Ignoring of request headers about laravel-request-docs HOT 15 CLOSED

Well, that is the correct behavior. The API docs are just like any other page. Once you are logged into your domain, the cookies for session etc are set by Laravel. And when the API call is made, the api is able to authenticate the user.

Well in postman i can call the endpoints without setting a cookie/session. I should be able to call the endpoints openly.
Im not using CRSF, im using sanctum token based api calls.

Some endpoints are behind my sanctum auth middleware so i need a bearer auth token to get to these.

from laravel-request-docs.

Hi, thanks for reporting.
Let me have a look.
If I remove adding X-CSRF-TOKEN to headers when it's value is empty, would work for you?

from laravel-request-docs.

Like this: #68

from laravel-request-docs.

This is the request that is not working from the documents. I caught the request in console:

Result:

{"status":500,"success":false,"error":{"code":500,"message":"CSRF token mismatch."}}

curl 'http://localhost/api/auth'
-H 'Accept: application/json, text/plain, /'
-H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8'
-H 'Authorization: Bearer'
-H 'Cache-Control: no-cache'
-H 'Connection: keep-alive'
-H 'Content-Type: application/json;charset=UTF-8'
-H 'Cookie: JSESSIONID.2b84989e=node07l6xggrciay8jx7295segy967.node0; JSESSIONID.5353d309=node01l7d23qeq46bnqv7uhe64qtfl2.node0; jenkins-timestamper-offset=-7200000; JSESSIONID.e0139d4a=node01jc68r3nruauq1qryxpvtsuy359.node0; screenResolution=1920x1080; JSESSIONID.c93846e1=node07tt6op3njuqywuwa128iem0p0.node0; JSESSIONID.25ec0c08=node026o0go5nquq1daizxvtuj3552.node0; JSESSIONID.afa366ea=node088cymhiju4gx19jtkaaaaktcn4.node0; JSESSIONID.b2d12f37=node0h6phxoodtlw21892ftjp56vrs0.node0; JSESSIONID.8df212d3=node01a7m3arx63ovt12qkzl4m9z4430.node0; JSESSIONID.9a3073d2=node061k4j5olaxo6lphqxghvnkt70.node0; JSESSIONID.5b57156e=node01nd9y4s0s8zpj19alodss0fy510.node0; JSESSIONID.ed350b34=node01olt5dl2iulbfytkij40v3b6m2.node0; JSESSIONID.d79d91e4=node019bleri6n83s21t63gh4sbqvbr0.node0; XDEBUG_PROFILE=; PHPSESSID=90300e5a16bdf041b4fa3a54453ef9bd; _ga=GA1.1.975793485.1650558215'
-H 'Origin: http://localhost'
-H 'Pragma: no-cache'
-H 'Referer: http://localhost/request_doc'
-H 'Sec-Fetch-Dest: empty'
-H 'Sec-Fetch-Mode: cors'
-H 'Sec-Fetch-Site: same-origin'
-H 'Sec-GPC: 1'
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.79 Safari/537.36'
-H 'X-CSRF-TOKEN: '
-H 'X-Request-LRD: lrd'
--data-raw '{"email":"","password":""}'
--compressed

This is working from postman extract:

curl --location --request POST 'http://localhost/api/auth'
--header 'Content-Type: application/json'
--header 'Accept: application/json'
--data-raw '{
"email": "",
"password": ""
}'

from laravel-request-docs.

If i take out

-H 'Origin: http://localhost'
-H 'Referer: http://localhost/request_doc' \

then it works. Wonder if its Cors

from laravel-request-docs.

Interesting. I don't think it is cors issue, but trusthosts or trust proxies issues, which you try to change it inside your project.

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var array|string|null
     */
    protected $proxies = ['127.0.0.1', 'localhost'];

Not sure, I ll try and reproduce on my local

from laravel-request-docs.

Interesting. I don't think it is cors issue, but trusthosts or trust proxies issues, which you try to change it inside your project.

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var array|string|null
     */
    protected $proxies = ['127.0.0.1', 'localhost'];

Not sure, I ll try and reproduce on my local

Ok, not a cors issue.

{
"message": "CSRF token mismatch.",
"exception": "Symfony\Component\HttpKernel\Exception\HttpException",
"file": "/var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php",
"line": 357,
"trace": [
{
"file": "/var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php",
"line": 331,
"function": "prepareException",
"class": "Illuminate\Foundation\Exceptions\Handler",
"type": "->"
},

This is with the docs. My api works with sanctum

from laravel-request-docs.

I generated the docs again and now its working. very strange. thanks

from laravel-request-docs.

Thanks for the update buddy @jackkitley

from laravel-request-docs.

@kevincobain2000 Happening again.

from laravel-request-docs.

also getting this in console:

I use docker. Not sure if this should resolve somehow?

from laravel-request-docs.

I replicated the issue which is a strange one for the API docs. When you authenticate via the website and get a session and then go back to the api docs and click run then it all works again? very strange.

from laravel-request-docs.

Well, that is the correct behavior. The API docs are just like any other page. Once you are logged into your domain, the cookies for session etc are set by Laravel. And when the API call is made, the api is able to authenticate the user.

from laravel-request-docs.

Just an update. If i modify the verify CSRF middleware to exclude the checks for /api/* then it works. But its still strange that these requests are coming through as web.

from laravel-request-docs.

Fixed in #124

from laravel-request-docs.