Laravel CSRF protection with REST API


Solution 1

In your App\Http\Middleware\VerifyCsrfToken you will have a class like the one below; add your routes to $except:

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
  // URIs matching these patterns skip CSRF token verification
  protected $except = [
    'shows/*',
    'episode/*',
    'genre/*',
  ];
}

Solution 2

You should consider using different middleware groups for Your web and api layers. Laravel, depending on the version You are using, uses the web middleware group by default.

If You do not have a line like Route::group(['middleware' => 'web'], function () { in Your routes.php file, then Your Laravel version is the one that uses it by default. Check Your RouteServiceProvider.php file for this line: https://github.com/laravel/laravel/blob/master/app/Providers/RouteServiceProvider.php#L56.

If present, remove the 'middleware' => 'web' part and group the routes Yourself in routes.php. Then use the web middleware for the part where You need sessions, CSRF and other stuff, and use the api middleware where You don't need these things (the api middleware group does not include sessions, encrypted cookies or CSRF verification).
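A routes.php laid out the way Solution 2 describes, as an added example rather than code from the answer: the controller class names are the ones from the question and are assumed to exist, and the group names web and api are the defaults registered in App\Http\Kernel::$middlewareGroups of Laravel 5.2 and later.

```php
<?php
// Added example, not the answer's own code. Assumes 'middleware' => 'web'
// has been removed from RouteServiceProvider so nothing is applied implicitly.

// Browser-facing routes: sessions, encrypted cookies and CSRF verification
// all come from the 'web' group, so forms here must send the _token field.
Route::group(['middleware' => 'web'], function () {
    Route::get('/', 'HomeController@index');            // assumed controller
    Route::post('profile', 'ProfileController@update'); // assumed controller
});

// API routes: the 'api' group starts no session and sets no cookie, so a
// cross-site request has no ambient credential to ride on and CSRF checking
// is not needed here. Each call must carry its own credential (for example
// a token the API validates itself); the group also applies Laravel's
// default 'throttle:60,1' rate limit.
Route::group(['prefix' => 'api', 'middleware' => 'api'], function () {
    Route::resource('shows', 'ShowsApiController');
    Route::resource('episode', 'EpisodesApiController');
    Route::resource('genre', 'GenresApiController');
});
```

Requests to /api/* no longer reach VerifyCsrfToken at all, so $except entries for those URIs are unnecessary, while the web routes keep full CSRF protection.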

Author: Vijayanand Premnath

Updated on June 08, 2022

Comments

  • Vijayanand Premnath
    Vijayanand Premnath almost 2 years

    I have this code at the top of my routes file

    Route::when('*', 'csrf', array('post', 'put', 'delete'));
    

    When I test my RESTful API layer, I get a token mismatch error. How do I solve this?

    I use CSRF protection for regular form submissions a user might do. But how would that work for an API? I have my API calls grouped after my regular routes as below

    Route::group(array('prefix' => 'api'), function () {
        Route::resource('shows', 'ShowsApiController');
        Route::resource('episode', 'EpisodesApiController');
        Route::resource('genre', 'GenresApiController');
    });
    
  • Vijayanand Premnath
    Vijayanand Premnath about 8 years
    Is there any possibility to disable it in a specific controller?
  • Achraf Khouadja
    Achraf Khouadja about 8 years
    Can you close/answer the question if you have found a solution?
  • Giedrius Kiršys
    Giedrius Kiršys about 8 years
    It's OK to add CSRF exceptions, but this is not the right way to deal with an API. Why this is not the right way to do an API: cookies will be added to the response, breaking the stateless concept; Laravel will try to start a session, losing some expensive time; You will have to do twice as much testing when adding new middleware to the web group; if You think about throttling, eventually You will need to migrate to the api middleware group. Just my two cents.
  • Achraf Khouadja
    Achraf Khouadja about 8 years
    To me, it seems like you have a better solution, yet sometimes people don't care about the "stateless concept" or (INSERT A COMPLICATED BEST PRACTICE TERM HERE). I'm not saying that they are bad or something, but working with small apps doesn't need to make things more complicated.
  • Giedrius Kiršys
    Giedrius Kiršys about 8 years
    I agree with You about small apps; keeping them simple is crucial. But here comes another important part: if You are doing everything as simply as possible, then You are not improving Your skills. As a programmer I can say that when I try to change something, or do something differently than usual, I learn a lot. Cheers!
  • Ahsaan Yousuf
    Ahsaan Yousuf over 7 years
    This answer should be selected!
  • 151291
    151291 over 5 years
    Added in 5.2, but the API response still gives the same error: TokenMismatchException in VerifyCsrfToken.php line 67.