How do I handle CSRF tokens when integrating a Laravel API with a Node.js client

Step 1: Configure Laravel for CSRF Protection

1. Enable CSRF Protection:
- In your Laravel application, ensure that CSRF protection is enabled by setting `protect` to `true` in the `VerifyCsrfToken` middleware:

php
     protected $except = [
         'stripe/*',
         'https://example.com/foo/bar',
         'https://example.com/foo/*',
     ];
     

2. Generate CSRF Tokens:
- Laravel generates a CSRF token for each active user session. You can access this token via the `csrf_token` helper function:

php
     $token = csrf_token();
     

Step 2: Send CSRF Tokens with Requests

1. Include CSRF Tokens in Requests:
- When making requests to your Laravel API from your Node.js client, include the CSRF token in the request headers. For example, using Axios:

javascript
     axios.get('/api/items', {
         headers: {
             'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content'),
         },
     });
     

2. Use Axios with Credentials:
- Ensure that Axios sends cookies with each request by setting `withCredentials` to `true`:

javascript
     axios.get('/api/items', {
         headers: {
             'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content'),
         },
         withCredentials: true,
     });
     

Step 3: Validate CSRF Tokens

1. Validate CSRF Tokens in Laravel:
- In your Laravel API controller, validate the CSRF token in the request headers:

php
     public function index(Request $request)
     {
         if (!$request->hasValidCsrfToken()) {
             return response()->json(['error' => 'CSRF token mismatch'], 419);
         }
         // Process the request
     }
     

Conclusion

By following these steps, you can effectively handle CSRF tokens when integrating a Laravel API with a Node.js client. This ensures that your application remains secure and protected against cross-site request forgery attacks.