I've been trying to wrap my head around this one for a while now, but can't seem to figure out what the problem is. I've manually created a login page in Laravel 5.2.*, which I've done successfully in the past but for some reason this time it's not working... Here is a breakdown of the important parts of my code:
Route::group(['middleware' => ['web']], function () {
    // Authentication Routes...
    Route::get('auth/login', 'Auth\AuthController@getLogin');
    Route::post('auth/login', 'Auth\AuthController@postLogin');
    Route::get('auth/logout', 'Auth\AuthController@getLogout');
    ....
});
<!DOCTYPE html>
<html lang="en">
<head>
    <meta name="csrf-token" content="{{ csrf_token() }}" />
    ....
</head>
<body>
    <form action="{{ url( '/auth/login' ) }}" class="clearfix" id="login" method="post" novalidate>
        {!! csrf_field() !!}
        @if (count($errors) > 0)
            <div class="show validation-summary">
                <strong>Whoops!</strong> There were some problems with your input.<br />
                <ul>
                    @foreach ($errors->all() as $error)
                        <li>{{ $error }}</li>
                    @endforeach
                </ul>
            </div>
        @else
            <div class="validation-summary">
                <ul>
                </ul>
            </div>
        @endif
        <label class="grey" for="email"><b>Username: </b></label>
        <input class="field" type="text" name="email" id="email" value="{{ old('email') }}" size="23" />
        <label class="grey" for="password"><b>Password:</b></label>
        <input class="field" type="password" name="password" id="password" size="23" />
        <button class="bt_login" name="submit" type="submit">
            <i class="fa fa-btn fa-sign-in"></i> Login
        </button>
    </form>
    ....
</body>
</html>
Here is the postLogin method from the AuthenticatesUsers trait:
public function postLogin(Request $request)
{
    return $this->login($request);
}

public function login(Request $request)
{
    $this->validate($request, [
        $this->loginUsername() => 'required', 'password' => 'required',
    ]);

    // If the class is using the ThrottlesLogins trait, we can automatically throttle
    // the login attempts for this application. We'll key this by the username and
    // the IP address of the client making these requests into this application.
    $throttles = $this->isUsingThrottlesLoginsTrait();

    if ($throttles && $this->hasTooManyLoginAttempts($request)) {
        return $this->sendLockoutResponse($request);
    }

    $credentials = $this->getCredentials($request);

    if (Auth::guard($this->getGuard())->attempt($credentials, $request->has('remember'))) {
        return $this->handleUserWasAuthenticated($request, $throttles);
    }

    // If the login attempt was unsuccessful we will increment the number of attempts
    // to login and redirect the user back to the login form. Of course, when this
    // user surpasses their maximum number of attempts they will get locked out.
    if ($throttles) {
        $this->incrementLoginAttempts($request);
    }

    return $this->sendFailedLoginResponse($request);
}
When clicking on the login button it seems to display the csrf token value and doesn't even hit the postLogin method in the AuthenticatesUsers trait. If you want a live example you can go to http://www.dorothea.co.za/auth/login and click on the Log In sliding panel at the top of the screen, and then click login.
Just to answer my question above, the problem was in the tokensMatch method of the app/Http/Middleware/VerifyCsrfToken.php class. Here is the code that was causing the issue:
echo($request->header('X-CSRF-Token') .' '. $request->input('_token'));
die();
I don't think I made any changes to this file, so just be aware if you're using authentication and your version of Laravel is 5.2.7.
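To make the failure mode above concrete, here is an added, self-contained PHP example (it is not the poster's code and not Laravel's own VerifyCsrfToken source). It models the comparison a CSRF middleware performs, so it is clear why an `echo(...)`/`die()` placed before the comparison both writes the token into the response body and stops the request before the controller is reached, and it adds a small scan that flags such leftovers in middleware source. The function names `tokensMatch()` and `findDebugLeftovers()`, the lower-cased header keys, and the sample session token and source snippet are all constructed for this example.

```php
<?php
// Added example: a standalone model of a CSRF token check plus a scan for
// debugging statements left behind in request-handling code. The names and
// sample data below are assumptions made for this example, not Laravel's API.

declare(strict_types=1);

/**
 * Compare the token stored in the session with the one the client sent,
 * taken from the _token form field (what csrf_field() renders) or, failing
 * that, the X-CSRF-TOKEN header (what an AJAX client would send).
 * Header keys are assumed to be lower-cased by the caller.
 * Returns false on any missing or malformed token; it never prints and
 * never halts, so the middleware can reject the request cleanly.
 */
function tokensMatch(?string $sessionToken, array $input, array $headers): bool
{
    $token = $input['_token'] ?? $headers['x-csrf-token'] ?? null;

    // is_string() also rejects array input such as _token[]=x in the post body.
    if (!is_string($sessionToken) || !is_string($token)) {
        return false;
    }

    // hash_equals() compares in constant time; a plain == would let response
    // timing reveal how many leading characters of the guess were correct.
    return hash_equals($sessionToken, $token);
}

/**
 * Scan PHP source for statements that must not survive in middleware:
 * die()/exit() stop the pipeline so the controller never runs, and
 * echo/dd()/var_dump() write values such as the CSRF token into the response.
 * Returns [lineNumber => trimmed line] for every hit.
 */
function findDebugLeftovers(string $source): array
{
    $pattern = '/\b(die|exit|dd|dump|var_dump|print_r)\s*\(|^\s*echo\b/';
    $hits = [];
    foreach (explode("\n", $source) as $index => $line) {
        if (preg_match($pattern, $line) === 1) {
            $hits[$index + 1] = trim($line);
        }
    }
    return $hits;
}

/** Minimal self-check that does not depend on zend.assertions being enabled. */
function expect(string $label, bool $ok): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: {$label}");
    }
    echo "ok: {$label}\n";
}

// --- constructed sample data ---------------------------------------------
$sessionToken = 'constructed-session-token-0123456789';

// 1. Normal form post carrying the hidden _token field.
expect('form token accepted', tokensMatch($sessionToken, ['_token' => $sessionToken], []));

// 2. AJAX request sending the token in the header instead of the body.
expect('header token accepted', tokensMatch($sessionToken, [], ['x-csrf-token' => $sessionToken]));

// 3. Stale token from an expired session: rejected, not crashed.
expect('stale token rejected', !tokensMatch($sessionToken, ['_token' => 'old-token'], []));

// 4. No session token at all (e.g. misconfigured session driver): rejected.
expect('missing session token rejected', !tokensMatch(null, ['_token' => $sessionToken], []));

// 5. Array-valued _token (_token[]=...): rejected instead of raising a type error.
expect('array token rejected', !tokensMatch($sessionToken, ['_token' => [$sessionToken]], []));

// 6. A leftover like the one in the question, caught by the scan.
$middlewareSource = <<<'SRC'
protected function tokensMatch($request)
{
    echo($request->header('X-CSRF-Token') .' '. $request->input('_token'));
    die();
    return hash_equals($request->session()->token(), $request->input('_token'));
}
SRC;

$leftovers = findDebugLeftovers($middlewareSource);
expect('echo and die() flagged on lines 3 and 4', array_keys($leftovers) === [3, 4]);
foreach ($leftovers as $lineNo => $code) {
    echo "debug leftover on line {$lineNo}: {$code}\n";
}
```

Run it with `php example.php`; every check prints `ok:` and the two flagged lines are listed. The `findDebugLeftovers()` scan is deliberately simple (a regex per line), but pointing it at `app/Http/Middleware/` before a deploy would have surfaced the `echo`/`die()` pair described in the answer, and the point of `tokensMatch()` returning `false` rather than printing or halting is that a bad token becomes a 419 response from the middleware instead of a blank page showing the token itself.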