HTTP status code 419 when accessing Laravel api by browser
Question
I can't access my laravel api post routes at localhost by browser (script / console / dev-tools). I'm always getting HTTP 419 (Page Expired) status error. Interestingly I can access the api with success via postman.
The routes are outside of everey "auth:sanctum" group, so that this should not be the cause of failure. Because of this I also think that sessions and session config could not be the cause, could they?
// routes/api.php
Route::post('/test', function() {
return "Hello World @ POST";
}); // => HTTP 419
Route::get('/test', function() {
return "Hello World @ GET";
}); // => HTTP 200
I excluded the path from xsrf-checks, to exclude this error cause:
// VerifyCsrfToken.php
protected $except = [
'api/test',
];
The script I run in firefox console:
await fetch("http://localhost:8000/api/test", {
"method": "POST"
});
The HTTP request firefox sends to localhost:
POST /api/test HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/
Origin: http://127.0.0.1:8000
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Content-Length: 0
What can I do to get my api running in the browser?
EDIT#1
app/http/kernel.php
<?php
namespace App\Http;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
class Kernel extends HttpKernel
{
/**
* The application's global HTTP middleware stack.
*
* These middleware are run during every request to your application.
*
* @var array<int, class-string|string>
*/
protected $middleware = [
// \App\Http\Middleware\TrustHosts::class,
\App\Http\Middleware\TrustProxies::class,
\Illuminate\Http\Middleware\HandleCors::class,
\App\Http\Middleware\PreventRequestsDuringMaintenance::class,
\Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
\App\Http\Middleware\TrimStrings::class,
\Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
];
/**
* The application's route middleware groups.
*
* @var array<string, array<int, class-string|string>>
*/
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
// \Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
'api' => [
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
/**
* The application's route middleware.
*
* These middleware may be assigned to groups or used individually.
*
* @var array<string, class-string|string>
*/
protected $routeMiddleware = [
'auth' => \App\Http\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'password.confirm' => \Illuminate\Auth\Middleware\RequirePassword::class,
'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
];
}
2 answers
solution1
0 2022-11-23 23:10:30
The reason is that App\Http\Middleware\VerifyCsrfToken which parent class is the Illuminate\Foundation\Http\Middleware\VerifyCsrfToken has this code at its handle method:
public function handle($request, Closure $next)
{
if (
$this->isReading($request) ||
$this->runningUnitTests() ||
$this->inExceptArray($request) ||
$this->tokensMatch($request)
) {
return tap($next($request), function ($response) use ($request) {
if ($this->shouldAddXsrfTokenCookie()) {
$this->addCookieToResponse($request, $response);
}
});
}
throw new TokenMismatchException('CSRF token mismatch.');
}
The first check on that big if is $this->isReading($request) . That method is in charge of checking the request method you're using, and if you see its implementation:
/**
* Determine if the HTTP request uses a ‘read’ verb.
*
* @param \Illuminate\Http\Request $request
* @return bool
*/
protected function isReading($request)
{
return in_array($request->method(), ['HEAD', 'GET', 'OPTIONS']);
}
So I guess no more words needed.
Here you should ask yourself why they left out the POST method.
If you're too sure about this, you can overwrite that method at the App\Http\Middleware\VerifyCsrfToken
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* @var array<int, string>
*/
protected $except = [
//
];
protected function isReading($request): bool
{
return in_array($request->method(), ['HEAD', 'GET', 'OPTIONS', 'POST']);
}
}
You can start reading this
solution2
-1 2022-03-31 19:46:48
- Accessing from browser url
postroute won't work. Unless you do it via form
<form action="/api/test" method="POST">
<button type="submit">Submit</button>
</form>
- possible to wire it via a button/link that will submit the form hidden behind the scene
In other words, from What I am seeing you should be able to access:
- GET /api/test (browser url, browser form and postman)
- POST /api/test (browser form, postman)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.