We Keep Coding

Laravel Paypal POST request is rejected

I'm trying to implement IPN in my Laravel project, a post request from my website is working thanks to "csrf",
i try to implement it like written here:
https://developer.paypal.com/docs/api-basics/notifications/ipn/ht-ipn/
in my routes/web.php:
Route::post('i', [IController::class, 'y'])->name('i');
and in IController whats written on the side:
public function y()
{
error_log('function y called');
// STEP 1: read POST data
// Reading POSTed data directly from $_POST causes serialization issues with array data in the POST.
// Instead, read raw POST data from the input stream.
$raw_post_data = file_get_contents('php://input');............
The error_log doesn't show up, means the function is never entered.
Question: How can i force Laravel to except POSTS From Paypal?

You can Exclude URIs From CSRF Protection in laravel.
Goto App\Http\Middleware\VerifyCsrfToken and add url which you want to exclude csrf token.
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* #var array
*/
protected $except = [
'i',
];
}
As document says
Sometimes you may wish to exclude a set of URIs from CSRF protection.
For example, if you are using Stripe to process payments and are
utilizing their webhook system, you will need to exclude your Stripe
webhook handler route from CSRF protection since Stripe will not know
what CSRF token to send to your routes.
Typically, you should place these kinds of routes outside of the web
middleware group that the App\Providers\RouteServiceProvider applies
to all routes in the routes/web.php file. However, you may also
exclude the routes by adding their URIs to the $except property of the
VerifyCsrfToken middleware:
Ref:https://laravel.com/docs/8.x/csrf#csrf-excluding-uris

laravel route:any page expired to inactivity

I am using in laravel 5.5 a route for Any:
Route::any('/', 'HomeController#index')->name('homepage');
The route should be a GET one, but because of a third provider which redirect with a POST i had to change it to any;
The problem is when redirect is made from the third party (with post) now i get:
The page has expired due to inactivity.
Please refresh and try again.
this is because of the {{ csrf_field() }}
How can i pass the csrf_field and make that route act as a GET one even if i get a POST request?

Note: Do not disable CSRF protection unless you know what you are doing. I only suggest this because it appears they are not actually POSTing any data to the application on this route.
You can exclude URIs from CSRF protection by adding the URI to the $except array in the VerifyCsrfToken middleware:
https://laravel.com/docs/5.6/csrf#csrf-excluding-uris
protected $except = [
'/',
];

Just add csrf() inside your forms tag.

CakePHP 3 Security component and Form Fields using VueJS

I'm creating an application using Vue.js and CakePHP 3.6.
When POST, security component throws a 400 error because the _Token fields are missing. I don't have problems with CSRF token, just form security validation.
I don't wanna disable the component in the whole application.
I found a non-solution: Expose _buildFieldToken from the Cake\View\Helper\SecureFieldTokenTrait but I think this will avoid the SecurityComponent purpose.
Any help are really welcome and appriciated.

The action in the controller (example: ajaxRequest) that you need access by fetch or axios, could be unlocked, in the controller:
if you have generated the form with the cake helpers, the _CSRFTOKEN is in the form label or hidden input (sorry inspect the Form element in the browser), when you have localized the token, add this in the data of .$post().
ajax request cakephp
public function beforeFilter(Event $event)
{
//this line is not necessary if you pass the _csrfToken
$this->getEventManager()->off($this->Csrf);
$this->Security->setConfig('unlockedActions', ['ajaxRequest']);
}

Pusher add CSRF token to form data

I'm trying to implement private channel authorization with Pusher and Laravel.
The forms require a CSRF input field (randomized input name and value). Normally I use twig to insert them into the forms I put on the page.
How can I insert the csrf fields into the form data that Pusher sends when it tries to connect to the auth endpoint? It isn't present in the form data (but is present in the request header), so it's getting rejected by the laravel CSRF middleware.

If you're using Laravel, this isn't necessary, you shouldn't implement your auth endpoint like this. Your auth endpoint should be defined inside channels.php in the routes folder. For example
// routes/channels.php
Broadcast::channel('chat', function ($user) {
return Auth::check();
});
CSRF not necessary.

CSRF Codeigniter 3 Validation

I've been reading about the crsf protection in codeigniter, but I can't seem to find a decent tutorial on how to proceed after enabling csrf in the config file.
I have a form generated by a controller function users/create that submits to another function users/submit_new.
I used the form helper class so that the crsf field is automatically generated.
I have this validation function on the submit function:
if ($this->input->post(get_csrf_token_name()) == get_csrf_hash()) {
$this->users_model->create(); }
But all I get is action not allowed error.
What is the right way to validate csrf? Or am I doing something wrong?

If you're using CodeIgniter CSRF the way the user guide mentions, by setting:
$config['csrf_protection'] = TRUE; // this in application/config/config.php
And you are also using the form helper to generate your form open tag, then you do not need to check for the token and hash the way you are doing. CodeIgniter does this for you.
Read the docs: https://www.codeigniter.com/user_guide/libraries/security.html#cross-site-request-forgery-csrf
If you still have problems, then see related questions:
codeigniter CSRF error: "The action you have requested is not allowed."
Action you have requested is not allowed error