Why does the Laravel API return a 419 status code on POST and PUT methods?

I am trying to create a RESTful API by using Laravel. I have created my controller using php artisan make:controller RestController and this is my controller code:

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class RestController extends Controller
{
    private $arr = array(
        array("name" => "jon", "family" => "doe"),
        array("name" => "jhon", "family" => "doue")
    );

    public function index()
    {
        return json_encode($this->arr);
    }

    public function store(Request $request)
    {
        return "oops!!";
    }

    public function update(Request $request, $id)
    {
        return "test";
    }
}

I have added this line of code to create this route in my routes/web.php file:

Route::resource('person', 'RestController'); 

When I test this API with GET /person it works fine, but on POST and PUT I get a 419 status code from Laravel.

Navid_pdp11 asked Sep 17 '17 16:09



2 Answers

If you are developing REST APIs, you had better not add tokens. If you are using 5.4 or 5.5 you can use api.php instead of web.php. In api.php you don't need token verification on POST requests.

If you are using web.php, then you can exclude routes that you don't want to validate with CSRF tokens.

Here is the official documentation:

Excluding URIs From CSRF Protection

Sometimes you may wish to exclude a set of URIs from CSRF protection. For example, if you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your Stripe webhook handler route from CSRF protection since Stripe will not know what CSRF token to send to your routes.

Typically, you should place these kinds of routes outside of the web middleware group that the RouteServiceProvider applies to all routes in the routes/web.php file. However, you may also exclude the routes by adding their URIs to the $except property of the VerifyCsrfToken middleware:

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'stripe/*',
        'http://example.com/foo/bar',
        'http://example.com/foo/*',
    ];
}

For reference https://laravel.com/docs/5.5/csrf

Vision Coderz answered Sep 18 '22 12:09


As per my knowledge, there are two methods to solve this:

Method 1: Add CSRF Token

Method 2: Exclude URIs from CSRF protection

How to use

Method 1: Add one more variable to your POST request

_token: "{{ csrf_token() }}" 

Example for Ajax

var req = $.ajax({
    type: "POST",
    url: "/search",
    data: {
        "key": "value",
        _token: "{{ csrf_token() }}",
    },
    dataType: "text",
    success: function(msg) {
        // ...
    }
});

Example if you are using forms

<input type="hidden" name="_token" id="token" value="{{ csrf_token() }}"> 

Method 2: There is a file named VerifyCsrfToken in the following location

yourProjectDirectory/app/Http/Middleware 

Add your URL in the following method:

protected $except = [
    'url1/',
    'url2/',
];

When To use

  • If you are the owner (full control) of the API, use Method 1, as the CSRF token adds security to your application.

  • If you are unable to add a CSRF token, as is the case if you are using third-party APIs, webhooks etc., then go for Method 2.

Puneet Verma answered Sep 17 '22 12:09
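Both answers describe the same decision: Laravel's VerifyCsrfToken middleware lets reading methods through, skips paths listed in $except, and otherwise demands a token that matches the one in the session, returning 419 when it does not. The script below is an added example, not code from the question, the answers or the Laravel project itself: it is a stand-alone PHP model of that decision so the 419 on POST /person can be reproduced and the two fixes (sending _token, or adding the path to $except) can be checked offline. The function names csrfDecision and pathIsExcepted, the request-array shape, the sample token and the $except list are all assumptions made for this illustration; they mirror the framework's behaviour but are not its code.

```php
<?php
// Added example (not from the question, the answers or Laravel): a model of
// the decision Laravel's VerifyCsrfToken middleware makes. Function names and
// the request-array layout are assumptions for this illustration.

declare(strict_types=1);

// Methods Laravel treats as "reading"; they are never CSRF-checked.
const READ_METHODS = ['HEAD', 'GET', 'OPTIONS'];

/**
 * Match a request path against the $except patterns: a trailing "*" is a
 * wildcard, and a full URL in the list is compared by its path component.
 */
function pathIsExcepted(string $path, array $except): bool
{
    $path = trim($path, '/');
    foreach ($except as $pattern) {
        if (strpos($pattern, '://') !== false) {
            $pattern = (string) parse_url($pattern, PHP_URL_PATH);
        }
        $pattern = trim($pattern, '/');
        if ($pattern === '') {
            continue;
        }
        // Turn the glob ("stripe/*") into an anchored regular expression.
        $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '$#';
        if (preg_match($regex, $path) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Decide whether a request passes the CSRF check.
 * $request models the pieces the middleware looks at: method, path, the
 * session's stored token, the request body and the request headers.
 * Returns 200 (let through) or 419 (token mismatch, "Page Expired").
 */
function csrfDecision(array $request, array $except): int
{
    $method = strtoupper($request['method']);
    if (in_array($method, READ_METHODS, true)) {
        return 200;                         // GET /person in the question
    }
    if (pathIsExcepted($request['path'], $except)) {
        return 200;                         // Method 2 in the answers
    }
    // The token may travel in the body (_token) or in the X-CSRF-TOKEN header.
    $sent = $request['body']['_token'] ?? $request['headers']['X-CSRF-TOKEN'] ?? null;
    $expected = $request['session']['_token'] ?? null;
    if (!is_string($sent) || !is_string($expected) || $sent === '') {
        return 419;                         // POST /person in the question
    }
    // Constant-time comparison so token guessing does not leak timing.
    return hash_equals($expected, $sent) ? 200 : 419;
}

// Constructed sample requests (not captured from a real application).
$session = ['_token' => 'session-token-example'];
$cases = [
    'GET /person, no token'          => ['method' => 'GET',  'path' => '/person',        'session' => $session, 'body' => [],                                  'headers' => []],
    'POST /person, no token'         => ['method' => 'POST', 'path' => '/person',        'session' => $session, 'body' => ['name' => 'jon'],                   'headers' => []],
    'POST /person, matching _token'  => ['method' => 'POST', 'path' => '/person',        'session' => $session, 'body' => ['_token' => 'session-token-example'], 'headers' => []],
    'PUT /person/1, header token'    => ['method' => 'PUT',  'path' => '/person/1',      'session' => $session, 'body' => [],                                  'headers' => ['X-CSRF-TOKEN' => 'session-token-example']],
    'POST /person, stale token'      => ['method' => 'POST', 'path' => '/person',        'session' => $session, 'body' => ['_token' => 'stale-token'],         'headers' => []],
    'POST /stripe/webhook, excepted' => ['method' => 'POST', 'path' => '/stripe/webhook', 'session' => $session, 'body' => [],                                  'headers' => []],
];

// Assumed $except list, shaped like the one in the documentation quoted above.
$except = ['stripe/*'];

foreach ($cases as $label => $request) {
    printf("%-32s -> %d\n", $label, csrfDecision($request, $except));
}
```

Run it with `php csrf_model.php`. The first case passes because GET is a reading method; the second is the question's situation (POST with no token) and yields 419; the third and fourth show Method 1 working whether the token is sent in the body or in the X-CSRF-TOKEN header; the fifth shows that a token from an old session also yields 419, which is why the error is labelled "Page Expired"; the last shows Method 2, where the path is excepted. Routes declared in routes/api.php run under the stateless api middleware group rather than web, so this check is never applied to them, which is the first answer's point.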