/favicon-32x32.png
      "/mstile-150x150.png": public/mstile-150x150.png
      "/safari-pinned-tab.svg": public/safari-pinned-tab.svg
      "/site.webmanifest": public/site.webmanifest
  jobs:
    type: queue
    worker:
      handler: Bref\LaravelBridge\Queue\QueueHandler
      runtime: php-81
      timeout: 60 # seconds

resources:
  Resources:
    Storage:
      Type: AWS::S3::Bucket
    CacheTable:
      Type: AWS::DynamoDB::Table
      Properties:
        AttributeDefinitions: # only keys are defined here, other attributes are dynamic
          - AttributeName: id # adds a mandatory id field
            AttributeType: S # the type of id is a string
        BillingMode: PAY_PER_REQUEST # billed for each request instead of paying for a constant capacity
        TimeToLiveSpecification: # deletes cache keys automatically based on a ttl field which contains a timestamp
          AttributeName: ttl
          Enabled: true
        KeySchema:
          - AttributeName: id
            KeyType: HASH # the type of key, HASH means partition key (similar to primary keys in SQL)

[mnapoli]

Hi, welcome!

The main culprit would be either the domain name, or the session storage. Could you double-check in your browser that a session cookie is set? When you refresh the page is it changing?

[nexxai]

So I was working on this last night with someone and managed to figure it out.

When I wasn't setting any SESSION_DRIVER, even though the Laravel docs say that it defaults to using file (which Bref should then convert to cookie), it didn't seem like it was working. No cookie was being set, etc.

I finally decided to try hardcoding the SESSION_DRIVER to cookie and all was resolved. Maybe the docs could be a little more explicit about how in this case "no driver != file driver"?

Either way, once I hardcoded that, I was able to login and the CSRF / 419 Page Expired issues were gone.

Thanks for everything you guys to for the community!

[mnapoli]

Ohh that's weird indeed! It should automatically work: https://github.com/brefphp/laravel-bridge/blob/master/src/BrefServiceProvider.php#L135-L137

But maybe something changed in Laravel and it broke? 🤔 I'm going to keep that in mind if anyone else reports that, thank you!