Laravel CSRF protection with REST API

Question

I have this code at the top of my routes file

Route::when('*', 'csrf', array('post', 'put', 'delete'));

When I testing my RESTful API layer I get token mismatch error. How to solve this?

I use CSRF protection for regular form submissions a user might do. But how would that work for an API? I have my API calls grouped after my regular routes as below

Route::group(array('prefix' => 'api'), function () {
Route::resource('shows', 'ShowsApiController');
Route::resource('episode', 'EpisodesApiController');
Route::resource('genre', 'GenresApiController');
});

score 10 · Accepted Answer · answered May 10 '16 at 11:11

10

In your App\Http\Middleware\VerifyCsrfToken

you will have such a class, add your routes to the $except

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
  protected $except = [
    'shows/*',
    'episode/*',
    'genre/*',
  ];
}

answered May 10 '16 at 11:11

Achraf Khouadja

6,119
4
27
39

It's OK to add csrf exceptions, but this is not the right way to deal with API. Why this is not the right way to do API: cookies will be added to response - breaking stateless concept; laravel will try to start session - loosing some expensive time; You will have to do two times more testing when adding new middleware in web group; If You think about throttling, eventually You will need to migrate to API middleware group. Just my two cents. – Giedrius Kiršys May 13 '16 at 14:40
2

to me, it seems like you have a better solution, yet sometimes people dosent care about the "stateless concept" or (INSERT A COMPLICATED BEST PRACTICE TERM HERE) , im not saying that they are bad or something but working with small apps dosent need to make things a bit more complicated – Achraf Khouadja May 13 '16 at 23:09
1

I agree with You about small apps, keeping them simple is crucial. But here comes another important part: if You are doing everything as simple as possible, then You are not improving Your skills. As a programmer I can say, that when I try to change something; do something differently, than always, I learn a lot. Cheers! – Giedrius Kiršys May 14 '16 at 07:38
Added in 5.2 but still api response same error `TokenMismatchException in VerifyCsrfToken.php line 67:` – 151291 Sep 11 '18 at 07:20

score 9 · Answer 2 · answered May 10 '16 at 09:17

You should consider using different middleware groups for Your web and api layers. Laravel by default, depending on version You are using, uses web middleware group.

If You are not having line like this Route::group(['middleware' => 'web'], function () { in Your routes.php file, then Your laravel version is that one which uses it by default. Check Your RouteServiceProvider.php file for this line: https://github.com/laravel/laravel/blob/master/app/Providers/RouteServiceProvider.php#L56.

If presented, remove 'middleware' => 'web' part and group routes Yourself in routes.php. Then use web middleware for part where You need sessions, csrf and other stuff, and use api middleware where You don't need these things (api middleware group does not include sessions, encrypted cookies and csrf verifications).

Is there any possibility to disable in a specific controller — Vijayanand Premnath, May 10 '16 at 10:03
can you close/answer the question if you have found a solution — Achraf Khouadja, May 11 '16 at 01:17

Laravel CSRF protection with REST API

2 Answers2