I have created a multi auth system for Laravel and I can log in and protecting the routes (with web and admin) defined in web.php is working fine. Now I also want to do the same for the api calls in api.php. For this purpose, I have installed Passport, changed my auth.php file to passport for api, attached the token in Kernel.php and in my axios request I attach xsrf and XMLHttpRequest. But when I execute my api call I get all the time 401 Unauthorized. I have taken a look in my headers and see a laravel_token and X-XSRF-TOKEN, so I am puzzled why it is not working.. Does anybody have any idea? Thanks!
Header looks like:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: undefined
Connection: keep-alive
Cookie: XSRF-TOKEN=eyJpdiI....
DNT: 1
Host: 127.0.0.1:8000
Referer: http://127.0.0.1:8000/availability/calendar
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Mobile Safari/537.36
X-CSRF-TOKEN: 4SUDy8IJigeEBftGjTVgat7cqPSGnncA0zuSiEeI
X-Requested-With: XMLHttpRequest
X-XSRF-TOKEN: dsfjkdsfsdj.....
In my api.php:
Route::post('/userStuff', 'MyController#userstuff')
->middleware('auth:api');
And my axios request:
axios.get("/api/userStuff").then(({data}) => {
console.log(data);
});
Related
I have this form where there is an implemented Google Captcha. I don't understand why I can submit multiple POST request using the same g-recaptcha-response and without it. Is it intended to work that way?
POST /dev-test/form.php HTTP/1.1
Host:.com
Content-Length: 606
Cache-Control: max-age=0
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://sample.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://sample.com/dev-test/form.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
client_id=077&first_name=captcha-bypass-2nd-attempt&last_name=bypass-captcha-2nd-attempt&consent=true&g-recaptcha-response=
You can send as many request as you want to Google... The same way you can send unlimited mail parcel to an address, there's no mechanism to stop you from sending HTTP request to an address.
Once google receives your request, their servers will process your request and give it a score. It's your responsibility as a developer to go and get that score from google to check if a legitimate user is trying to access the site.
You will need to do that verification on the server side code of your application.
You can learn more on how google wants you to check the score at: https://developers.google.com/recaptcha/docs/verify
I have fetch api call from Vue js code which sends form-data to laravel backend
I am posting request. Please suggest how to parse this using laravel request?
POST /acapp/public/api/createmember HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,mr-IN;q=0.8,mr;q=0.7,ur-PK;q=0.6,ur;q=0.5,hi-IN;q=0.4,hi;q=0.3
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 142
Content-Type: application/json
Host: localhost
Mimetype: multipart/form-data
Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop
Postman-Token: cd1ca586-560b-fdf7-3fd6-afe2f457d676
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
------WebKitFormBoundaryoMWbAbNZyySY3vCB
Content-Disposition: form-data; name="dob"
45345345
------WebKitFormBoundaryoMWbAbNZyySY3vCB--
You don't need to parse the request. The HTTP-Request Stack of Laravel will do it automatically and call your action you defined for that url.
https://laravel.com/docs/5.7/requests
Here is a good example how to get informations from your request. So you don't have to think about that. In the documentation you can find a part how to write VUE components.
https://laravel.com/docs/5.7/frontend
i think that could help you.
I am using React With Redux and I wrote a middleware that comes in handy when I do Ajax calls in Epics. For example, to do a GET request, I have this getJSON function.
import {ajax, AjaxResponse} from "rxjs/ajax";
const getJSON = (url: string, headers?: Object): Observable<AjaxResponse> =>
ajax({
method: "GET",
url,
responseType: "json",
headers,
withCredentials: true
});
Everything seem to work fine except that Ajax does not set the headers that contains the access token.
When I step through the code, the headers object looks like this,
{
Authorization: "Bearer ey-SOME-ACCESS-TOKEN"
}
As expected... But when I look through the network calls, it does not contain the specified header with its value.
Parsed:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET
Connection: keep-alive
Host: localhost:1337
Origin: http://localhost:3000
Source:
OPTIONS /api/test HTTP/1.1
Host: localhost:1337
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Access-Control-Request-Headers: authorization
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
NOTE: Please don't mark this as duplicate. I know there are similar questions on SO, but none of them seem to work for me.
After 3 days of pulling my hairs and banging my head on the walls, I finally figure out what is the problem, but still not sure why/how. Apparently due to CORS, there is always OPTION request is made before the actual POST or GET request. Which I already knew and kinda make sense. What does not make sense to me is why the heck it does not contain the headers. If anyone can explain this to me will be eligible for the bounty on this question.
I had to made changes in my back-end to handle OPTION requests, and it seems to work for now. I can't spend more time of this.
Not sure if it's late enough, but might be useful for future readers.
You should configure your server not to expect for authorization header in OPTIONS request.
The Bearer token is used for the POST/GET/DELETE/... confirmation of identity. The OPTIONS is just a preflight to see if the current HOST is allowed to get the data back.
It's important to say that browsers most of the time remove the custom headers from the OPTIONS request, moving them into the Access-Control-Request-Headers (it's happening in your case).
Please, take a look on the official documentation here:
https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
I send a POST Ajax request to a Laravel Controller but I get a 302 Found response code.
The controller is the ForgotPasswordController provided by Laravel's Auth package, so nothing special about it.
It has the guest middleware in its constructor and I found that if I remove this middleware from the constructor, the Ajax request works correctly (it returns a 200 response code).
The Ajax request has the X-CSRF-TOKEN and X-XSRF-TOKEN headers, so I don't think there is something missing.
I'm sending this Ajax request from a VueJS password reset form with the Axios library.
Why my POST request does not work if the controller has the guest middleware ?
Here are the headers sent with the request :
POST /password/email HTTP/1.1
Host: myapp.dev
Connection: keep-alive
Content-Length: 37
Pragma: no-cache
Cache-Control: no-cache
Origin: http://myapp.dev
X-XSRF-TOKEN: eyJpdiI6IjRqTk1yTXFsXC9FVlRzckF0dUM4azdRPT0iLCJ2YWx1ZSI6IjY0MUZzaEpCTXJDcUhzUGhcL2dzYVJmalQrR3pwV3IzYWxiTSt4dVwvN2VVKzJ4b2t3XC9GcVhJcllmK3pQYVV4VGFIZG4wZ0s3NlNCTG01WEl6YzBCY2NRPT0iLCJtYWMiOiIwYmNjOTRiZGJjZTM2YjYyMWJiMzRhNTlkOTkwOWU4Y2M4NmYzYzI5NjhiMTU4MDdiMGJkMmJhYmMwODEzMDhjIn0=
X-CSRF-TOKEN: nejsetydvFWgeqppZc5XQtX04b5AdXlsTKSgaydj
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
Referer: http://myapp.dev/password
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: XSRF-TOKEN=eyJpdiI6IjRqTk1yTXFsXC9FVlRzckF0dUM4azdRPT0iLCJ2YWx1ZSI6IjY0MUZzaEpCTXJDcUhzUGhcL2dzYVJmalQrR3pwV3IzYWxiTSt4dVwvN2VVKzJ4b2t3XC9GcVhJcllmK3pQYVV4VGFIZG4wZ0s3NlNCTG01WEl6YzBCY2NRPT0iLCJtYWMiOiIwYmNjOTRiZGJjZTM2YjYyMWJiMzRhNTlkOTkwOWU4Y2M4NmYzYzI5NjhiMTU4MDdiMGJkMmJhYmMwODEzMDhjIn0%3D; laravel_session=eyJpdiI6IkJnczRHV3NcLzhLbzZWaUlvTTI2cFlBPT0iLCJ2YWx1ZSI6IkpQYytLXC9pQ1R3MTZlaEx2QWJ4bGpSd21BV25jelJKVDJkQVdcL25GSG4rQkpQc1duZHIrTjErOGt3bk5BVVVcL3FTK1c2XC83Y1NqTmxBaVZ1bkQ2TWV5Zz09IiwibWFjIjoiNzg4Y2UyNWQ0ODcxMWNkNWE3MmU4ZDY1MmIyNTE0NDgwMzFmM2ZjYzkxMzM5ZGM5ZTk5MDI4NjE4OGRkNmJjYyJ9
Ok i found... it's just that I was authenticated when doing these requests. So the guest middleware was redirecting me... shame on me !
302 response usually because your request is redirected by laravel. if you expect json response don't forget to add Accept: 'application/json' on your header request then you will see what actually wrong
You have to look closer into your controller. You have to return json. Also take a look in the network console in the browser. If response code is 302 there is a location. So if a location is the login page - validation not passed in the middleware
I am trying to connect to an OData API using Advanced REST Client.
The Login is successful and I receive a SecurityToken which I use in the following GET request:
accept: application/json
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.8
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
Content-Type: application/json
authorization: Basic <security-token>
Even though I am using the security token I received from the Login, I am receiving a message that says "The HTTP authorization header is not formatted correctly." and I also receive an "Authorization required" prompt in Advanced REST Client (ARC).
Can anyone tell me what is wrong with the Authorization header or how I can format it correctly?
Something wrong with your token.
please show your login result.
In addition, My be It is because of authorization type that you use 'basic'.
Use 'Bearer' with authorization token:
authorization: Bearer ....