VerifyCsrfToken always called when route to API Middleware Laravel 5.2.35

Question

I have two similiar Laravel project. This is part code of kernel.php. Both projects have same code.

protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
    ],
    'api' => [
        'throttle:60,1',
    ],
];

But, VerifyCsrfToken always be called although I put my route inside api middlewareGroup.

I check request header in Advanced REST Client. I found this.

First project result :

Second project result :

First result has cookie attribute in request header, but second result doesn't have

tough to say without seeing the controller code that is producing these responses. Refer to https://laravel.com/docs/master/responses — Jeff, May 31 '16 at 15:35
@Jeff I attached Request screenshot instead of Response screenshot — Daniel Listyo Emanuel, May 31 '16 at 15:53

score 1 · Answer 1 · answered May 31 '16 at 20:56

1

You can skip csrf token check for all your api links in app/Http/Middleware/VerifyCsrfToken.php by adding the URIs to the $except property. Example:

protected $except = [
    '/api/*'
];

answered May 31 '16 at 20:56

Bushikot

783
3
10
26

Your answer is true. But I am curious about everything. Because everything is similar. The second project doesn't have exception variable, but it can except csrftoken. – Daniel Listyo Emanuel Jun 01 '16 at 01:08
Both projects has same SESSION_DRIVER value in your .env file? Check your session settings, possibly you store it in file, but forget to set permissions correctly. – Bushikot Jun 01 '16 at 07:13

score 0 · Answer 2 · answered May 31 '16 at 18:23

0

Use routes without any middleware and it will not require csrf token anymore.

answered May 31 '16 at 18:23

Laravel User

1,111
1
8
24

score 0 · Accepted Answer · answered May 31 '16 at 19:40

0

All the routes in routes.php are included in a route group which has the 'web' middleware applied. You should probably create another routes file and have the RouteServiceProvider load those in a group with 'api' and without the 'web' middleware applied.

If you open up your RouteServiceProvider you will see where this is happening. Check the map method to see it calling mapWebRoutes.

answered May 31 '16 at 19:40

lagbox

48,571
8
72
83

I don't know my first `RouteServiceProvider.php` and second `RouteServiceProvider.php` has different code – Daniel Listyo Emanuel Jun 01 '16 at 02:43

VerifyCsrfToken always called when route to API Middleware Laravel 5.2.35

3 Answers3

Linked