
pn523 (Level 2)

API not verifying token in Laravel 5.5

When sending an AJAX request to the API, it does not verify the token; disabling the VerifyCsrfToken middleware in App\Http\Kernel of the API works. I strictly followed all the rules according to the docs in Laravel 5.5. It works perfectly when redirecting internally in the main project, but breaks when sending a POST request to the API. Any suggestions? Thanks in advance.

0 likes
15 replies
pn523 (Level 2)

I think it has something to do with cross-origin domain requests, is that right?

Geddit

My assumption is that you're making an API request to a route that uses the web middleware—as verifyCsrfToken is only part of that middleware group.

Make sure that your API requests are in routes/api.php.

If not, sharing some code would be nice!

pn523 (Level 2)

Actually, I am not using auth and I did authorization manually; also, my routes are in web.php.

Geddit

This has nothing to do with authentication.

You might want to read the docs: Routing. It states:

"...These routes are assigned the web middleware group, which provides features like session state and CSRF protection. The routes in routes/api.php are stateless and are assigned the api middleware group."

1 like
pn523 (Level 2)

I tried placing the route in api.php, but got the same error. I also tried response headers, but it did not work.

If I exclude it, of course it works, but it would mean that I need to exclude all the routes, and I don't think that is a good idea. Any suggestions? Thanks in advance.

pn523 (Level 2)

I checked the Laravel log and all I figured out is that it throws a 419 status because it is a TokenMismatchException. After research I figured out that I was on the correct path and that I need to allow Cross-Origin Resource Sharing (CORS) from the API. I returned the response with the headers as mentioned in the docs, but it is not working. Any idea? I even tried laravel-cors at "https://github.com/barryvdh/laravel-cors". Any idea what is causing this?

Snapey

You can only use CSRF protection if you use sessions.

Do you use sessions in your own version of auth?

pn523 (Level 2)

Yes, I am setting the session in the success function of the POST request to the API via AJAX.

Snapey

So your AJAX call is passing the session cookie with each request?

pn523 (Level 2)

I solved the problem by placing "header('Access-Control-Allow-Origin : *')" in bootstrap/app.php, but that is a little bit odd. Is it valid in production?

pn523 (OP, Level 2), Best Answer

FINALLY SOLVED IT: In "vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php", under the "isReading" method, replace

return in_array($request->method(), ['HEAD', 'GET', 'OPTIONS']);

with this:

return in_array($request->method(), ['POST', 'HEAD', 'GET', 'OPTIONS']);

Cronix

That change can get overridden when you update Laravel. You should never alter code in /vendor.

It would be better to create your own middleware and use that instead of the default. You can set which middleware runs in /app/Http/Kernel.php. Just replace \App\Http\Middleware\VerifyCsrfToken::class with your own class in the web middleware group.

1 like
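What that looks like in practice, as an added example (not code from this thread, and not the project's own code): in a fresh Laravel 5.5 install the class below already exists at app/Http/Middleware/VerifyCsrfToken.php and is the one the web middleware group in app/Http/Kernel.php points at, so it is the supported place to narrow the check without touching /vendor. The 'api/*' prefix is an assumption for illustration.

```php
<?php
// Added example for a Laravel 5.5 app: app/Http/Middleware/VerifyCsrfToken.php.
// Extending the framework middleware keeps the real check (tokensMatch) intact
// and survives composer updates; only the exemption list is application code.
// The 'api/*' prefix is assumed for illustration.

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * URIs excluded from CSRF verification.
     *
     * Only endpoints that carry their own credential on every request (for
     * example a bearer token checked by a separate middleware, or a webhook
     * verified by signature) belong here. An endpoint that relies on the
     * session cookie must stay out of this list: with the cookie alone, any
     * site the user visits can make the browser send that POST.
     */
    protected $except = [
        'api/*',
    ];
}
```

With this in place the kernel line Cronix mentions, \App\Http\Middleware\VerifyCsrfToken::class in the web group, needs no change, because it already names the application class rather than the vendor one. Routes that genuinely do not use the session should instead live in routes/api.php, where the api group applies and no CSRF middleware runs at all.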
pn523 (Level 2)

Ok, I will try it. Thank you.

click

@pjn I can't believe this is a solution; this is just a workaround. What you just did is disable CSRF checking for POST requests...

The method you are changing is isReading(). After your change, this method will return true on POST requests and will never fire the TokenMismatchException anymore.

public function handle($request, Closure $next)
{
    // Any one of these four conditions lets the request through: a safe HTTP
    // method, a PHPUnit run, a URI listed in $except, or a token that matches
    // the session. Only the last one proves the request came from our own
    // page; the other three are exemptions, and putting POST into
    // isReading() turns the exemption on for every state-changing request.
    if (
        $this->isReading($request) ||
        $this->runningUnitTests() ||
        $this->inExceptArray($request) ||
        $this->tokensMatch($request)
    ) {
        return $this->addCookieToResponse($request, $next($request));
    }

    throw new TokenMismatchException;
}

So for everyone else who is here for a solution: do NOT change the isReading() method, but actually solve the problem you have.

2 likes
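To make click's point concrete, here is an added stand-alone model of the decision handle() makes; it is not code from this thread and not Laravel's implementation (the real middleware also reads the session, consults $except and accepts an encrypted X-XSRF-TOKEN cookie, all omitted here). The session token and the four requests are constructed. It runs the same requests through the stock isReading() and through the patched one with POST added, so the difference is visible on one screen.

```php
<?php
// Added example, not from the thread or from Laravel: a simplified model of
// VerifyCsrfToken::handle(). SESSION_TOKEN and the requests are constructed.

declare(strict_types=1);

// Constructed: the token Laravel would have stored in the user's session.
const SESSION_TOKEN = 'constructed-session-token-9f3c2a';

/** Safe-method exemption. $patched reproduces the vendor edit proposed above. */
function isReading(array $request, bool $patched = false): bool
{
    $safe = ['HEAD', 'GET', 'OPTIONS'];
    if ($patched) {
        $safe[] = 'POST';   // every POST now bypasses tokensMatch() entirely
    }
    return in_array($request['method'], $safe, true);
}

/** _token form field first, then the X-CSRF-TOKEN header, compared in constant time. */
function tokensMatch(array $request, string $sessionToken): bool
{
    $token = $request['input']['_token'] ?? $request['headers']['X-CSRF-TOKEN'] ?? null;
    return is_string($token) && hash_equals($sessionToken, $token);
}

/** 'allow' or '419', mirroring the or-chain in handle(). */
function csrfDecision(array $request, string $sessionToken, bool $patched = false): string
{
    if (isReading($request, $patched) || tokensMatch($request, $sessionToken)) {
        return 'allow';
    }
    return '419';   // where Laravel throws TokenMismatchException
}

/** Runs the constructed requests through both versions of the check. */
function compareChecks(): array
{
    // The first request is what a page on another origin can make the victim's
    // browser send: the session cookie goes along automatically, but the page
    // cannot read the session, so it cannot supply the token. The next two are
    // the legitimate ways a same-site page proves it saw the token.
    $requests = [
        'cross-site POST, no token' => ['method' => 'POST', 'headers' => [], 'input' => ['amount' => '500']],
        'AJAX POST, X-CSRF-TOKEN'   => ['method' => 'POST', 'headers' => ['X-CSRF-TOKEN' => SESSION_TOKEN], 'input' => []],
        'form POST, _token field'   => ['method' => 'POST', 'headers' => [], 'input' => ['_token' => SESSION_TOKEN]],
        'GET'                       => ['method' => 'GET', 'headers' => [], 'input' => []],
    ];

    $result = [];
    foreach ($requests as $label => $request) {
        $result[$label] = [
            'stock'   => csrfDecision($request, SESSION_TOKEN, false),
            'patched' => csrfDecision($request, SESSION_TOKEN, true),
        ];
    }
    return $result;
}

foreach (compareChecks() as $label => $decision) {
    printf("%-28s stock=%-5s patched=%s\n", $label, $decision['stock'], $decision['patched']);
}
```

The only row where the two columns differ is the cross-site POST without a token: the stock check returns 419, the patched one returns allow, which is exactly the request CSRF protection exists to stop. The two legitimate POSTs already pass the stock check, which is what an AJAX client in this situation should do: read the token from the page (the Laravel docs describe putting it in a csrf-token meta tag) and send it in the X-CSRF-TOKEN header. If that client is on a different origin, the browser will only attach the session cookie when the request is made with credentials, and a response with Access-Control-Allow-Origin: * is then rejected by the browser; the server has to name the allowed origin explicitly and send Access-Control-Allow-Credentials: true.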
