From dc723855df404a0c3e5ba29db5ffe97306056db3 Mon Sep 17 00:00:00 2001
From: BT
Date: Mon, 4 May 2026 00:15:37 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20**Nostr=20Login:**=20Improved=20CSR?=
 =?UTF-8?q?F=20token=20handling=20during=20login=20flow.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 🛡️ Avoided redundant `Session::regenerate` call as `Auth::loginUsingId` already updates the session ID.
- 🚀 Replaced `wire:navigate` with a full-page redirect to ensure a fresh CSRF token for Livewire actions.
---
 resources/views/livewire/auth/login.blade.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/resources/views/livewire/auth/login.blade.php b/resources/views/livewire/auth/login.blade.php
index 0c3aece..2a58829 100644
--- a/resources/views/livewire/auth/login.blade.php
+++ b/resources/views/livewire/auth/login.blade.php
@@ -137,13 +137,19 @@ class extends Component {
 ]);
 }
 FetchNostrProfileJob::dispatch($user);
+ // Auth::loginUsingId() already regenerates the session id (see
+ // SessionGuard::updateSession), so an explicit Session::regenerate()
+ // would just rotate the CSRF token a second time. We also avoid
+ // wire:navigate here: it preserves the tag
+ // from the previous page, so any subsequent Livewire action on the
+ // destination would 419 (TokenMismatch). A full-page redirect gives
+ // the browser a fresh document with a fresh token.
 Auth::loginUsingId($user->id);
- Session::regenerate();
+
 $this->redirectIntended(
 default: route('dashboard', ['country' => str(session('lang_country', config('app.domain_country')))->after('-')->lower()], absolute: false),
- navigate: true,
 );
 return;