So I have an application that sends an AJAX request to an external server which does some stuff then makes a post call to the laravel application that made the initial call.
So I am trying to do a POST call to the laravel application. Now from the AJAX request i am sending the csrf_token()
Here are the headers I've put into my post request:
X-CSRF-TOKEN: LO8Dg7j1jZssXXGSLIa8inBgh2Y1QSsp6Birc1Ui
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
That token belongs to the logged in user that made the AJAX request. Now the problem i'm getting is from this i get a TokenMismatchException500 error.
Is there something else I need to do in my external post calls headers in order to not encounter this error?
As i've got the CSRF token i am using a rest client to try send a test post using those headers and I get the same error?
The aim is on the recieving laravel app controller will then be able to use the token and i'll be able to use $request->user(); to get the user.
Note the recieving route has the web middleware attached to it.
Since you are making request from another server external url.Because of this you are getting erorr.Csrf token works with the same application not working if you try to exicute from other application. so you can disable csrf token.
if you want to disable token for all request then add this in VerifyCsrfToken
protected $except = [
'/*',
];
Excluding URIs From CSRF Protection
Sometimes you may wish to exclude a set of URIs from CSRF protection. For example, if you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your Stripe webhook handler route from CSRF protection since Stripe will not know what CSRF token to send to your routes.
Typically, you should place these kinds of routes outside of the web middleware group that the RouteServiceProvider applies to all routes in the routes/web.php file. However, you may also exclude the routes by adding their URIs to the $except property of the VerifyCsrfToken middleware:
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'stripe/*',
];
}
Ref:
https://laravel.com/docs/5.5/csrf
Related
I'm trying to implement IPN in my Laravel project, a post request from my website is working thanks to "csrf",
i try to implement it like written here:
https://developer.paypal.com/docs/api-basics/notifications/ipn/ht-ipn/
in my routes/web.php:
Route::post('i', [IController::class, 'y'])->name('i');
and in IController whats written on the side:
public function y()
{
error_log('function y called');
// STEP 1: read POST data
// Reading POSTed data directly from $_POST causes serialization issues with array data in the POST.
// Instead, read raw POST data from the input stream.
$raw_post_data = file_get_contents('php://input');............
The error_log doesn't show up, means the function is never entered.
Question: How can i force Laravel to except POSTS From Paypal?
You can Exclude URIs From CSRF Protection in laravel.
Goto App\Http\Middleware\VerifyCsrfToken and add url which you want to exclude csrf token.
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'i',
];
}
As document says
Sometimes you may wish to exclude a set of URIs from CSRF protection.
For example, if you are using Stripe to process payments and are
utilizing their webhook system, you will need to exclude your Stripe
webhook handler route from CSRF protection since Stripe will not know
what CSRF token to send to your routes.
Typically, you should place these kinds of routes outside of the web
middleware group that the App\Providers\RouteServiceProvider applies
to all routes in the routes/web.php file. However, you may also
exclude the routes by adding their URIs to the $except property of the
VerifyCsrfToken middleware:
Ref:https://laravel.com/docs/8.x/csrf#csrf-excluding-uris
I want to implement socket with Echo in laravel. I have an API beside my main laravel project. In my laravel project all events are triggered and sockets working correctly. But in API it doesn't work and it returns 419 error. Client can not be authenticated, got HTTP status 419. I figured out that it needs CSRF token however in API we don't have it. By the way when I comment \App\Http\Middleware\VerifyCsrfToken::class in App\Http\Kernel.php it works!
How can I add it to an exception that if an user sending request to API not to verify its CSRF token?
Btw, you can put URIs that you want to make as exception inside this file app/Http/Middleware/VerifyCsrfToken.php at following line:
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
//
];
Those URIs under $except property will be ignore
I am trying to create a RESTful API by using Laravel. I have created my controller using php artisan make:controller RestController and this is my controller code:
<?php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
class RestController extends Controller
{
private $arr = array(
array("name"=>"jon", "family"=>"doe"),
array("name"=>"jhon", "family" => "doue")
);
public function index(){
return json_encode($this->arr);
}
public function store(Request $request){
return "oops!!";
}
public function update (Request $request, $id){
return "test";
}
}
I have added this line of code to create this route in my routes/web.php file:
Route::resource('person', 'RestController');
When I try to test this api on GET /person it works fine but on POST and PUT I am getting a 419 status code from Laravel.
If you are developing REST APIs, you better not add tokens. If you are using 5.4 or 5.5 you can use api.php instead of web.php. In api.php you don't need token verification on post requests.
If you are using web.php, then you can exclude routes that you don't want to validate with CSRF Tokens.
Here is the official documentation:
Excluding URIs From CSRF Protection
Sometimes you may wish to exclude a set of URIs from CSRF protection. For example, if you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your Stripe webhook handler route from CSRF protection since Stripe will not know what CSRF token to send to your routes.
Typically, you should place these kinds of routes outside of the web middleware group that the RouteServiceProvider applies to all routes in the routes/web.php file. However, you may also exclude the routes by adding their URIs to the $except property of the VerifyCsrfToken middleware:
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'stripe/*',
'http://example.com/foo/bar',
'http://example.com/foo/*',
];
}
For reference https://laravel.com/docs/5.5/csrf
As per my Knowledge there are two methods to solve this
Method 1: Add CsrF Token
Method 2: Exclude URIs from CSRF protection
How to use
Method 1: Add one more variable to your POST request
_token: "{{ csrf_token() }}"
Example for Ajax
req = $.ajax({
type: "POST",
url: "/search",
data: {
"key": "value",
_token: "{{ csrf_token() }}",
},
dataType: "text",
success: function(msg) {
// ...
}
});
Example if you using forms
<input type="hidden" name="_token" id="token" value="{{ csrf_token() }}">
Method 2: There is a file named VerifyCsrfToken in following location
yourProjectDirectory/app/Http/Middleware
Add your URL in following method
protected $except = [
'url1/',
'url2/',
];
When To use
If you are the owner(full control) of API, use Method 1, as CSRF Token adds security to your application.
If you are unable to add CSRF Token like in case if you are using any third party API's, webhooks etc., then go for Method 2.
This can solve by excluding csrf protection of specific route you want to.
Inside your middleware folder, edit the file called VerifyCsrfToken.php
protected $except = [
'http://127.0.0.1:8000/person/'
];
I solved this problem by changing my server cache setting.
You can disable all of your caching systems (Nginx, Cloudflare, ...) to check it and then
turn it on by applying QueryString + Cookie to prevent caching a page with old csrf token in it.
I had the same issue when did POST requests to a Laravel API.
I solved the issue sending Accept: application/json in the headers request.
My app is using React on the front end and Laravel 5.4 on the backend. I'm using fetch() to request data from the backend. The problem is that two sessions are created when the page loads. A TokenMismatchException is thrown by the CSRF Middleware when a POST request is made because the token that is sent matches the first session that is created, but it checks against the second.
I'm setting the token in app.blade.php
<meta name="_token" content="{{ csrf_token() }}">
And grabbing the token in the fetch config
fetchConfig = {
headers: {
'Content-Type': 'application/json',
'Accept': 'application/json',
'X-CSRF-TOKEN': $('meta[name="_token"]').attr('content')
},
credentials: 'same-origin'
}}
Here are the decrypted sessions:
a:3:{s:6:"_token";s:40:"7obvOzPaqqJDtVdij8RaqrvmTFLjKA2qnvYMxry6";s:9:"_previous";a:1:{s:3:"url";s:24:"http://localhost/page";}s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}}
a:3:{s:6:"_token";s:40:"5Aiws9Qy72YzlkfWX81zkhzrSeiMDYjFWiLeDAwN";s:9:"_previous";a:1:{s:3:"url";s:41:"http://localhost/api/page";}s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}}
Request URL: http://localhost/page
API URL: http://localhost/api/page
How can I prevent a new session from being created when the React app makes its initial GET request?
Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application. : https://laravel.com/docs/5.4/csrf
APIs are stateless. There is nothing like session in APIs. So you shouldn't use CSRF token in API. If you check Kernel.php of laravel. You will see Tylor didn't add VerifyCsrf middleware in API group. Which suggest that CSRF is only used in the request having session i.e, stateful request. I would recommend you to use JWT based authentication system for API. For more about JWT check here.
You can use this laravel package for JWT : https://github.com/tymondesigns/jwt-auth
I'm not sure what is your request URL and what is your target API url. Make sure both are on same domain(including subdomain).
I think its a good idea to disable CSRF validation only for API routes as these might be used by other domains, native apps etc
You can do that by adding following class file: app/Http/Middleware/VerifyCsrfToken.php
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'api/*',
];
}
Make sure to edit Kernal.php to point to the new class:
protected $middleware = [
'csrf' => 'App\Http\Middleware\VerifyCsrfToken'
];
To learn more how Laravel uses CSRF check this laracast video
I use this package = https://github.com/aacotroneo/laravel-saml2
I configured everything in the SP and iDP sections in saml2_settings.php as instructed.
STEPS
I go to : /admin/login
I got redirected and landed on my iDP log-in page immediately, it is a correct behavior.
I log-in with the proper username and password.
After successfully authenticated by my iDP, I got the SAML Response from my iDP like this sample
{
"SAMLResponse": "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6\r\nU0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovL3Rlc3RzZXJ2\r\nZXIuYmVudW5ldHMuY29tL2FkbWluL3NlY3VyZS9kYXNoYm9hcmQiIElEPSJpZC1C\r\nNlBFSnhLNFhGWUg3T1hzbGZLU2trbGt0YmMtIiBJblJlc3BvbnNlVG89Ik9ORUxP\r\nR0lOXzIxNjFiNTA1OTFmNjc1ZmUzZGM0MmZlYzRlZDJkOGU1MWRlZmQ2ZmQiIElz\r\nc3VlSW5zdGFudD0iMjAxNy0wMy0yOFQxOTozMzo1M1oiIFZlcnNpb249IjIuMCI+\r\nPHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1M\r\nOjIuMDphc3NlcnRpb24iIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6\r\nMi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5UZWxlbmV0PC9zYW1sOklzc3Vlcj48\r\nc2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6\r\nbmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1\r\ncz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRj\r\nOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9ImlkLThvWVBULWlwVFZhR2UwSHpwRGdS\r\nSEoyWEp4Zy0iIElzc3VlSW5zdGFudD0iMjAxNy0wMy0yOFQxOTozMzo1M1oiIFZl\r\ncnNpb249IjIuMCI+PHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVz\r\nOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5UZWxlbmV0PC9zYW1s\r\nOklzc3Vlcj48ZHNpZzpTaWduYXR1cmUgeG1sbnM6ZHNpZz0iaHR0cDovL3d3dy53\r\nMy5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzaWc6U2lnbmVkSW5mbz48ZHNpZzpD\r\nYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5v\r\ncmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzaWc6U2lnbmF0dXJlTWV0aG9k\r\nIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3Jz\r\nYS1zaGExIi8+PGRzaWc6UmVmZXJlbmNlIFVSST0iI2lkLThvWVBULWlwVFZhR2Uw\r\nSHpwRGdSSEoyWEp4Zy0iPjxkc2lnOlRyYW5zZm9ybXM+PGRzaWc6VHJhbnNmb3Jt\r\nIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2Vu\r\ndmVsb3BlZC1zaWduYXR1cmUiLz48ZHNpZzpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJo\r\ndHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzaWc6\r\nVHJhbnNmb3Jtcz48ZHNpZzpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8v\r\nd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkc2lnOkRpZ2VzdFZh\r\nbHVlPitTQkNSRjNTenZvMzgxVlJ0dWcvRUJvallCUT08L2RzaWc6RGlnZXN0VmFs\r\ndWU+PC9kc2lnOlJlZmVyZW5jZT48L2RzaWc6U2lnbmVkSW5mbz48ZHNpZzpTaWdu\r\nYXR1cmVWYWx1ZT5SaWt5czdsQWNOc250ZlVkZVg0dC9jWjBRelRyRTNGc3RTempx\r\nZDEyaU5sUGpJVkxJVitHTXM1UXQ3U2ZUbXJaMk9oVnF1RUxZUkhuOTY5SHArZFhU\r\ndlYwaEQ5ZHQ5a3NSVE9wbTdnSkN5bzF2MlVhckpMSzdGRCtPZ1N3Y3kwNW9VSWhp\r\nNFV1ajRweGFoMzlrZzZlZUpTZHhtMHNiejBKNUM1bmZRSnhyYWMvOVBDVVJjQkpC\r\nSVJCOExTeGlJemdFTS9VQWkwaEIwdmdTZ0pqRzlSb05Wd2V1S0J6MWlGM0I0NzU2\r\ndXVjVmtOL1dvcG4rdWVwMVlDaEFlRGs3ZlcyUzR2anlocGJWa05STC81MDRUMVFR\r\nRTFhZ3JQdzdPREFvalhpaUZpaGtTbEZJUGxtMVlNY0k4UXdmOExCUXNHUTI4TTZC\r\ncFBya3ROQ0QwdjhxOVRjSnc9PTwvZHNpZzpTaWduYXR1cmVWYWx1ZT48ZHNpZzpL\r\nZXlJbmZvPjxkc2lnOlg1MDlEYXRhPjxkc2lnOlg1MDlDZXJ0aWZpY2F0ZT5NSUlG\r\nRURDQ0EvaWdBd0lCQWdJU0VTR1BVRnY2bnJkejlNUWhQZFVIb2dHTk1BMEdDU3FH\r\nU0liM0RRRUJDd1VBTUdBeEN6QUpCZ05WQkFZVEFrSkZNUmt3RndZRFZRUUtFeEJI\r\nYkc5aVlXeFRhV2R1SUc1MkxYTmhNVFl3TkFZRFZRUURFeTFIYkc5aVlXeFRhV2R1\r\nSUVSdmJXRnBiaUJXWVd4cFpHRjBhVzl1SUVOQklDMGdVMGhCTWpVMklDMGdSekl3\r\nSGhjTk1UVXdOREE1TVRVek9ETXlXaGNOTVRnd05qSTFNRFkwTWpRNFdqQlBNU0V3\r\nSHdZRFZRUUxFeGhFYjIxaGFXNGdRMjl1ZEhKdmJDQldZV3hwWkdGMFpXUXhLakFv\r\nQmdOVkJBTVRJWGRzYzA5ellrMXVaMlJXYVhBdWRXRjBMbU52Y25BdWRHVnNaVzVs\r\nZEM1aVpUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VC\r\nQU1ESXRxSVRZUmRoY1dvOGZteW8wWlVRd0xmQ3doN2c4QndSQStFT2xuTUFLcXRX\r\nMG4vZ3JCRTRadThrQVZUNVpJUTlBZVU3STJNR0FOeks2MTBqU2ZRbWtHRElTUjF3\r\nWXBDbms2b1hxNWhQcFlHblJmRmtURW84d1VwZ1BXc3ZyTVR0RW9MeEVHdU1lZTYr\r\nd05RVXpsN1BHTEpGdkwvcE9QZ095Y2k3Sjh2U2d4ZVB3RFlURUJEa3RYOWtnRlBZ\r\ncXlVcVBTck94aDcyWmsrUFZjaHlVWDNzTFIrZ2VkcTFWQ2lISWdwQUVLMjNxL05W\r\nZlEwakRTaUhaMmZOc1lZdng3c1RlL0crR0w2djRnamxDNit5ODZ4U3lOZGFteHkv\r\nMmRPbGEyM2lWRDNoQ1d6amM1ZnpKTkc3OVRpUGVteWR1akhUcFg4MXhhUWs5aDFM\r\nUHRibzBzTUNBd0VBQWFPQ0FkTXdnZ0hQTUE0R0ExVWREd0VCL3dRRUF3SUZvREJK\r\nQmdOVkhTQUVRakJBTUQ0R0JtZUJEQUVDQVRBME1ESUdDQ3NHQVFVRkJ3SUJGaVpv\r\nZEhSd2N6b3ZMM2QzZHk1bmJHOWlZV3h6YVdkdUxtTnZiUzl5WlhCdmMybDBiM0o1\r\nTHpBc0JnTlZIUkVFSlRBamdpRjNiSE5QYzJKTmJtZGtWbWx3TG5WaGRDNWpiM0p3\r\nTG5SbGJHVnVaWFF1WW1Vd0NRWURWUjBUQkFJd0FEQWRCZ05WSFNVRUZqQVVCZ2dy\r\nQmdFRkJRY0RBUVlJS3dZQkJRVUhBd0l3UXdZRFZSMGZCRHd3T2pBNG9EYWdOSVl5\r\nYUhSMGNEb3ZMMk55YkM1bmJHOWlZV3h6YVdkdUxtTnZiUzluY3k5bmMyUnZiV0Zw\r\nYm5aaGJITm9ZVEpuTWk1amNtd3dnWlFHQ0NzR0FRVUZCd0VCQklHSE1JR0VNRWNH\r\nQ0NzR0FRVUZCekFDaGp0b2RIUndPaTh2YzJWamRYSmxMbWRzYjJKaGJITnBaMjR1\r\nWTI5dEwyTmhZMlZ5ZEM5bmMyUnZiV0ZwYm5aaGJITm9ZVEpuTW5JeExtTnlkREE1\r\nQmdnckJnRUZCUWN3QVlZdGFIUjBjRG92TDI5amMzQXlMbWRzYjJKaGJITnBaMjR1\r\nWTI5dEwyZHpaRzl0WVdsdWRtRnNjMmhoTW1jeU1CMEdBMVVkRGdRV0JCVG40ckhR\r\nMFF3MzhaTDdWTm1JSjVzWGpFeC85VEFmQmdOVkhTTUVHREFXZ0JUcVRuelVnQzNs\r\nRllHR0pveUNiY0NZcE0rWER6QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFIUHRY\r\nL2EvRXA4MWhWWnF0MWlKN1ArZ0dZaWhRL1pJRjNUMmdkMDlia0lIVjBUemNPQjhW\r\nQTM0ODdTSno4QkNCektkS2Jncng5K25uY2hYMlZrYURaNisySTM0a0ROczF3UDlW\r\nOUVxMlZKQTdudDk0S3ZqWWU2bjlidm5ZL1JPclNOSmxURVRNYkRSRWp1WEErMEp4\r\nczN4SFFQS1RvRUxkZHJROUxjWUw3ZEhEOUNuVHEreEkremlXWVVySWFPN1VHc1p3\r\nZ2tSa1BFZ201cnFyTjBndiswVVFXMEJra21BM1RuR2VDV2dRMVFRUHdKSzU3OVpw\r\nZ2R3VVNBTlZ0LzFpc2RrUzhmbGcrclBOUXljNnBZMUdMbFd5WEI5Y3FrRVpsamt4\r\nM2NUVmVKY01JSmtwRE4yRERpUHg4L1lPZUFwV05aNG9CVTRkc3FwSFVZLzFiUEZq\r\nL2c9PTwvZHNpZzpYNTA5Q2VydGlmaWNhdGU+PC9kc2lnOlg1MDlEYXRhPjwvZHNp\r\nZzpLZXlJbmZvPjwvZHNpZzpTaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpO\r\nYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlk\r\nLWZvcm1hdDp0cmFuc2llbnQiIE5hbWVRdWFsaWZpZXI9IlRlbGVuZXQiIFNQTmFt\r\nZVF1YWxpZmllcj0idGVzdHNlcnZlci5iZW51bmV0cy5jb20iPmlkLUFRT3pzZ0pE\r\nUU1BbG8zdmxvS2NINVRSd1BmMC08L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RD\r\nb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6\r\nY206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3Bv\r\nbnNlVG89Ik9ORUxPR0lOXzIxNjFiNTA1OTFmNjc1ZmUzZGM0MmZlYzRlZDJkOGU1\r\nMWRlZmQ2ZmQiIE5vdE9uT3JBZnRlcj0iMjAxNy0wMy0yOFQxOTo0ODo1M1oiIFJl\r\nY2lwaWVudD0iaHR0cHM6Ly90ZXN0c2VydmVyLmJlbnVuZXRzLmNvbS9hZG1pbi9z\r\nZWN1cmUvZGFzaGJvYXJkIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9z\r\nYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTctMDMt\r\nMjhUMTk6MzM6NTNaIiBOb3RPbk9yQWZ0ZXI9IjIwMTctMDMtMjhUMTk6Mzg6NTNa\r\nIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnRlc3Rz\r\nZXJ2ZXIuYmVudW5ldHMuY29tPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5j\r\nZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVt\r\nZW50IEF1dGhuSW5zdGFudD0iMjAxNy0wMy0yOFQxOTozMzo1M1oiIFNlc3Npb25J\r\nbmRleD0iaWQtWEVRcWVNZFRiRHRaLXNhaFN4ZnNYdVA2MWlJLSIgU2Vzc2lvbk5v\r\ndE9uT3JBZnRlcj0iMjAxNy0wMy0yOFQyMDozMzo1M1oiPjxzYW1sOkF1dGhuQ29u\r\ndGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6\r\ndGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9y\r\ndDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0\r\nPjwvc2FtbDpBdXRoblN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6\r\nUmVzcG9uc2U+\r\n",
"RelayState": "https://testserver.benunets.com/admin/login"
}
kernel.php
I can only see this response only because I comment out my CFRF token on my app/Http/kernel.php
// \App\Http\Middleware\VerifyCsrfToken::class,
ROUTE
Route::post('admin/secure/dashboard', 'SAMLController#post');
CONTROLLER
public function post(){
return Input::all();
}
What is the best practice to deal with SAML POST and still maintaining CSRF protection ?
Should I create a middleware or anything similar to that ?
You may exclude your endpoint by adding it to the $except property of the VerifyCsrfToken middleware.
After that you may want to add your own middleware to check if the post request came from an origin you explicitly accept.
The documentation of the package also states that you should configure a middleware group in te config which at least needs the StartSession middleware. So you can make a special middleware-group which excludes the VerifyCsrfToken middleware. However, I do believe it would be better to exclude the endpoint, and add your own middleware check.
Also, you are referencing the url admin/secure/dashboard. Are you using this for debugging the POST request? Because I believe the actual endpoint for iDP needs to be https://your-url.com/saml2/acs (unless you changed the default configuration). This page will use the post data to trigger an event with which you can login the appropriate user.