Laravel CSRF protection with REST API
Solution 1
In your App\Http\Middleware\VerifyCsrfToken
you will have such a class, add your routes to the $except
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
protected $except = [
'shows/*',
'episode/*',
'genre/*',
];
}
Solution 2
You should consider using different middleware groups for Your web and api layers. Laravel by default, depending on version You are using, uses web
middleware group.
If You are not having line like this Route::group(['middleware' => 'web'], function () {
in Your routes.php
file, then Your laravel version is that one which uses it by default. Check Your RouteServiceProvider.php
file for this line: https://github.com/laravel/laravel/blob/master/app/Providers/RouteServiceProvider.php#L56.
If presented, remove 'middleware' => 'web'
part and group routes Yourself in routes.php
. Then use web
middleware for part where You need sessions, csrf and other stuff, and use api
middleware where You don't need these things (api
middleware group does not include sessions, encrypted cookies and csrf verifications).
Vijayanand Premnath
Updated on June 08, 2022Comments
-
Vijayanand Premnath almost 2 years
I have this code at the top of my routes file
Route::when('*', 'csrf', array('post', 'put', 'delete'));
When I testing my RESTful API layer I get token mismatch error. How to solve this?
I use CSRF protection for regular form submissions a user might do. But how would that work for an API? I have my API calls grouped after my regular routes as below
Route::group(array('prefix' => 'api'), function () { Route::resource('shows', 'ShowsApiController'); Route::resource('episode', 'EpisodesApiController'); Route::resource('genre', 'GenresApiController'); });
-
Vijayanand Premnath about 8 yearsIs there any possibility to disable in a specific controller
-
Achraf Khouadja about 8 yearscan you close/answer the question if you have found a solution
-
Giedrius Kiršys about 8 yearsIt's OK to add csrf exceptions, but this is not the right way to deal with API. Why this is not the right way to do API: cookies will be added to response - breaking stateless concept; laravel will try to start session - loosing some expensive time; You will have to do two times more testing when adding new middleware in web group; If You think about throttling, eventually You will need to migrate to API middleware group. Just my two cents.
-
Achraf Khouadja about 8 yearsto me, it seems like you have a better solution, yet sometimes people dosent care about the "stateless concept" or (INSERT A COMPLICATED BEST PRACTICE TERM HERE) , im not saying that they are bad or something but working with small apps dosent need to make things a bit more complicated
-
Giedrius Kiršys about 8 yearsI agree with You about small apps, keeping them simple is crucial. But here comes another important part: if You are doing everything as simple as possible, then You are not improving Your skills. As a programmer I can say, that when I try to change something; do something differently, than always, I learn a lot. Cheers!
-
Ahsaan Yousuf over 7 yearsThis answer should be selected!
-
151291 over 5 yearsAdded in 5.2 but still api response same error
TokenMismatchException in VerifyCsrfToken.php line 67: