Sending POST request while using jwt with laravel 5.2

0
votes

I am using jwt:auth with laravel 5.2 to authenticate in a secure manner against CSRF attacks.

You can find how to do here >> http://blog.nedex.io/create-an-api-server-for-mobile-apps-using-laravel-5-1/

I have edited the except array in VerifyCsrfToken.php middleware and added api/login and api/signup, so i can skip jwt tokens for these two actions because while i am trying to login or signup, so i still have no keys, yet.

Route::group(['prefix' => 'api'], function() {

    Route::post('login', 'Api\AuthController@login');
    Route::post('signup', 'Api\UsersController@signup');

    Route::group(['middleware' => ['jwt.auth', 'jwt.refresh']], function() {
        Route::post('logout', 'Api\AuthController@logout');

        Route::get('test', function(){
            return response()->json(['foo'=>'bar']);
        });

        Route::get('hospitals', 'Api\EmergenciesController@getHospitals');
        Route::get('emergencyDetails/{id}', 'Api\EmergenciesController@getEmergencyDetails');

        Route::get('profile/{id}', 'Api\UsersController@get_profile');
        Route::post('submit_profile/{id}', 'Api\UsersController@submit_profile_data');
        Route::post('update_property/{id}/{property}/{value}', 'Api\UsersController@update_property');

        Route::post('pregnant/{id}', 'Api\UsersController@update_is_pregnant');
    });
});

it works perfectly, when i send GET requests with ?token= But it gives me a TokenMismatchException when i try to send POST request although i am sending the token.

check the screenshots here >> https://www.dropbox.com/sh/a901epayh1liapd/AABCwxxBN4pSG735SxQlC2jha?dl=0

Why POST requests fail?? please help.!

2
laravelauthenticationjwt
how are you sending the token with POST? can you please post the code..Manoj Salvi
could you post the VerifyCsrfToken.php since that is where the error is thrown in the first place?Norgul
class VerifyCsrfToken extends BaseVerifier { /** * The URIs that should be excluded from CSRF verification. * * @var array */ protected $except = [ 'api/login', 'api/signup', ]; }Omar Ezz Ed-Dien
@Manojsalvi i am sending the token via Postman browser plugin, dropbox.com/sh/a901epayh1liapd/AABCwxxBN4pSG735SxQlC2jha?dl=0Omar Ezz Ed-Dien

2 Answers

1
votes

It happens because Laravel CSRF Protection is enabled default for all routes.You can disable it for you POST request or send CSRF token throw 'X-XSRF-TOKEN' header. But it seems that you don't have it, because you use jwt token(it isn't same). I suggest you exclude you API paths from csrf middleware :

Excluding URIs From CSRF Protection

Sometimes you may wish to exclude a set of URIs from CSRF protection. For example, if you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your webhook handler route from Laravel's CSRF protection.

You may exclude URIs by defining their routes outside of the web middleware group that is included in the default routes.php file, or by adding the URIs to the $except property of the VerifyCsrfToken middleware:

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'stripe/*',
    ];
}

Just add new paths like 

protected $except = [ 'api/login', 'api/signup', 'api'/logout' , 'api/test', 'api/hospitals']; //etc
-1
votes

For post request you need to pass _token hidden field.

<input type="hidden" name="_token" value="{{ csrf_token() }}" />