Laravel CSRF protection with REST API
Question
I have this code at the top of my routes file
Route::when('*', 'csrf', array('post', 'put', 'delete'));
When I testing my RESTful API layer I get token mismatch error. How to solve this?
I use CSRF protection for regular form submissions a user might do. But how would that work for an API? I have my API calls grouped after my regular routes as below
Route::group(array('prefix' => 'api'), function () {
Route::resource('shows', 'ShowsApiController');
Route::resource('episode', 'EpisodesApiController');
Route::resource('genre', 'GenresApiController');
});
2 answers
solution1
8 ACCPTED 2016-05-10 11:11:06
In your App\\Http\\Middleware\\VerifyCsrfToken
you will have such a class, add your routes to the $except
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
protected $except = [
'shows/*',
'episode/*',
'genre/*',
];
}
solution2
6 2016-05-10 09:17:23
You should consider using different middleware groups for Your web and api layers. Laravel by default, depending on version You are using, uses web middleware group.
If You are not having line like this Route::group(['middleware' => 'web'], function () { in Your routes.php file, then Your laravel version is that one which uses it by default. Check Your RouteServiceProvider.php file for this line: https://github.com/laravel/laravel/blob/master/app/Providers/RouteServiceProvider.php#L56 .
If presented, remove 'middleware' => 'web' part and group routes Yourself in routes.php . Then use web middleware for part where You need sessions, csrf and other stuff, and use api middleware where You don't need these things ( api middleware group does not include sessions, encrypted cookies and csrf verifications).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.