Make a post request to a api that uses sanctum via Client (laravel-6.2).

@OussamaMater

Thanks. These things are working and already set up as you said. Just wondering how to make it via an HTTP client.It's working with get but return csrf issue with post

@nipun add this to your headers array

'X-CSRF-TOKEN' => csrf_token()

An example:

$response = Http::withHeaders([
'X-CSRF-TOKEN' => csrf_token()
])->post('http://example.com/users');

This should solve the issue.

@OussamaMater Im doing it like below. But still same

        $response = $client->get('http://localhost:8000/sanctum/csrf-cookie', [
            'headers' => [
                'accept' => 'application/json',
            ]
        ]);

        $cookies = $response->getHeader('set-cookie');
      //$cookies will have below array
     array:3 [
         0 => "XSRF-TOKEN=dsdsdsdsd"
         1 => "dsdsd_session=sdsdsdsds"
         2 => "4sdsdsdsd"
      ]
					
        $response2 = $client->post('http://localhost:8000/api/user/updated', [
            'headers' => [
                'cookie' => $request->header('cookie'),
                'referer' => 'http://localhost:5003',
                'accept' => 'application/json',
                'X-XSRF-TOKEN' => $cookies['0']
            ]
        ]);

@nipun yes it won't work that way because the cookies[0] is false, plus sanctum is looking for X-CSRF-TOKEN header and not X-XSRF-TOKEN update your code like this and give it a try

        $response2 = $client->post('http://localhost:8000/api/user/updated', [
            'headers' => [
                'referer' => 'http://localhost:5003',
                'accept' => 'application/json',
                'X-CSRF-TOKEN' => csrf_token() // the important header that causing the 419 error
            ]
        ]);

@OussamaMater thanks. Tried this one before when you mentioned csrf_token() in a previous answer. But still Im getting the error. also tries the below code as well. Really appreciate you help on this

headers' => [
                'accept' => 'application/json',
                'cookie' => $request->header('cookie'),
                'referer' => $request->header('referer'),
                'X-XSRF-TOKEN' => $request->header('X-XSRF-TOKEN'),
                'X-CSRF-TOKEN' => $request->header('X-CSRF-TOKEN'),
            ]

@nipun the code does not make sense to me, you see, you are SETTING header to be sent with your request, and while SETTING them you're using the header() method that's used to retrieve headers, so these fields will be null most likely as you're SENDING a request and not RECEIVING one.

reference: https://laravel.com/docs/9.x/requests#request-headers

@OussamaMater Thanks. But I'm trying this with laravel 6.2. https://laravel.com/docs/6.x/passport#passing-the-access-token

@nipun You are using sanctum, that's the passport docs, and the header name should be same for both Laravel 9 and Laravel 6, you should not be using header() method as it's used to retrieve data, the reference to show you an example.

@OussamaMater thanks. ill refer your links. looks like need to understand core first. thanks you very much for your support @oussamamater

@nipun here's a good youtube video to get you started (he is using sanctum on Laravel 8, but should be the same).

• https://www.youtube.com/watch?v=MT-GJQIY3EU

Happy to help!

@OussamaMater thanks, man. definitely Ill update this as soon as I fix my issue. Thank you

@marcosdipaolo well because based on the replies that's what he needed :)

And no, if you want to use cookies you can't , you need to flow the workflow set by Laravel (refer to the docs), and it's a bad idea anywhere, why would you?

@OussamaMater what do you mean, protectiong with sanctum a post route?

@OussamaMater You might right, POST request are not suppossed to be protected. app/Http/Middleware/VerifyCsrfToken.php

protected function isReading($request): bool
{
    return in_array($request->method(), ['HEAD', 'GET', 'OPTIONS']);
}

I guess I'll add POST by now

@marcosdipaolo it's better not to mess with that..