3

I've tried to exclude requests from one localhost server (http://localhost:8080/order/placeorder) to another localhost server (http://localhost:8000). I don't want to disable all CSRF protection by removing \App\Http\Middleware\VerifyCsrfToken::class in Illuminate\Foundation\Http\Kernel.php.

I've tried to modify app/Http/Middleware/VerifyCsrfToken.php

protected $except = [
    'http://localhost:8080/*',
    'http://localhost:8080',
    '/order/placeorder/*',
    'http://localhost:8080/order/placeorder'
];

And I also tried it this way:

private $openRoutes = [
    'http://localhost:8080/*',
    'http://localhost:8080',
    '/order/placeorder/*',
    'http://localhost:8080/order/placeorder'
];

public function handle($request, Closure $next)
{
    //add this condition
    foreach($this->openRoutes as $route) {

        if ($request->is($route)) {
            return $next($request);
        }
    }

    return parent::handle($request, $next);
}

But I still got this error:

TokenMismatchException in VerifyCsrfToken.php

Can anyone suggest what I should do and what I've done wrong?

1 Answer

3

The exceptions are routes within your own application that are excluded, not the URLs of servers that are requesting it. You will never put localhost, http, or any domain in these exceptions in normal circumstances. If you wish for a request by an external server to be accepted, I would disable CSRF protection for the routes it is accessing (because you want a cross-site request, that's what CSRF prevents).

For example, if you want any external server to be able to send a POST request to /order/placeorder, you would simply add that route to the exclusion. You also need to add any other route you want it to be able to access. If there are a lot, there are other more manageable ways to do this with middleware as well.

To authenticate the server making the request, it should send a token to verify itself. You can create a static token for this purpose (like an API key), or possibly use an OAuth implementation of some sort with access/refresh tokens - there is a package for Laravel for this that makes it easy.
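
The two steps described in this answer, shown together as an added example that is not part of the original answer: the CSRF exclusion lists paths of the receiving application, and a separate middleware checks a static shared token on those paths. It assumes a Laravel 5.x application on PHP 5.6 or later; the VerifyServerToken class, the X-Server-Token header and the services.orders.token config key are hypothetical names chosen for the illustration.

```php
<?php
// Added example, not code from the question or the answer.
// Each class goes in its own file (paths in the comments below); they are
// shown in one block only to keep the two steps side by side.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

// app/Http/Middleware/VerifyCsrfToken.php
class VerifyCsrfToken extends BaseVerifier
{
    // Paths of routes in THIS application: no scheme, host or port,
    // and nothing that describes the server sending the request.
    protected $except = [
        'order/placeorder',
        'order/placeorder/*',
    ];
}

// app/Http/Middleware/VerifyServerToken.php (hypothetical name)
// Register it under $routeMiddleware in app/Http/Kernel.php and attach it to
// the excluded routes, so dropping CSRF does not leave them unauthenticated.
class VerifyServerToken
{
    public function handle($request, Closure $next)
    {
        // Assumed config key; keep the secret in .env, not in source control.
        $expected = (string) config('services.orders.token');
        // Assumed header name agreed with the calling server.
        $provided = (string) $request->header('X-Server-Token');

        // Fail closed when no secret is configured, and compare in constant
        // time so response timing does not leak how much of the token matched.
        if ($expected === '' || ! hash_equals($expected, $provided)) {
            return response('Unauthorized', 401);
        }

        return $next($request);
    }
}
```

The calling server then sends the shared value in the X-Server-Token header with each POST; a static token like this should only travel over HTTPS outside of local development.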


1 Comment

hi, can you help me on this topic: stackoverflow.com/questions/34291960/…
