I am trying to trap TokenMismatchException in Laravel’s Handler.php

When I mimic a csrf token exception by temporarily removing the token from the form, the local dev version of my site shows me:

TokenMismatchException in VerifyCsrfToken.php line 68:

But when I change the render() function in Handler.php to look for the exception and handle the error, then it doesn’t work. For instance, if I replace the default code with the below for testing, and take the csrf token from the form, the system returns my 'this was not a token problem' message, and not the 'token problem' message.

```php
public function render($request, Exception $exception)
{
    if($exception instanceof TokenMismatchException) {
      return('token problem');
    }else{
      return('this was not a token problem');
    }
    return parent::render($request, $exception);
}
```

So, with the default code Laravel seems to recognize the TokenMismatchException, but with my simple test code above, it doesn’t. Can you explain to me what’s going on here?

Wittner
  • Per a comment by [DisgruntledGoat](http://stackoverflow.com/users/37947/disgruntledgoat) on [this answer](http://stackoverflow.com/a/29116516/1575353), do you have `use Illuminate\Session\TokenMismatchException;` before the class definition? – Sᴀᴍ Onᴇᴌᴀ May 09 '17 at 16:22
  • I had seen that DisgruntledGoat answer during my searching and had implemented it to no avail, so it was not in the current code. Now, by re-including the use statement AND by implementing an HTTP response as suggested by Ian, I finally can trap the exception and redirect to another page telling the user to try again, or whatever I decide. This is my first site created with Laravel - it's a learning curve coming from CodeIgniter! – Wittner May 10 '17 at 10:01

1 Answer

Chances are it's crashing because the return is expecting a \Illuminate\Http\Response from render()

```php
/**
 * Render an exception into an HTTP response.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \Exception  $exception
 * @return \Illuminate\Http\Response
 */
public function render($request, Exception $exception)
{
    if($exception instanceof TokenMismatchException)
        return response()->json('Token mismatch');

    return parent::render($request, $exception);
}
```

Remember to use the correct class for the Exception

```php
use Illuminate\Session\TokenMismatchException;
```

Ian
  • Basically you are returning a string, whereas it is expecting an object to be returned. – Ian May 09 '17 at 10:41
  • I understand now that the response needs to be a proper HTTP response and you have created an HTTP response with a JSON-formatted string. I am trying that and still getting 'Is NOT token mismatch'. I have appended an implementation of your code suggestion in my question above – Wittner May 09 '17 at 14:58
  • I created a simple form, removed the csrf_token field, then submitted it, it worked fine. Try dumping `$exception`, see what is being caught, it could be something completely different. – Ian May 09 '17 at 15:02
  • Thanks Ian. Because it's a json return it's a bit messy looking but I can see the first line contains: Illuminate\\Session\\TokenMismatchException: in \/home\/vagrant\/sites\/ – Wittner May 09 '17 at 15:16
  • @Wittner It sounds more and more like it's not a problem with the Exception, rather the application is throwing another exception, you need to `dd($exception)` and find out what exception is being thrown. – Ian May 09 '17 at 15:18
  • dd($exception) gives TokenMismatchException {#178 ▼ which is an object containing error information about TokenMismatch and VerifyCsrfToken... – Wittner May 09 '17 at 15:20
  • @Wittner What is your import at the top, it should be `use Illuminate\Session\TokenMismatchException;` can you confirm? – Ian May 09 '17 at 15:38
  • I'd like to mark this as the correct answer but with the inclusion suggested by @Sam Onela. Do you want to edit the answer to also include his suggestion, or I'm happy to edit it to save you the hassle and mark it as correct. – Wittner May 10 '17 at 10:03
  • @Wittner You mean the answer I gave in the above comment regarding the import? – Ian May 10 '17 at 10:05
  • "Remember to use the correct class for the Exception" - never saw it! Apologies – Wittner May 10 '17 at 12:19
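Why the missing `use` line produces 'this was not a token problem' even though `dd($exception)` shows a `TokenMismatchException`, as an added example that is not code from the question or the answer: an unqualified class name in `instanceof` is resolved against the current namespace, and `instanceof` against a class that does not exist is simply false, with no error and no autoload attempt. The `WithoutImport` and `WithImport` namespaces and the `classify()` and `resolvedName()` functions are hypothetical, and the `Illuminate\Session\TokenMismatchException` class defined here is a stand-in so the script runs without Laravel.

```php
<?php
// Added example: plain PHP, run with `php file.php`. No Laravel needed.

namespace Illuminate\Session {
    // Stand-in for Laravel's real exception class (assumption for this demo).
    class TokenMismatchException extends \Exception {}
}

namespace App\Exceptions\WithoutImport {
    // Hypothetical handler file that has no `use` statement.
    function resolvedName(): string
    {
        // ::class is resolved at compile time, even for a class that does not exist.
        return TokenMismatchException::class;
    }

    function classify(\Exception $e): string
    {
        // The name resolves inside this namespace, no such class exists,
        // and instanceof quietly evaluates to false.
        return $e instanceof TokenMismatchException
            ? 'token problem'
            : 'this was not a token problem';
    }
}

namespace App\Exceptions\WithImport {
    use Illuminate\Session\TokenMismatchException;

    function resolvedName(): string
    {
        return TokenMismatchException::class;
    }

    function classify(\Exception $e): string
    {
        // With the import, the same source line tests against the real class.
        return $e instanceof TokenMismatchException
            ? 'token problem'
            : 'this was not a token problem';
    }
}

namespace {
    // The exception object is identical in both cases; only name resolution differs.
    $e = new \Illuminate\Session\TokenMismatchException();
    echo \App\Exceptions\WithoutImport\resolvedName(), ' => ', \App\Exceptions\WithoutImport\classify($e), PHP_EOL;
    echo \App\Exceptions\WithImport\resolvedName(), ' => ', \App\Exceptions\WithImport\classify($e), PHP_EOL;
}
```

In a real `Handler.php`, writing the fully qualified `\Illuminate\Session\TokenMismatchException` in the `instanceof` test has the same effect as adding the `use` line.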