laravel-request-docs

laravel-request-docs copied to clipboard

If i use the url and try authenticate via the docs i always get a error as it was the CSRF token which is not needed for the sanctum api request.

If i export to postman and click the button to post to auth then i get the response i am looking for..

If i try postman i get the correct response:

Hi, thanks for reporting. Let me have a look. If I remove adding X-CSRF-TOKEN to headers when it's value is empty, would work for you?

Like this: https://github.com/rakutentech/laravel-request-docs/pull/68

This is the request that is not working from the documents. I caught the request in console:

Result:

{"status":500,"success":false,"error":{"code":500,"message":"CSRF token mismatch."}}

curl 'http://localhost/api/auth'
-H 'Accept: application/json, text/plain, /'
-H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8'
-H 'Authorization: Bearer'
-H 'Cache-Control: no-cache'
-H 'Connection: keep-alive'
-H 'Content-Type: application/json;charset=UTF-8'
-H 'Cookie: JSESSIONID.2b84989e=node07l6xggrciay8jx7295segy967.node0; JSESSIONID.5353d309=node01l7d23qeq46bnqv7uhe64qtfl2.node0; jenkins-timestamper-offset=-7200000; JSESSIONID.e0139d4a=node01jc68r3nruauq1qryxpvtsuy359.node0; screenResolution=1920x1080; JSESSIONID.c93846e1=node07tt6op3njuqywuwa128iem0p0.node0; JSESSIONID.25ec0c08=node026o0go5nquq1daizxvtuj3552.node0; JSESSIONID.afa366ea=node088cymhiju4gx19jtkaaaaktcn4.node0; JSESSIONID.b2d12f37=node0h6phxoodtlw21892ftjp56vrs0.node0; JSESSIONID.8df212d3=node01a7m3arx63ovt12qkzl4m9z4430.node0; JSESSIONID.9a3073d2=node061k4j5olaxo6lphqxghvnkt70.node0; JSESSIONID.5b57156e=node01nd9y4s0s8zpj19alodss0fy510.node0; JSESSIONID.ed350b34=node01olt5dl2iulbfytkij40v3b6m2.node0; JSESSIONID.d79d91e4=node019bleri6n83s21t63gh4sbqvbr0.node0; XDEBUG_PROFILE=; PHPSESSID=90300e5a16bdf041b4fa3a54453ef9bd; _ga=GA1.1.975793485.1650558215'
-H 'Origin: http://localhost'
-H 'Pragma: no-cache'
-H 'Referer: http://localhost/request_doc'
-H 'Sec-Fetch-Dest: empty'
-H 'Sec-Fetch-Mode: cors'
-H 'Sec-Fetch-Site: same-origin'
-H 'Sec-GPC: 1'
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.79 Safari/537.36'
-H 'X-CSRF-TOKEN: '
-H 'X-Request-LRD: lrd'
--data-raw '{"email":"","password":""}'
--compressed

This is working from postman extract:

curl --location --request POST 'http://localhost/api/auth'
--header 'Content-Type: application/json'
--header 'Accept: application/json'
--data-raw '{ "email": "", "password": "" }'

If i take out

-H 'Origin: http://localhost'
-H 'Referer: http://localhost/request_doc' \

then it works. Wonder if its Cors

Interesting. I don't think it is cors issue, but trusthosts or trust proxies issues, which you try to change it inside your project.

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var array|string|null
     */
    protected $proxies = ['127.0.0.1', 'localhost'];

Not sure, I ll try and reproduce on my local

Interesting. I don't think it is cors issue, but trusthosts or trust proxies issues, which you try to change it inside your project.

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var array|string|null
     */
    protected $proxies = ['127.0.0.1', 'localhost'];

Not sure, I ll try and reproduce on my local

Ok, not a cors issue.

{ "message": "CSRF token mismatch.", "exception": "Symfony\Component\HttpKernel\Exception\HttpException", "file": "/var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php", "line": 357, "trace": [ { "file": "/var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php", "line": 331, "function": "prepareException", "class": "Illuminate\Foundation\Exceptions\Handler", "type": "->" },

This is with the docs. My api works with sanctum

I generated the docs again and now its working. very strange. thanks

Thanks for the update buddy @jackkitley

@kevincobain2000 Happening again.

also getting this in console:

I use docker. Not sure if this should resolve somehow?

I replicated the issue which is a strange one for the API docs. When you authenticate via the website and get a session and then go back to the api docs and click run then it all works again? very strange.

Well, that is the correct behavior. The API docs are just like any other page. Once you are logged into your domain, the cookies for session etc are set by Laravel. And when the API call is made, the api is able to authenticate the user.

Well, that is the correct behavior. The API docs are just like any other page. Once you are logged into your domain, the cookies for session etc are set by Laravel. And when the API call is made, the api is able to authenticate the user.

Well in postman i can call the endpoints without setting a cookie/session. I should be able to call the endpoints openly. Im not using CRSF, im using sanctum token based api calls.

Some endpoints are behind my sanctum auth middleware so i need a bearer auth token to get to these.

Just an update. If i modify the verify CSRF middleware to exclude the checks for /api/* then it works. But its still strange that these requests are coming through as web.

Fixed in #124