From 6c59922e96ee79b406424b84bbae1d322b3003cc Mon Sep 17 00:00:00 2001
From: Thorsten Bus <thorsten@buss-labs.de>
Date: Mon, 2 Mar 2026 13:25:29 +0100
Subject: [PATCH] fix(auth): add Sanctum stateful middleware so SPA API routes
 work with session cookies

- Add EnsureFrontendRequestsAreStateful to api middleware stack
- Create config/sanctum.php with cts-work.test as stateful domain
- Fixes 'Unauthenticated' error on SongDB and other API-backed pages
---
 bootstrap/app.php  | 4 ++++
 config/sanctum.php | 5 +++++
 2 files changed, 9 insertions(+)
 create mode 100644 config/sanctum.php

diff --git a/bootstrap/app.php b/bootstrap/app.php
index 21c82ae..f470853 100644
--- a/bootstrap/app.php
+++ b/bootstrap/app.php
@@ -19,6 +19,10 @@
         $schedule->command('cts:sync')->hourly();
     })
     ->withMiddleware(function (Middleware $middleware): void {
+        $middleware->api(prepend: [
+            \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
+        ]);
+
         $middleware->web(append: [
             \App\Http\Middleware\HandleInertiaRequests::class,
             \Illuminate\Http\Middleware\AddLinkHeadersForPreloadedAssets::class,
diff --git a/config/sanctum.php b/config/sanctum.php
new file mode 100644
index 0000000..ce71635
--- /dev/null
+++ b/config/sanctum.php
@@ -0,0 +1,5 @@
+<?php
+
+return [
+    'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost,localhost:8000,127.0.0.1,127.0.0.1:8000,::1,cts-work.test')),
+];