We Keep Coding

Laravel CSRF protection exception now working

My Laravel project is in this link
http://localhost/demo/public // laravel project
and I have this external HTML form
http://localhost/attendance
Now I want to send data from the form to Laravel
but I got this error
419
Page Expired
so in my laravel project VerifyCsrfToken Class I wrote this
class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'http://localhost/attendance'
];
}
but still, got the same error
419 Page Expired

Laravel resolve for you the baseUrl of your application, there is no need to put the full path, in your case the Middleware should be like below:
class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'attendance/*'
];
}

One solution would be to send the data as a GET request instead of a POST one.
Once you put your work online, you would face cross-site protection on the browser.
The URI to be excluded is the one receiving the request so http://localhost/demo/public

Instamojo Payment Integration - Webhook Issue

The response from the instamojo api is successfully extracted but the issue is that, the webhook service is not working. In this I've provided a webhook url in request and i want to exclude the CSRF verification, for that I've included Except array with 'instamojo/*' in middleware but still no use.
class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'instamojo/*',
];
}
The current Route
Route::post('webhook','HomeController#webhook');

It can be solved by adding the posting route name in middleware's Except section.
Here I added webhook/* in my middleware.
Route
Route::post('webhook','HomeController#webhook');
Middleware
class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'webhook/*',
];
}
It work's fine.Thank you.

How to handle post request in Laravel app from another app?

I expect in Laravel 5.2 app post request from other system, when I handle it I receive:
TokenMismatchException in VerifyCsrfToken.php line 67:
Normally when I send post form I add in code {{ csrf_field() }}, but in this case request is from different app. So how to handle it without error?

You can add the URIs that should be excluded from verification to the $except property in the VerifyCsrfToken middleware.
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'api/*',
];
}
Documentation

You can exclude URI, to which reuqest from another application is send, from CSRF protection. This is described in doc here

How to handle oauth2 and csrf token laravel

I installed Laravel 5.2 and oAuth2 Server Laravel
in my project. I have to use same function for web-site and web-api. For web-site my function is working properly but when I use same function for web-api shown error TokenMismatchException in VerifyCsrfToken.php line 67:.
My Route
/* for web*/
Route::post('admin/user_login', 'Auth\AuthController#authenticate');
/* for mobile api */
Route::group(['prefix'=>'api/','before' => 'oauth'], function()
{
Route::post('/user/login', 'Auth\AuthController#authenticate');
});
When I use this controller for web, this code working fine but when I call API that time shown error. How I can handle this? I have to use oAuth route and web route parallel. Thanks in advance.

you have to disable csrfToken verification for routes starting with api to do that edit your app/Http/Middleware/VerifyCsrfToken.php file and add api/* in the $except array the sample file from laravel app repo is as below
https://github.com/laravel/laravel/blob/5.2/app/Http/Middleware/VerifyCsrfToken.php
just make it something like
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'api/*'
];
}
also you have to remove oauth middleware from authenticate route, because during authentication the token is not available so route goes something like below
Route::group(['prefix'=>'api/'], function()
{
Route::post('/user/login', 'Auth\AuthController#authenticate');
Route::group(['middleware' => 'oauth'], function() {
// routes which needs oauth token verification.
})
});

How to have csrf token from mobile in Laravel Application

I am building a cordova application,
In the Login Authentication
From Web, I am sending the _token , email & password.
But From Mobile, I can't generate _token as it is basically a .html file.
I planned to do a request in the form document.ready to a controller which will generate _csrf token. So that i can use that token for that request.
But it can be watched from browser's Network Tab.
How can set the csrf _token to the form without others knowledge (safe way).
Or How it can be deal without any vulnerabilities

to disable csrf token for a specific url follow this.
First go to app/Http/Middleware/VerifyCsrfToken.php then use your url to avoid csrf token
protected $except = [
'my/url',
];

You can disable CSRF token checking in your laravel application for all routes. just open app/Http/Middleware/VerifyCsrfToken.php file and add '*' in $except array
Eg.
protected $except = [
'*'
];
my VerifyCsrfToken.php file
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'*'
];
}