
Postman 419 CSRF token mismatch but frontend OK?

AndrewMatthew (OP):

Hi,

As the title implies, I'm testing an API I've created in Laravel 8 in Postman and when I submit any 'POST' request, I'm getting a 419 CSRF token mismatch error. I have a frontend that I'm creating alongside the API which is built using NuxtJS and this is working perfectly fine when I use it to log in?

From what I can tell looking at the request/response in Postman, the 'Set-Cookie' header I get as a response from the '/sanctum/csrf-cookie' endpoint is setting the cookies but not sending them out in the subsequent request to the '/login' endpoint. Below are the requests/responses.

If anyone could point me in the relevant direction that would be much appreciated. If any more information is needed let me know and I'll update the question accordingly.

GET '/sanctum/csrf-cookie' Request:

User-Agent: PostmanRuntime/7.28.3
Accept: */*
Postman-Token: fbdab330-25c9-4d74-b5a1-fe9759d53c5a
Host: client-api.foobar.local
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

Response:

Date: Tue, 21 Sep 2021 10:47:59 GMT
Server: Apache/2.4.46 (Win64) PHP/8.0.2
X-Powered-By: PHP/8.0.2
Cache-Control: no-cache, private
Vary: Origin
Set-Cookie: XSRF-TOKEN=eyJpdiI6Ik13UnFudHZLMFRQcHpOTnFJdi9jb3c9PSIsInZhbHVlIjoiVlRjbFNTNEJEV1VNNjhmTUhDd2FYYy9MeURrUlZyZGlYWVRqdnQ2Nko3cVRZVTBnRzBHT3Y0a1VKZCtKVVkzRnZGN1V3eVBhUUxmSi9LSTAyWlBZLzZWNUxtRmMxZFlQUjQzY3dsUThROVEreDVvQTdlTVhFZ044UTM0eFdrc1IiLCJtYWMiOiJkMzgzMjQwZTEzZGY1ZjczMzg4MmI1Njk0ZTMyYjZmMjExNzY2NjY0Mzk3MzU1YzdhY2ZiMjkyYjk4MjBhNWZiIiwidGFnIjoiIn0%3D; expires=Tue, 21-Sep-2021 12:47:59 GMT; Max-Age=7200; path=/; domain=.foobar.local; samesite=lax
Set-Cookie: client_api_headless_api_session=eyJpdiI6IkVmbFkzWS9UVnYxWDRtUXlsUWoxbEE9PSIsInZhbHVlIjoiWDdwYjBVM3JRaWlXS2FNM3NWLzdScmxCSDZ5cU9ZNk5HLzJjRXZoVWpWL3pWSlplcjUvcCsvRnY1NGx5QnRWUE54K1lkZE9KaUd5dDFleU1uUUJHL2VYUkJhTkFDbWtORnpqbENpOVUra0crZEc0Ym93c2xnNjh5NkZpNWxraksiLCJtYWMiOiI3YmU5NGQzNmQ5YzVkNmEzZDkwNTJmMjIxM2UzYjEwNDIxN2MxMDE4ZTgyNWU1ZjM0M2QzNmU3ZjNkYmViNGZlIiwidGFnIjoiIn0%3D; expires=Tue, 21-Sep-2021 12:47:59 GMT; Max-Age=7200; path=/; domain=.foobar.local; httponly; samesite=lax
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

POST '/login' Request:

Referer: client.foobar.local:3000
Accept: application/json
X-XSRF-TOKEN: eyJpdiI6Ik13UnFudHZLMFRQcHpOTnFJdi9jb3c9PSIsInZhbHVlIjoiVlRjbFNTNEJEV1VNNjhmTUhDd2FYYy9MeURrUlZyZGlYWVRqdnQ2Nko3cVRZVTBnRzBHT3Y0a1VKZCtKVVkzRnZGN1V3eVBhUUxmSi9LSTAyWlBZLzZWNUxtRmMxZFlQUjQzY3dsUThROVEreDVvQTdlTVhFZ044UTM0eFdrc1IiLCJtYWMiOiJkMzgzMjQwZTEzZGY1ZjczMzg4MmI1Njk0ZTMyYjZmMjExNzY2NjY0Mzk3MzU1YzdhY2ZiMjkyYjk4MjBhNWZiIiwidGFnIjoiIn0=
Content-Type: application/json
User-Agent: PostmanRuntime/7.28.3
Postman-Token: ed2b9b7e-c6f4-4f90-a753-da394ac9e0bc
Host: client-api.foobar.local
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 63

Response:

Date: Tue, 21 Sep 2021 10:47:59 GMT
Server: Apache/2.4.46 (Win64) PHP/8.0.2
X-Powered-By: PHP/8.0.2
Cache-Control: no-cache, private
Vary: Origin
Set-Cookie: client_api_headless_api_session=eyJpdiI6IlQ3S1ErczF2T2xBeWxYdXBoSlZYMUE9PSIsInZhbHVlIjoid1JmS0x2YmJsUDE3WExQMU03RkdISlgzenByaHVYd1Z3RDdZYUM1aEdTTnB2Ym5jT3hGTTQ1Vm1nRUx6RmpDU25XeU1hd3ZEcVlSemFUTDB1c2JUZ3JGcTRGdlV0WWViTXBHU0RTVzNnZlZrWDlGelR4RC82TmhHOUFVRnJPTVQiLCJtYWMiOiI3ODM1ZDkzZGU2MjI1NWMyOWMyMTczMjY5NzNiODQwYjc2M2FjNzJmODY0NGViY2ZmOGVjNzExNTFmNGI2MWMwIiwidGFnIjoiIn0%3D; expires=Tue, 21-Sep-2021 12:47:59 GMT; Max-Age=7200; path=/; domain=.foobar.local; httponly; samesite=lax
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json
sirch:

You can specify routes in your Laravel application to ignore the CSRF token check. This is done in the VerifyCsrfToken middleware.

    // app/Http/Middleware/VerifyCsrfToken.php
    protected $except = [
        '/my/route',
    ];
AndrewMatthew (OP):

@sirch Hi and thanks for the reply. Whilst this is an option, I would much prefer to stick with the correct way of doing things, especially considering how everything is working perfectly fine with the frontend but just not in Postman.

LoaiDev:

Hey, I am not sure about this, but I believe you need to send the other cookie as well, "client_api_headless_api_session", which you are not sending in your /login request. In order for Laravel to verify your token it needs to find your session, which has the token stored, but it can't because you didn't send the session cookie.

LoaiDev:

Your front end works because it sends all the cookies.
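The mechanism LoaiDev describes, and the trade-off behind sirch's `$except` suggestion, as an added example that is not code from this thread, from Laravel or from Postman. It models both halves of the Sanctum SPA handshake: a client cookie jar that does RFC 6265 domain and path matching (what the browser, and axios in the Nuxt frontend, do, and what Postman did not do for the OP), and the server-side check that VerifyCsrfToken performs, reduced to its core. Assumptions: cookie values are plain opaque strings rather than Laravel's encrypted cookies (the real middleware decrypts the X-XSRF-TOKEN header before comparing it with the token in the session, using hash_equals); the session store is an in-memory object; the two cookie names come from the post, every function name and sample value is made up here.

```javascript
// Added example (not from the original post, Laravel or Postman): a minimal
// model of the Sanctum csrf-cookie -> /login handshake. Assumption: cookie
// values are plain strings; real Laravel cookies are encrypted and the
// middleware decrypts the X-XSRF-TOKEN header before comparing it with the
// session's token (hash_equals in PHP; constantTimeEqual stands in for it).

// ---- client side: cookie jar ----------------------------------------------
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 0) throw new Error('malformed Set-Cookie: ' + line);
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null, path: '/', httponly: false };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'domain') c.domain = v.replace(/^\./, '').toLowerCase(); // leading dot is ignored
    else if (key === 'path') c.path = v;
    else if (key === 'httponly') c.httponly = true;
  }
  return c;
}

// RFC 6265 domain match: "domain=.foobar.local" covers foobar.local and every subdomain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

class CookieJar {
  constructor() { this.cookies = []; }
  store(setCookieLines, responseHost) {
    for (const line of setCookieLines) {
      const c = parseSetCookie(line);
      if (!c.domain) c.domain = responseHost.toLowerCase(); // host-only cookie
      this.cookies = this.cookies.filter(o => !(o.name === c.name && o.domain === c.domain));
      this.cookies.push(c);
    }
  }
  // The Cookie header a browser would attach to a request for host/path.
  cookieHeader(host, path) {
    return this.cookies
      .filter(c => domainMatches(host, c.domain) && path.startsWith(c.path))
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
  get(name) { const c = this.cookies.find(o => o.name === name); return c ? c.value : null; }
}

// What axios does for POST /login: attach every matching cookie and copy the
// URL-decoded XSRF-TOKEN cookie into the X-XSRF-TOKEN header.
function buildLoginRequest(jar, host) {
  const headers = { Host: host, Accept: 'application/json', 'Content-Type': 'application/json' };
  const cookie = jar.cookieHeader(host, '/login');
  if (cookie) headers.Cookie = cookie;
  const xsrf = jar.get('XSRF-TOKEN');
  if (xsrf) headers['X-XSRF-TOKEN'] = decodeURIComponent(xsrf);
  return headers;
}

// ---- server side: the CSRF check -------------------------------------------
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// sessions: session id -> { _token }, standing in for Laravel's session store.
// except: routes listed in VerifyCsrfToken::$except; they skip the check entirely.
function verifyCsrf(path, headers, sessions, except = []) {
  if (except.includes(path)) return 200;
  const cookies = Object.fromEntries((headers.Cookie || '').split('; ').filter(Boolean)
    .map(p => { const i = p.indexOf('='); return [p.slice(0, i), p.slice(i + 1)]; }));
  const session = sessions[cookies.client_api_headless_api_session];
  const sent = headers['X-XSRF-TOKEN'];
  if (!session || !sent) return 419; // no session to compare against, or no token sent
  return constantTimeEqual(session._token, sent) ? 200 : 419;
}

// Replays the thread's outcomes on constructed data that mirrors the
// csrf-cookie response in the post (same cookie names, domain and flags).
function demo() {
  const host = 'client-api.foobar.local';
  const token = 'tok+abc=';                              // constructed CSRF token
  const sessions = { sess1: { _token: token } };         // constructed session store
  const csrfCookieResponse = [
    `XSRF-TOKEN=${encodeURIComponent(token)}; Max-Age=7200; path=/; domain=.foobar.local; samesite=lax`,
    'client_api_headless_api_session=sess1; Max-Age=7200; path=/; domain=.foobar.local; httponly; samesite=lax',
  ];
  const jar = new CookieJar();
  jar.store(csrfCookieResponse, host);
  const browserLike = buildLoginRequest(jar, host);     // cookies + header, as the Nuxt frontend sends
  const postmanLike = { ...browserLike };               // header pasted by hand, cookies not sent
  delete postmanLike.Cookie;
  return {
    browserLike: verifyCsrf('/login', browserLike, sessions),
    postmanLike: verifyCsrf('/login', postmanLike, sessions),
    excepted: verifyCsrf('/login', postmanLike, sessions, ['/login']),
  };
}
```

Run with `node` and call `demo()`: the browser-like request (both cookies plus the decoded header) passes, the Postman-like request (header only, no session cookie) gets 419 exactly as in the post, and listing `/login` in `$except` turns the same cookie-less request into a 200. That last result is the trade-off with sirch's suggestion: it does not make the client send the right cookies, it removes the CSRF check from the login route, so the fix belongs on the client side (a cookie store that sends the session cookie back), which is what the OP's domain change eventually achieved in Postman.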

AndrewMatthew (OP):

@LoaiDev Hi and thanks for your response. This does seem to be the problem, but I'm confused as to why Postman isn't automatically sending the cookies across when I send the request to '/login'. As far as I'm aware, cookies that have been set for a domain will always be sent across in the header when you make a request to that domain. So with that in mind, I would have thought the cookies would be sent in the header automatically when I make any requests to my domain?

LoaiDev:

@AndrewMatthew I really don't know much about postman, I have used it before a bit but for very simple requests so I can't help you here. I only know the laravel side.

AndrewMatthew (OP), Best Answer:

I've managed to fix the issue. I found out that the issue lies with Postman not liking the ".local" domain which isn't documented anywhere! I changed all my local domains over to ".test" and everything is now working as it should. I stumbled across this article in the process which managed to point me in the right direction: https://github.com/postmanlabs/postman-app-support/issues/9541
