My app is using React on the front end and Laravel 5.4 on the backend. I'm using fetch() to request data from the backend. The problem is that two sessions are created when the page loads. A TokenMismatchException is thrown by the CSRF Middleware when a POST request is made because the token that is sent matches the first session that is created, but it checks against the second.
I'm setting the token in app.blade.php
<meta name="_token" content="{{ csrf_token() }}">
And grabbing the token in the fetch config
fetchConfig = {
headers: {
'Content-Type': 'application/json',
'Accept': 'application/json',
'X-CSRF-TOKEN': $('meta[name="_token"]').attr('content')
},
credentials: 'same-origin'
}}
Here are the decrypted sessions:
a:3:{s:6:"_token";s:40:"7obvOzPaqqJDtVdij8RaqrvmTFLjKA2qnvYMxry6";s:9:"_previous";a:1:{s:3:"url";s:24:"http://localhost/page";}s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}}
a:3:{s:6:"_token";s:40:"5Aiws9Qy72YzlkfWX81zkhzrSeiMDYjFWiLeDAwN";s:9:"_previous";a:1:{s:3:"url";s:41:"http://localhost/api/page";}s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}}
Request URL: http://localhost/page
API URL: http://localhost/api/page
How can I prevent a new session from being created when the React app makes its initial GET request?
Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application. : https://laravel.com/docs/5.4/csrf
APIs are stateless. There is nothing like session in APIs. So you shouldn't use CSRF token in API. If you check Kernel.php of laravel. You will see Tylor didn't add VerifyCsrf middleware in API group. Which suggest that CSRF is only used in the request having session i.e, stateful request. I would recommend you to use JWT based authentication system for API. For more about JWT check here.
You can use this laravel package for JWT : https://github.com/tymondesigns/jwt-auth
I'm not sure what is your request URL and what is your target API url. Make sure both are on same domain(including subdomain).
I think its a good idea to disable CSRF validation only for API routes as these might be used by other domains, native apps etc
You can do that by adding following class file: app/Http/Middleware/VerifyCsrfToken.php
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'api/*',
];
}
Make sure to edit Kernal.php to point to the new class:
protected $middleware = [
'csrf' => 'App\Http\Middleware\VerifyCsrfToken'
];
To learn more how Laravel uses CSRF check this laracast video
Related
I'm trying to implement IPN in my Laravel project, a post request from my website is working thanks to "csrf",
i try to implement it like written here:
https://developer.paypal.com/docs/api-basics/notifications/ipn/ht-ipn/
in my routes/web.php:
Route::post('i', [IController::class, 'y'])->name('i');
and in IController whats written on the side:
public function y()
{
error_log('function y called');
// STEP 1: read POST data
// Reading POSTed data directly from $_POST causes serialization issues with array data in the POST.
// Instead, read raw POST data from the input stream.
$raw_post_data = file_get_contents('php://input');............
The error_log doesn't show up, means the function is never entered.
Question: How can i force Laravel to except POSTS From Paypal?
You can Exclude URIs From CSRF Protection in laravel.
Goto App\Http\Middleware\VerifyCsrfToken and add url which you want to exclude csrf token.
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'i',
];
}
As document says
Sometimes you may wish to exclude a set of URIs from CSRF protection.
For example, if you are using Stripe to process payments and are
utilizing their webhook system, you will need to exclude your Stripe
webhook handler route from CSRF protection since Stripe will not know
what CSRF token to send to your routes.
Typically, you should place these kinds of routes outside of the web
middleware group that the App\Providers\RouteServiceProvider applies
to all routes in the routes/web.php file. However, you may also
exclude the routes by adding their URIs to the $except property of the
VerifyCsrfToken middleware:
Ref:https://laravel.com/docs/8.x/csrf#csrf-excluding-uris
I want to implement socket with Echo in laravel. I have an API beside my main laravel project. In my laravel project all events are triggered and sockets working correctly. But in API it doesn't work and it returns 419 error. Client can not be authenticated, got HTTP status 419. I figured out that it needs CSRF token however in API we don't have it. By the way when I comment \App\Http\Middleware\VerifyCsrfToken::class in App\Http\Kernel.php it works!
How can I add it to an exception that if an user sending request to API not to verify its CSRF token?
Btw, you can put URIs that you want to make as exception inside this file app/Http/Middleware/VerifyCsrfToken.php at following line:
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
//
];
Those URIs under $except property will be ignore
So I have an application that sends an AJAX request to an external server which does some stuff then makes a post call to the laravel application that made the initial call.
So I am trying to do a POST call to the laravel application. Now from the AJAX request i am sending the csrf_token()
Here are the headers I've put into my post request:
X-CSRF-TOKEN: LO8Dg7j1jZssXXGSLIa8inBgh2Y1QSsp6Birc1Ui
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
That token belongs to the logged in user that made the AJAX request. Now the problem i'm getting is from this i get a TokenMismatchException500 error.
Is there something else I need to do in my external post calls headers in order to not encounter this error?
As i've got the CSRF token i am using a rest client to try send a test post using those headers and I get the same error?
The aim is on the recieving laravel app controller will then be able to use the token and i'll be able to use $request->user(); to get the user.
Note the recieving route has the web middleware attached to it.
Since you are making request from another server external url.Because of this you are getting erorr.Csrf token works with the same application not working if you try to exicute from other application. so you can disable csrf token.
if you want to disable token for all request then add this in VerifyCsrfToken
protected $except = [
'/*',
];
Excluding URIs From CSRF Protection
Sometimes you may wish to exclude a set of URIs from CSRF protection. For example, if you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your Stripe webhook handler route from CSRF protection since Stripe will not know what CSRF token to send to your routes.
Typically, you should place these kinds of routes outside of the web middleware group that the RouteServiceProvider applies to all routes in the routes/web.php file. However, you may also exclude the routes by adding their URIs to the $except property of the VerifyCsrfToken middleware:
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'stripe/*',
];
}
Ref:
https://laravel.com/docs/5.5/csrf
I am trying to create a RESTful API by using Laravel. I have created my controller using php artisan make:controller RestController and this is my controller code:
<?php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
class RestController extends Controller
{
private $arr = array(
array("name"=>"jon", "family"=>"doe"),
array("name"=>"jhon", "family" => "doue")
);
public function index(){
return json_encode($this->arr);
}
public function store(Request $request){
return "oops!!";
}
public function update (Request $request, $id){
return "test";
}
}
I have added this line of code to create this route in my routes/web.php file:
Route::resource('person', 'RestController');
When I try to test this api on GET /person it works fine but on POST and PUT I am getting a 419 status code from Laravel.
If you are developing REST APIs, you better not add tokens. If you are using 5.4 or 5.5 you can use api.php instead of web.php. In api.php you don't need token verification on post requests.
If you are using web.php, then you can exclude routes that you don't want to validate with CSRF Tokens.
Here is the official documentation:
Excluding URIs From CSRF Protection
Sometimes you may wish to exclude a set of URIs from CSRF protection. For example, if you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your Stripe webhook handler route from CSRF protection since Stripe will not know what CSRF token to send to your routes.
Typically, you should place these kinds of routes outside of the web middleware group that the RouteServiceProvider applies to all routes in the routes/web.php file. However, you may also exclude the routes by adding their URIs to the $except property of the VerifyCsrfToken middleware:
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'stripe/*',
'http://example.com/foo/bar',
'http://example.com/foo/*',
];
}
For reference https://laravel.com/docs/5.5/csrf
As per my Knowledge there are two methods to solve this
Method 1: Add CsrF Token
Method 2: Exclude URIs from CSRF protection
How to use
Method 1: Add one more variable to your POST request
_token: "{{ csrf_token() }}"
Example for Ajax
req = $.ajax({
type: "POST",
url: "/search",
data: {
"key": "value",
_token: "{{ csrf_token() }}",
},
dataType: "text",
success: function(msg) {
// ...
}
});
Example if you using forms
<input type="hidden" name="_token" id="token" value="{{ csrf_token() }}">
Method 2: There is a file named VerifyCsrfToken in following location
yourProjectDirectory/app/Http/Middleware
Add your URL in following method
protected $except = [
'url1/',
'url2/',
];
When To use
If you are the owner(full control) of API, use Method 1, as CSRF Token adds security to your application.
If you are unable to add CSRF Token like in case if you are using any third party API's, webhooks etc., then go for Method 2.
This can solve by excluding csrf protection of specific route you want to.
Inside your middleware folder, edit the file called VerifyCsrfToken.php
protected $except = [
'http://127.0.0.1:8000/person/'
];
I solved this problem by changing my server cache setting.
You can disable all of your caching systems (Nginx, Cloudflare, ...) to check it and then
turn it on by applying QueryString + Cookie to prevent caching a page with old csrf token in it.
I had the same issue when did POST requests to a Laravel API.
I solved the issue sending Accept: application/json in the headers request.
I am currently porting a codebase to more RESTful pattern so that I can run a mobile app and a web application from a single API.
I know laravel 5.3 now implements Laravel Passport, but how can I consume my own API, i.e a user signs up gets an authentication token / api token and then each requests to the server checks against that token, so far I have the following, in my api routes,
Route::group(['middleware' => 'auth:api'], function () {
Route::get('classes', 'ClassController#index');
Route::get('classes/{id}', 'ClassController#show');
Route::post('classes', 'ClassController#create');
Route::put('classes', 'ClassController#edit');
Route::delete('classes', 'ClassController#destroy');
});
In my Http/kernal.php I have added,
\Laravel\Passport\Http\Middleware\CreateFreshApiToken::class
To my $middleWareGroups array.
So how do I generate an authentication key for my user, i.e when they login how do I add a token to that user?
I'm answering this for future users who come here because their API is responding "not authenticated" while trying to consume their own API.
OPs question: "So how do I generate an authentication key for my user, i.e when they login how do I add a token to that user?"
Answer: If you consume your own API via the CreateFreshAPIToken middleware, you don't need to generate a special authentication key / token. The authentication is done via the "laravel_token" cookie which is appended to your responses when adding CreateFreshApiToken middleware.
This embedded token is decrypted by passport when receiving a request with this cookie sent.
For people who still get the "not authenticated" message after following all steps from the docs for consuming their own API:
The whole concept won't work if the Laravel Middleware Illuminate\Cookie\Middleware\EncryptCookies is not defined for your route groups.
This information is not provided by the docs. It totally makes sense though. The cookie can't be decrypted, if it was never encrypted so there will always be an DecryptException in the TokenGuard provided by Passport.
This middleware is by default configured for all requests, looking something like this in your Kernel.php:
class Kernel extends HttpKernel
{
/**
* The application's global HTTP middleware stack.
*
* These middleware are run during every request to your application.
*
* #var array
*/
protected $middleware = [
\Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
\Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
\App\Http\Middleware\TrimStrings::class,
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
];
}
If it's not, you should add it.
Hope I could help some folks landing here after hours with tears in their eyes.
To consume your own api, with other frontend framework, you'll need to add a request header to each AJAX request: set the header X-CSRF-TOKEN equal to the CSRF token for that page.
Eg : With Javascript
$.ajax({
url: $url,
headers:{'X-CSRF-TOKEN': Laravel.csrfToken},
type: $type,
dataType: $dataType,
async: $async,
data: $data,
});