
I have added a CSRF/XSRF token to the POST method but nothing changed.

This is the simple method with its route:

//inside controller
use App\User;
use Illuminate\Http\Request;

function newuser(Request $request)
{
    $user = new User;
    $user->email = $request->email;
    $user->name = $request->name;
    // password is stored exactly as submitted here; Laravel's auth expects Hash::make()
    $user->password = $request->password;
    $user->save();
    return "test success";
}

//route
Route::post('/adduser', 'UsersController@newuser');

This is how I am sending data from Postman:

//json
{
    "name": "myusername",
    "email": "me@me.test",
    "password": "1234567"
}

//headers inputs (postman user interface)

Content-Type => application/json
X-CSRF-TOKEN => csrfToken

When I send the request I get this status code in the response header:

419 : unknown status

Note: the GET method is working.

Is it the right way?

azdeviz

1 Answer

With VerifyCSRFToken enabled in Laravel, you will need to use cookies in Postman requests. To use cookies in your requests, see this SO Post.

The issue is that Laravel's VerifyCsrfToken middleware looks for your token in the session when matching it, as follows:

    /**
     * Determine if the session and input CSRF tokens match.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return bool
     */
    protected function tokensMatch($request)
    {
        $token = $this->getTokenFromRequest($request);

        return is_string($request->session()->token()) &&
               is_string($token) &&
               hash_equals($request->session()->token(), $token);
    }

The way that Laravel gets the session is from the cookie. So in order for Laravel to verify a CSRF token, you need to send your session id in the cookie with the request as well.

You can find the session id you want to use in the HTTP response headers: SET-COOKIE:xxx_session='sometoken'

You can then add the xxx_session=... cookie to the request you want to make.

Also, the GET method should be working as GET routes are not CSRF protected. This is one reason why you should never have GET routes that modify the state of your application.

Kurt Friars
  • Thanks, can you mention where to add this code exactly? – azdeviz Jul 17 '20 at 10:54
  • Sending the cookie with Postman is solved, but I still can't communicate with the POST method. I have added your code inside my method to handle the token, but it is still returning the same status 419 – azdeviz Jul 17 '20 at 10:58
  • @AzizMobarak You have the session in the cookie and the XSRF token in the headers? – Kurt Friars Jul 17 '20 at 10:59
  • In Postman when you authorize cookies you can send it in the header field with the key Cookie. I did it, and I have added too `SET-COOKIE:xxx_session='sometoken'` – azdeviz Jul 17 '20 at 11:04
  • @AzizMobarak You don't need SET-COOKIE in the request, that is how you can find the session from the response headers. You also need to make sure you are using the XSRF token from the same session. I.e. you make a GET request as an anonymous user to a public page, look at the response headers and determine the XSRF token and the session. Then you take those values and you can make a POST if you put the XSRF token in the headers, and the session cookie in a request cookie. – Kurt Friars Jul 17 '20 at 11:07
  • I have already read a note about that. I think I have a little mistake: I need to add it from the form manually and it will be added by Postman automatically to the header as they mention. I will follow it and see what the result is – azdeviz Jul 17 '20 at 11:10
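As an added illustration of the check the answer quotes (example code written for this page, not Laravel's own), the following Python model reproduces the middleware's decision: read-only methods are exempt, and a POST passes only when the token in the request matches the `_token` of the session resolved from the session cookie. The session store, the cookie name `xxx_session` and all token values are constructed; the encrypted X-XSRF-TOKEN path is left out.

```python
"""Model of Laravel's VerifyCsrfToken decision (added example, not framework code)."""
import hmac

# Methods Laravel's isReading() exempts from CSRF verification
READ_METHODS = {"HEAD", "GET", "OPTIONS"}

# Constructed server-side session store: session id -> session data
SESSIONS = {
    "sess-A": {"_token": "tokenA-constructed-value"},
    "sess-B": {"_token": "tokenB-constructed-value"},
}


def session_token(cookies, cookie_name="xxx_session"):
    """Resolve the session from the request cookie, as the session middleware does.

    No cookie (or an unknown id) means no session, so there is no token to compare.
    """
    data = SESSIONS.get(cookies.get(cookie_name))
    return data["_token"] if data else None


def token_from_request(headers, body):
    """Mirror getTokenFromRequest(): _token input first, then the X-CSRF-TOKEN header."""
    return body.get("_token") or headers.get("X-CSRF-TOKEN")


def verify_csrf(method, headers, cookies, body):
    """Return 200 when the request would pass the middleware, 419 otherwise."""
    if method.upper() in READ_METHODS:
        return 200  # GET routes are never CSRF-checked (hence "GET is working")
    expected = session_token(cookies)
    provided = token_from_request(headers, body)
    # Same three conditions as tokensMatch(): both strings, compared in constant time
    if not isinstance(expected, str) or not isinstance(provided, str):
        return 419
    return 200 if hmac.compare_digest(expected, provided) else 419
```

The second case below is the asker's situation: a valid-looking token in X-CSRF-TOKEN but no session cookie, so the session side of the comparison is missing and the request is rejected.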