PHPFixing

Thursday, February 3, 2022

[FIXED] PHP-Laravel5 except csrf from another website

Tags: laravel, laravel-5, laravel-5.1, php

Issue

I've tried to exclude requests from one localhost server (http://localhost:8080/order/placeorder) to another localhost server (http://localhost:8000). I don't want to disable all CSRF protection by removing \App\Http\Middleware\VerifyCsrfToken::class in Illuminate\Foundation\Http\Kernel.php.

I've tried to modify app/Http/Middleware/VerifyCsrfToken.php

protected $except = [
    'http://localhost:8080/*',
    'http://localhost:8080',
    '/order/placeorder/*',
    'http://localhost:8080/order/placeorder'
];

I also tried it this way:

private $openRoutes = [
    'http://localhost:8080/*',
    'http://localhost:8080',
    '/order/placeorder/*',
    'http://localhost:8080/order/placeorder'
];

public function handle($request, Closure $next)
{
    //add this condition
    foreach($this->openRoutes as $route) {

        if ($request->is($route)) {
            return $next($request);
        }
    }

    return parent::handle($request, $next);
}

But I still got this error:

TokenMismatchException in VerifyCsrfToken.php

Can anyone suggest what I should do and what I've done wrong?


Solution

The exceptions are routes within your own application that are excluded, not the URLs of servers that are requesting it. You will never put localhost, http, or any domain in these exceptions in normal circumstances. If you wish for a request by an external server to be accepted, I would disable CSRF protection for the routes it is accessing (because you want a cross-site request, that's what CSRF prevents).

For example, if you want any external server to be able to send a POST request to /order/placeorder, you would simply add that route to the exclusion. You also need to add any other route you want it to be able to access. If there are a lot, there are other more manageable ways to do this with middleware as well.

To authenticate the server making the request, it should send a token to verify itself. You can create a static token for this purpose (like an API key), or possibly use an OAuth implementation of some sort with access/refresh tokens - there is a package for Laravel for this that makes it easy.



Answered By - Brynn Bateman
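
The approach from the answer, as an added example that is not part of the original answer: the receiving application on localhost:8000 excludes its own path from CSRF verification and checks a static token on that route instead. The class name VerifyPartnerToken, the X-Partner-Token header, the services.partner.token config key, the partner.token alias and OrderController are assumptions made for this example; it also assumes PHP 5.6 or later for hash_equals(), and in a real project each class goes in its own file.

```php
<?php
// File 1: app/Http/Middleware/VerifyCsrfToken.php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    // Entries are paths inside this application, matched against the
    // request path: no scheme, no host, no leading slash. The URL of the
    // server that sends the request (localhost:8080) never appears here.
    protected $except = [
        'order/placeorder',
    ];
}

// File 2: app/Http/Middleware/VerifyPartnerToken.php (hypothetical name)
// Replaces the CSRF check on the excluded route with a shared secret.
class VerifyPartnerToken
{
    public function handle($request, Closure $next)
    {
        // Assumed config key, populated from .env and never hard-coded.
        $expected = (string) config('services.partner.token');

        // Assumed header name; the calling server sends its token here.
        $presented = (string) $request->header('X-Partner-Token');

        // Fail closed if no secret is configured, and compare in constant
        // time so response timing does not leak how much of a guess matched.
        if ($expected === '' || ! hash_equals($expected, $presented)) {
            abort(403);
        }

        return $next($request);
    }
}

// Wiring (Laravel 5.1 style, names assumed):
//   app/Http/Kernel.php, $routeMiddleware:
//     'partner.token' => \App\Http\Middleware\VerifyPartnerToken::class,
//   app/Http/routes.php:
//     Route::post('order/placeorder',
//         ['middleware' => 'partner.token', 'uses' => 'OrderController@placeOrder']);
```

Only the excluded path loses CSRF verification; every other route still goes through VerifyCsrfToken as before.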