I'm trying to implement Slack Actions in Slack with Laravel as the endpoint.
In Slack, I set up the request URL as well as registering an action.
The button appears in Slack.
With Laravel I made a simple route for testing the Slack payload like this:
Route::post('slack-payload', function (Illuminate\Http\Request $request) {
    // Slack sends the interaction as a form field named "payload" (a JSON string).
    // The closure must type-hint Request to receive it; an untyped $payload
    // argument is not something the router can resolve.
    dd($request->input('payload'));
})->name('slack-payload');
But when I press my custom action, on the Laravel side I receive a 419 unknown status.
I'm guessing it's because of the token missing from Slack that Laravel wants. So I added my route to the $except of the VerifyCsrfToken middleware.
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    // URIs that are excluded from CSRF verification
    protected $except = [
        'slack-payload',
    ];
}
But now I'm having a 500 Internal Server Error ...
I'm using Laravel Passport for API authentication.
This is my stack:
ReactJs (front-end)
Laravel (backend - API)
Currently I'm giving Personal Access Tokens directly to users like this, and after getting the token users can access protected routes as usual:
public function login(LoginRequest $request)
{
    $request->authenticate(); // authenticates the user based on $request->email and $request->password
    /** @var User $user */
    $user = Auth::user();
    $token = $user->createToken('auth'); // Passport personal access token
    return response([
        'message' => 'success',
        'user' => $user,
        'token' => $token->accessToken,
    ]);
}
It works fine, but the problem now is that anyone can get their token directly using tools like Postman and use that token to access protected routes, which I don't want.
I only want the users to access the routes via my whitelisted frontends, like a React.js SPA etc.
I read some articles suggesting to whitelist our domains in config/cors.php; it works for modern browsers, but tools like Postman would still work. :(
Is there any way I can achieve this?
Thank you so much for reading.
You can check that part of the docs: https://laravel.com/docs/9.x/passport#consuming-your-api-with-javascript. I think you can protect your API with that middleware solution.
I'm building a shopping cart SPA using Laravel and Vue.
Vue communicates with Laravel via the API, which is not stateless, as I'm using Sanctum for cookie-based session authentication.
For guest users I want to store the cart info in a cookie. So I'm trying to set a cookie via a middleware I created, with the following handle() method:
public function handle(Request $request, Closure $next)
{
    // Only issue the cookie when the request did not already carry one.
    if (!$request->cookie('cart_id')) {
        $cart_id = "some value";
        // Attach the cookie to the outgoing response, not the request.
        return $next($request)->cookie(cookie()->forever('cart_id', $cart_id));
    }
    return $next($request);
}
I added this middleware to both the 'api' and 'web' groups, but it doesn't seem to add the cookie no matter how many page requests I make.
Would appreciate some help with this. Thanks.
I am testing a webhook with the payment gateway Paystack using ngrok and spatie webhook-client, with my route in routes/api.php, and I keep getting 404 Not Found as the status response when the event is triggered. But if the webhook route is moved to the web.php route file I get response 419 unknown state. I don't know why.
Please, I am new to all this, just following along to learn.
**Route in api.php**
Route::webhooks('paystack-webhook');
and VerifyCsrfToken.php
protected $except = [
    'https://17c5dbf1bd87.ngrok.io/paystack/webhook',
];
webhook-client.php
<?php
return [
    'configs' => [
        [
            /*
             * This package supports multiple webhook receiving endpoints. If you only have
             * one endpoint receiving webhooks, you can use 'default'.
             */
            'name' => 'default',
            /*
             * We expect that every webhook call will be signed using a secret. This secret
             * is used to verify that the payload has not been tampered with.
             */
            'signing_secret' => env('PAYSTACK_SECRET_KEY'),
            /*
             * The name of the header containing the signature.
             */
            'signature_header_name' => 'x-paystack-signature',
            /*
             * This class will verify that the content of the signature header is valid.
             *
             * It should implement \Spatie\WebhookClient\SignatureValidator\SignatureValidator
             */
            'signature_validator' => App\Handler\CustomSignatureValidator::class,
            /*
             * This class determines if the webhook call should be stored and processed.
             */
            'webhook_profile' => \Spatie\WebhookClient\WebhookProfile\ProcessEverythingWebhookProfile::class,
            /*
             * This class determines the response on a valid webhook call.
             */
            'webhook_response' => \Spatie\WebhookClient\WebhookResponse\DefaultRespondsTo::class,
            /*
             * The classname of the model to be used to store call. The class should be equal
             * or extend Spatie\WebhookClient\Models\WebhookCall.
             */
            'webhook_model' => \Spatie\WebhookClient\Models\WebhookCall::class,
            /*
             * The class name of the job that will process the webhook request.
             *
             * This should be set to a class that extends \Spatie\WebhookClient\ProcessWebhookJob.
             */
            'process_webhook_job' => App\Handler\ProcessWebhook::class,
        ],
    ],
];
ProcessWebhook.php
<?php
//App/Handler/ProcessWebhook.php
namespace App\Handler;

use Spatie\WebhookClient\ProcessWebhookJob;

// The class extends "ProcessWebhookJob", as that is the class that handles
// the job of processing our webhook before we have access to it.
class ProcessWebhook extends ProcessWebhookJob
{
    public function handle()
    {
        // $this->webhookCall is the stored WebhookCall model; its payload
        // attribute is already the decoded request body.
        $data = $this->webhookCall->payload;
        // Do something with the event
        logger($data);
        // No HTTP response is sent from here: the package already answered
        // Paystack with the webhook_response class before this queued job ran.
    }
}
CustomSignatureValidator.php
<?php
//App/Handler/CustomSignatureValidator.php
namespace App\Handler;

use Illuminate\Http\Request;
use Spatie\WebhookClient\Exceptions\WebhookFailed;
use Spatie\WebhookClient\WebhookConfig;
use Spatie\WebhookClient\SignatureValidator\SignatureValidator;

// The class name must match the file name and the 'signature_validator'
// entry in webhook-client.php, otherwise the class cannot be autoloaded.
class CustomSignatureValidator implements SignatureValidator
{
    public function isValid(Request $request, WebhookConfig $config): bool
    {
        $signature = $request->header($config->signatureHeaderName);
        if (! $signature) {
            return false; // no signature header: reject the call
        }
        $signingSecret = $config->signingSecret;
        if (empty($signingSecret)) {
            throw WebhookFailed::signingSecretNotSet();
        }
        // Paystack signs the raw request body with HMAC-SHA512 using the secret key.
        $computedSignature = hash_hmac('sha512', $request->getContent(), $signingSecret);
        // Constant-time comparison of the two hex digests.
        return hash_equals($signature, $computedSignature);
    }
}
[Screenshots of the response and of the route list were attached here.]
You are mismatching some things here. Let's say you want to handle the webhook through web; then you have to put a route in your web.php file (make sure to put it at the bottom of your route file if you use domain routing, or to be safe just put it at the bottom).
Route::webhooks('paystack/webhook');
Then add that route to your VerifyCsrfToken middleware's $except:
protected $except = [
    'paystack/*',
];
And then your webhook URL for Paystack will be
ngrok-generated-host/paystack/webhook
Now if you want to handle it through the API, then put the route in the api.php file:
Route::webhooks('paystack/webhook');
You need not put it in the $except of the VerifyCsrfToken middleware, as it will be handled by the api group, and your webhook URL for Paystack will be
ngrok-generated-host/api/paystack/webhook
Try to change 'signing_secret' to empty => ''.
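Once a webhook route is exempted from CSRF, as in the Slack and Paystack questions above, any client can POST to it, so the HMAC check in CustomSignatureValidator is the control that remains. This added example (not code from the posts or from the spatie package) reproduces that check without Laravel on a constructed body, and shows that a tampered body, a missing header, a re-encoded body and an empty secret must all fail; the function name, secret and sample body are assumptions for the demo.

```php
<?php
// Added example: the page's validator logic without Laravel, to show what the
// check accepts and rejects. Function name, secret and body are constructed here.

function verifyPaystackSignature(string $rawBody, ?string $headerSignature, string $secret): bool
{
    if ($headerSignature === null || $headerSignature === '') {
        return false;                       // no x-paystack-signature header: reject
    }
    if ($secret === '') {
        throw new RuntimeException('signing secret not set'); // misconfiguration, not a bypass
    }
    $expected = hash_hmac('sha512', $rawBody, $secret);
    return hash_equals($expected, $headerSignature); // constant-time comparison
}

// Constructed sample: the raw bytes Paystack would send and the header it would compute.
$secret  = 'sk_test_PLACEHOLDER_SECRET';
$rawBody = '{"event": "charge.success", "data": {"amount": 50000, "reference": "ref_123"}}';
$header  = hash_hmac('sha512', $rawBody, $secret);

$cases = [
    'valid request'   => [$rawBody, $header],
    'tampered body'   => [str_replace('50000', '1', $rawBody), $header],
    'missing header'  => [$rawBody, null],
    // Re-serialising the decoded JSON changes the bytes, so the signature no longer
    // matches: always hash $request->getContent(), never a re-encoded array.
    're-encoded body' => [json_encode(json_decode($rawBody, true)), $header],
];
foreach ($cases as $name => [$body, $sig]) {
    printf("%-16s %s\n", $name, verifyPaystackSignature($body, $sig, $secret) ? 'accepted' : 'rejected');
}

try {
    verifyPaystackSignature($rawBody, $header, '');
} catch (RuntimeException $e) {
    echo "empty secret     error: {$e->getMessage()}\n";
}
```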
I am using the PayTabs payment gateway API. In that API, a redirect URL has to be given, so that once the transaction is completed, the page redirects automatically to your given redirect URL. The URL was a GET URL, but since the response of the API comes as a POST type, I was unable to use a GET URL. To resolve that issue, I made that route a POST URL, but by making it a POST method I am not getting any CSRF token. In the end, I get this issue:
TokenMismatchException in VerifyCsrfToken.php line 68:
Is there any way by which I could disable the CSRF token functionality for only a single POST URL?
--SUGGESTION TRIED--
I did this as per your suggestion
// The Middleware alias must be imported, or PHP reports "Class 'Middleware' not found".
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    protected $except = [
        'signup/complete',
    ];
}
and now getting
Class 'Middleware' not found
From the docs:
Typically, you should place these kinds of routes outside of the web middleware group that the RouteServiceProvider applies to all routes in the routes/web.php file. However, you may also exclude the routes by adding their URIs to the $except property of the VerifyCsrfToken middleware:
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    // Each entry is matched against the request path and the full URL; '*' is a wildcard.
    protected $except = [
        'stripe/*',
        'http://example.com/foo/bar',
        'http://example.com/foo/*',
    ];
}
You can add an exception in the CSRF middleware. Go to app/Http/Middleware/VerifyCsrfToken.php:
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    protected $except = [
        'route url1',
        'route url2',
    ];
}
For localhost:
In your project folder edit /app/Http/Middleware/VerifyCsrfToken.php:
protected $except = [
    //
    'http://localhost/blog/return_url', // your url
];
I am working on a Laravel project and want to use the front-end tool Postman to post data to a particular controller function. But I get the error
TokenMismatchException in VerifyCsrfToken.php
How do I bypass this error, or how do I submit the values with a CSRF token?
You can bypass this error by adding '*' to the $except array in your App\Http\Middleware\VerifyCsrfToken class as:
protected $except = [
    '*',
];
OR
You can remove \App\Http\Middleware\VerifyCsrfToken::class from the $middlewareGroups array in the App\Http\Kernel class.
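The $except lists in the answers above behave differently: 'paystack/*' covers one path prefix, a full ngrok URL covers exactly one request, and '*' turns the check off for every POST in the application, including routes that were never meant to be exempt. This added example (not Laravel's own code) re-implements the matching that VerifyCsrfToken::inExceptArray() applies, so each pattern can be tried against constructed requests without booting Laravel; the request list and function names are assumptions for the demo.

```php
<?php
// Added example (not Laravel's code): stand-alone re-implementation of the matching
// behind VerifyCsrfToken::inExceptArray(), run over constructed requests.

// Laravel's Str::is(): exact match, or '*' as a wildcard for any run of characters.
function patternMatches(string $pattern, string $value): bool
{
    if ($pattern === $value) {
        return true;
    }
    $regex = str_replace('\*', '.*', preg_quote($pattern, '#'));
    return preg_match('#^' . $regex . '\z#u', $value) === 1;
}

// inExceptArray(): each entry is trimmed of slashes, then tried against the full
// URL (fullUrlIs) and against the request path without its leading slash (is).
function isCsrfExempt(array $except, string $fullUrl, string $path): bool
{
    $path = trim($path, '/') ?: '/';
    foreach ($except as $pattern) {
        if ($pattern !== '/') {
            $pattern = trim($pattern, '/');
        }
        if (patternMatches($pattern, $fullUrl) || patternMatches($pattern, $path)) {
            return true;
        }
    }
    return false;
}

// Constructed requests using the hosts that appear in the questions above.
$requests = [
    ['https://17c5dbf1bd87.ngrok.io/paystack/webhook',     '/paystack/webhook'],
    ['https://17c5dbf1bd87.ngrok.io/api/paystack/webhook', '/api/paystack/webhook'],
    ['http://localhost/blog/return_url',                   '/blog/return_url'],
    ['http://localhost/admin/users/delete',                '/admin/users/delete'],
];
$exceptLists = [
    "'paystack/*'"                    => ['paystack/*'],
    'full ngrok URL'                  => ['https://17c5dbf1bd87.ngrok.io/paystack/webhook'],
    "'*' (every POST becomes exempt)" => ['*'],
];
foreach ($exceptLists as $label => $except) {
    echo $label, "\n";
    foreach ($requests as [$url, $path]) {
        printf("  %-52s %s\n", $url, isCsrfExempt($except, $url, $path) ? 'EXEMPT' : 'CSRF checked');
    }
}
```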