shows token mismatch exception in laravel form post - laravel

I have a simple form to create a user registration, but when the form is submitted it shows an error "token mismatch exception". I have already tried replacing the name field and id fields but I can't find what's wrong.
Can anyone please tell me what's wrong?
<form action="http://example.com/registration" method="POST">
...............
......
</form>

You have to add the CSRF token to your form:
<form action="http://example.com/registration" method="POST">
{{ csrf_field() }}
......
</form>
To quote the docs:
Laravel makes it easy to protect your application from cross-site request forgeries. Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of the authenticated user.
Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application. To generate a hidden input field _token containing the CSRF token, you may use the csrf_field helper function.

It is because you are not passing the security token along with your form data.
Please use
{{ Form::open(array('url' => 'foo/bar')) }}
........
........
{{ Form::close() }}
Laravel provides an easy method of protecting your application from cross-site request forgeries. First, a random token is placed in your user's session. If you use the Form::open method with POST, PUT or DELETE the CSRF token will be added to your forms as a hidden field automatically. Alternatively, if you wish to generate the HTML for the hidden CSRF field, you may use the token method:
echo Form::token();
You can find the full documentation at this link: http://laravel.com/docs/4.2/html

Related

419 error in second login after a logout in a SPA using Laravel API and Vue.js

I'm getting a page expired error (er.419) when I try to login after a previous logout.
I'm working on auth pages for an SPA made with Laravel and Vue.js. It works well on the first login but after a logout it shows an error when submitting the second login.
I think the issue is the CSRF sent previously and (maybe) expired after logout.
My workflow is this:
The login component has a hidden form sent as POST to the Laravel API, having the csrf-token value from an HTML META TAG set up when the app is created by the Laravel template:
<meta name="login-status" content="{{ Auth::check() }}">
The logout is done by a fetch request in a vue component. So no refresh is done.
Thanks for any suggestion!
From the laravel docs (https://laravel.com/docs/5.8/csrf#csrf-introduction):
Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application.
When you logout, you are invalidating your current session - which means that the csrf token you have cached in your meta becomes invalid.
Solution 1
Refresh the page when you successfully logout, so php can output the active csrf token into your meta tag. For example:
fetch('/api/logout', {
method: 'post'
}).then(() => {
window.location.href = '/login';
});
Solution 2
Consider using the api route middleware group. Doing so will mean the application will not trigger the App\Http\Middleware\VerifyCsrfToken middleware. Bear in mind though that you will no longer have access to the session, so you'll need to look into stateless authentication techniques such as via JWTs.
Laravel themselves even provide a package for authenticating APIs. (https://laravel.com/docs/5.8/passport)

Why need for redirect uri when requesting OAuth access token from Google?

I am trying to request an access token from Google so I can access a Google Drive account, to upload files.
I can make an Auth request ...
<form method="POST" action="https://accounts.google.com/o/oauth2/auth">
<input type="hidden" name="scope" value="[YOUR SCOPE]"/>
<input type="hidden" name="client_id" value="[YOUR CLIENT ID]"/>
<input type="hidden" name="response_type" value="code"/>
<input type="hidden" name="redirect_uri" value="[YOUR RETURN URL]"/>
<input type="hidden" name="access_type" value="offline"/>
<input type="submit"/>
</form>
Why do I need the redirect_uri if I am making an HTTP request to obtain the access token. Wouldn't the token be returned within the response body?
My app does not involve any user interaction so I am not sure why a redirect is even necessary. I don't wish to use an SDK or library, rather I would just like to use HTTP via Postman.
My app does not involve any user interaction
OAuth2 does require user interaction: to authenticate to a user's account, you're going to have to request access from them. A consent screen is displayed and the code is returned to the redirect URI.
Back to the basics of form submit (without JavaScript): the form data will be sent to the URI you set in the action and the page will be redirected to what the server set it to, or the page gets "reloaded" with a page that shows the response of the server.
I never tried Google OAuth2, but in general for this case, usually if your form submit is successful, it will redirect to your redirect_uri with the token appended to the URI as a hash.
Just realized you are using the code grant type. So the flow is: after this form submit, it will get redirected to Google IDM to authenticate and accept consent, then redirect to redirect_uri with the auth code appended. Then you can get the token by requesting it from the token endpoint with the code you obtained.

Laravel - Remember me not working as expected

Using Laravel 5.5, and Laravel's built-in authentication system.
Confused about the Remember me option, this is my remember view
<div class="col-xs-6">
<div class="checkbox checkbox-primary" style="margin: 0;">
<input id="checkbox-remember" type="checkbox" name="remember" {{ old('remember') ? 'checked' : '' }}>
<label for="checkbox-remember">Remember me</label>
</div>
</div>
When checked, it does add the remember_token in the User database, so that part works. But it doesn't seem to 'remember' anything. All users, whether they have a remember_me token or not, can access the website straight away if they close the website/open it again. All users need to re-enter their email/password if they sign out and the remember-me box is not checked, whether they have the remember_me token or not.
Tried both the file and the cookie session driver.
Struggling to see what exactly it remembers.
The remember me functionality from Laravel provides an automatic login for users who signed in with the remember me checkbox checked. This way users who closed their browser or killed their session don't have to login again.
Contrary to other websites (or some browsers, for that matter) who remember the credentials and put them in the login for you, Laravel doesn't do that.
As Laravel states in its documentation:
If you would like to provide "remember me" functionality in your application, you may pass a boolean value as the second argument to the attempt method, which will keep the user authenticated indefinitely, or until they manually logout.

Laravel how to post data to a protected route using axios and vue

Until now I have only used my Laravel app as a backend API for my mobile app. The user logs in and gets a token that is then stored on the device; the device then uses that basic HTTP token on each request to my backend API.
But now I am building a web based version of my app. I want to send a POST update in my page using axios and vue, but I am not sure how I should do this since my route is protected by auth.
Should I do something like this?:
<your-component :auth_user="{{auth()->user()->api_token}}"></your-component>
Or simply create a meta:
<meta name="token" id="token" value="{{ auth()->check() ? auth()->user()->api_token : null }}">
This way my component gets my user's api_token, which can later be used in axios when I send a POST request using basic HTTP auth.
Or what is the common way to talk to a protected API using axios?
thanks
Laravel has a good package for API authentication called Passport, so after it is configured, it creates the routes to request and return the token. To request it, use http://{domain}/oauth/token.
When the user tries to log in, Vue must send a POST request with axios passing the user data. If the user has access, the token is returned.
To protect your routes you can use middleware('auth:api'). Passport uses this middleware to validate the token.
i.e.:
<script>
const userData = {
...
};
axios.post('http://{domain}/oauth/token', userData)
.then(function (response) {
// axios puts the parsed response body under response.data
console.log(response.data.access_token)
// ... redirect to dashboard or something else
})
...
</script>
As you may know, the token has to be passed in every client request, and a way to do this is passing the token in the HTTP request header. Fortunately Passport already does this for you.
Hope it helps.

MVC3 :a required anti-forgery token was not supplied or was invalid

I redirect a page from a web form page (profile.aspx) to an MVC view (signin.aspx). In the MVC controller, I have [ValidateAntiForgeryToken] to get token information, but when I submit the MVC view, I get the 'a required anti-forgery token was not supplied or was invalid' message. If I remove [ValidateAntiForgeryToken], there is no more error message, but I lose my token information.
I do need all those token information for validation. So how can I fix this kind of issue?
Thanks.
In your view, where you declare <form> you need to use the @Html.AntiForgeryToken() helper.
@using (Html.BeginForm()) {
@Html.AntiForgeryToken()
@* The rest of your code *@
<div class="something">
@Html.DisplayFor(m => m.Whatever)
</div>
@* etc... *@
}
This will pass anti-forgery token back to your controller.
UPDATE: The problem that you have is that you are performing a redirection. When you do this all the values are lost. What is unclear is why you do the redirect from one page to another. Normally in MVC if the user is not authenticated or the session expires there will be a redirect to the login.aspx page. If your Signin.aspx is in AccountController then both Signin.aspx and AccountController should be marked for anti-forgery. However, if a user is in Signin.aspx, then internally you just call return RedirectToAction("Profile", "WhateverController"); your information will be lost and WhateverController will fail because the Profile action does not receive anti-forgery information.
Your sign-in process should do something, redirect to the HTTP GET version of Profile, have the user complete the form entry and submit it to the HTTP POST version of Profile. This way your data will be kept and the anti-forgery token will arrive successfully.