pmall
2 years ago (576,145 XP)

@billmn A cleaner way:

# app/Http/Kernel.php:

    /**
     * The application's global HTTP middleware stack.
     *
     * @var array
     */
    protected $middleware = [
        'Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode',
        'Illuminate\Cookie\Middleware\EncryptCookies',
        'Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse',
        'Illuminate\Session\Middleware\StartSession',
        'Illuminate\View\Middleware\ShareErrorsFromSession',
        // 'App\Http\Middleware\VerifyCsrfToken', // Erase this
    ];
    /**
     * The application's route middleware.
     *
     * @var array
     */
    protected $routeMiddleware = [
        'auth' => 'App\Http\Middleware\Authenticate',
        'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
        'guest' => 'App\Http\Middleware\RedirectIfAuthenticated',
        'csrf' => 'App\Http\Middleware\VerifyCsrfToken',
    ];

Then in routes.php:

    // List of API routes

    $router->group(['middleware' => 'csrf'], function($router)
    {
        // CSRF protected routes.
    });

But again, AJAX calls should be CSRF protected. The method above is fine for API calls from external places.

Mashauri

@billmn's post gave me an idea: all you have to do is open the file app/Http/Middleware/VerifyCsrfToken.php and add 'api/*' to the protected $except array. Works for me and is a clean way to exempt routes.

    <?php namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

    class VerifyCsrfToken extends BaseVerifier
    {
        /**
         * The URIs that should be excluded from CSRF verification.
         *
         * @var array
         */
        protected $except = [
            'api/*',
        ];
    }

billmn
2 years ago (53,250 XP)

@Mashauri Yep, but my post refers to Laravel 5.0 and not 5.1.

Now that I have upgraded my application to L 5.1 I've used the 'except' property and it works fine.

arielcalcano

After hours of research, I could fix the problem by simply adding the domain in config/session.php:

    // Session Cookie Domain
    'domain' => 'your-app-domain',

It doesn't matter if the session driver is "database" or another one.

Greetings!

criste_nicu

In Http/Middleware/VerifyCsrfToken.php you have an array called $except. Just add your API URI.

    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'api/*'
    ];

drodriguez

Hi!

I was implementing this by grouping my API routes with the prefix 'api' and excluding it in the $except array as @criste_nicu said.

But I was wondering how to do it if I change my API routes from a prefix to a subdomain like api.mydomain.com?
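Added example (editor's code, not from any poster above): a Laravel 5.1 `VerifyCsrfToken` that keeps the `api/*` path exemption from @criste_nicu's answer and also covers the subdomain case @drodriguez asks about. It relies on the 5.1 base class's protected `shouldPassThrough($request)` hook, which only matches the `$except` patterns against the request path (so `'api/*'` never matches a request to `api.mydomain.com/posts`), and adds a host check next to it. The host name `api.mydomain.com` is the one from the question; the `$exceptHosts` property is this example's own, not part of Laravel. Exempting a host takes CSRF protection off every route served on it, so list only the API host and keep the browser-facing application on a different one.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     * Path patterns only: https://www.mydomain.com/api/posts matches 'api/*',
     * https://api.mydomain.com/posts does not.
     *
     * @var array
     */
    protected $except = [
        'api/*',
    ];

    /**
     * Hosts whose requests are excluded from CSRF verification.
     * (Property added for this example; Laravel itself has no such setting.)
     * Keep this to the API host only: every route served on a listed host
     * loses CSRF protection, so the browser-facing app must not live on it.
     *
     * @var array
     */
    protected $exceptHosts = [
        'api.mydomain.com',
    ];

    /**
     * Determine if the request has a URI or host that should pass through
     * CSRF verification. Extends the 5.1 base implementation, which compares
     * $request->is() against $except.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return bool
     */
    protected function shouldPassThrough($request)
    {
        if (parent::shouldPassThrough($request)) {
            return true;
        }

        // getHost() comes back lower-cased and without the port (Symfony's
        // Request does that), so a strict comparison against the list is enough.
        return in_array($request->getHost(), $this->exceptHosts, true);
    }
}
```

Because the override only adds an extra way to pass through, the behaviour for every other request is unchanged: GET/HEAD/OPTIONS still skip the check and everything else on the main host still needs a valid token.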

juandmegon

A RESTful API should be stateless, which means that it is not necessary to keep state across requests (sessions); in this way the CSRF verification is not completely necessary. To "disable" the session, just go to the .env file and change SESSION_DRIVER to array: SESSION_DRIVER=array

In this way it is not possible for someone to take advantage of a stored session (CSRF).

Then you can just disable the CSRF middleware by commenting out the respective line in the Kernel.php file.

Additionally, it is a very good idea to add some validation mechanism like basic auth (at least), or preferably OAuth2 or JWT.

Hope many of you found this helpful.
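An added example for the stateless option described in this post (editor's code, not @juandmegon's): a middleware that authenticates API requests with HTTP Basic credentials through `Auth::onceBasic()`, which checks the `Authorization` header on every request and never writes the login to the session, so it works with `SESSION_DRIVER=array` and with the CSRF middleware no longer covering the API. `Auth::onceBasic()` is Laravel's own method; the class name and the `'auth.basic.once'` alias used below are this example's choice.

```php
<?php

namespace App\Http\Middleware;

use Auth;
use Closure;

/**
 * Stateless HTTP Basic authentication for API routes.
 *
 * Auth::onceBasic() validates the Authorization header against the users
 * table on every request and does not store the login in the session, so no
 * session cookie is issued that a cross-site request could ride on. When the
 * credentials are missing or wrong it returns a 401 response carrying a
 * WWW-Authenticate challenge.
 */
class AuthenticateOnceWithBasicAuth
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // onceBasic() returns null when the credentials are valid and a
        // 401 Response otherwise, so only the successful case reaches $next.
        return Auth::onceBasic() ?: $next($request);
    }
}
```

Register it in the `$routeMiddleware` array of `app/Http/Kernel.php` as `'auth.basic.once' => 'App\Http\Middleware\AuthenticateOnceWithBasicAuth'` and apply it to the API group, for example `Route::group(['prefix' => 'api', 'middleware' => 'auth.basic.once'], function () { ... })`. Once CSRF is removed from those routes this middleware is what stops an unauthenticated POST, so the group should not be left without it; and since Basic credentials travel with every request, the API should be served over HTTPS only.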
