How can I check which Android app is accessing my Laravel API

To determine which specific Android app is accessing your Laravel API, you need to implement an authentication mechanism and potentially a method to verify the app’s integrity, as standard HTTP requests don’t inherently provide this information. 

The most effective and secure methods involve using token-based authentication and, for enhanced security, verifying the app’s signature. 

1. Use Laravel Sanctum or Passport for Token Authentication 

This is the standard approach to ensure only authorized clients (including your app) can access protected routes. The API will know which user within your app is making the request. 

  • Laravel Sanctum: This is ideal for mobile applications and single-page applications (SPAs) using token-based authentication.
    • The user logs in via your Android app.
    • Upon successful login, Laravel generates an API token for that user/device and sends it to the app.
    • The Android app then sends this token in the Authorization header of all subsequent API requests (e.g., Authorization: Bearer <token>).
    • On the server side, Laravel’s auth:sanctum middleware intercepts the request, validates the token, and identifies the associated user. This allows you to track which user made the request.
  • Laravel Passport: Use this if you need a full OAuth2 implementation, which is more complex but supports various authorization flows and third-party integrations. 

2. Implement App Signature Verification (Advanced Security) 

Standard token-based authentication identifies the user, but it doesn’t stop someone from using the same token in a different app or client (e.g., a clone app, Postman, etc.) if they extract it from your source code. 

To verify that the request is genuinely coming from your specific, official Android app, you can implement app signature verification: 

  • Generate and Send a Signature Hash:
    • When you build your Android app, it’s signed with a unique certificate (keystore). This certificate has a unique fingerprint (e.g., SHA-256).
    • In your Android app’s code, dynamically generate this SHA-256 fingerprint at runtime.
    • Send this generated fingerprint to your Laravel API in a custom HTTP header with every request.
  • Verify on the Server Side:
    • Store your official app’s SHA-256 fingerprint in your Laravel application’s environment variables (e.g., ANDROID_APP_SIGNATURE).
    • Create a custom Laravel middleware that intercepts requests.
    • Inside the middleware, compare the incoming signature header value with the stored official signature.
    • If the signatures match, allow the request to proceed. If they do not match, reject the request (e.g., with a 401 Unauthorized status). 
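
The server-side check described above, as an added example (not code from the original page). The header name X-App-Signature, the class name VerifyAppSignature and the config key services.android_app.signature (mapped to env('ANDROID_APP_SIGNATURE') in config/services.php) are assumptions; the comma-separated list of fingerprints for key rotation goes slightly beyond the single value the text describes.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

class VerifyAppSignature
{
    // Assumed header name; use whatever name the Android client actually sends.
    private const HEADER = 'X-App-Signature';

    public function handle(Request $request, Closure $next): Response
    {
        // Assumed config key, mapped in config/services.php to
        // env('ANDROID_APP_SIGNATURE'). Reading config() rather than env()
        // keeps the check working after `php artisan config:cache`.
        // A comma-separated value allows an old and a new signing key side by side.
        $configured = (string) config('services.android_app.signature', '');
        $allowed = array_filter(array_map(
            fn (string $value) => self::normalize($value),
            explode(',', $configured)
        ));

        $presented = self::normalize((string) $request->header(self::HEADER, ''));

        $matched = false;
        foreach ($allowed as $fingerprint) {
            // hash_equals compares in constant time
            if ($presented !== null && hash_equals($fingerprint, $presented)) {
                $matched = true;
            }
        }

        if (! $matched) {
            // Record who was refused without copying the raw header into the log
            Log::warning('App signature check failed', [
                'user_id' => $request->user()?->getAuthIdentifier(),
                'ip' => $request->ip(),
                'path' => $request->path(),
                'header_present' => $request->hasHeader(self::HEADER),
            ]);

            return response()->json(['message' => 'Unauthorized'], 401);
        }

        return $next($request);
    }

    /**
     * Reduce "AB:CD:..." or "abcd..." to 64 lowercase hex characters,
     * or return null when the value is not a SHA-256 fingerprint.
     */
    private static function normalize(string $value): ?string
    {
        $hex = strtolower(str_replace([':', ' '], '', trim($value)));

        return preg_match('/^[0-9a-f]{64}$/', $hex) === 1 ? $hex : null;
    }
}
```

Run it after auth:sanctum so the log entry carries the authenticated user. The fingerprint is a fixed value supplied by the client, so, like the Origin header, it is a signal to log and filter on rather than proof of which app sent the request.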

Summary of Steps to Track Usage

  1. Set up User Authentication: Use Laravel Sanctum for API token management.
  2. Protect Routes: Apply the auth:sanctum middleware to the API routes you want to monitor.
  3. Log Requests: Use Laravel’s logging features to track requests to protected endpoints, linking them to the authenticated user via Auth::user() in your controllers or middleware.
  4. Add Signature Verification (Optional but Recommended):
    • Implement logic in your Android app to calculate its release signature dynamically and add it to request headers.
    • Add a custom middleware in Laravel to verify this signature against a known, stored value. 

By combining token authentication with app signature verification, you can monitor which users call your Laravel API and reject requests that do not carry your official Android app's signature.

How can I check which domain is accessing my Laravel API

To check which domain is accessing your Laravel API, inspect the Origin or Referer HTTP headers sent with the request. These headers are client-provided and can be spoofed, so handle them in one place, a custom middleware, where the policy can be enforced and logged consistently.

Method 1: Using a Middleware (Recommended for Access Control)

This method allows you to restrict API access to specific domains and is a common practice for security. 

  1. Create a new middleware by running the following Artisan command:

bash

    php artisan make:middleware CheckApiOrigin

  2. Edit the generated middleware file in app/Http/Middleware/CheckApiOrigin.php to read the incoming headers and enforce your policy.

php

    <?php

    namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Log;
    use Symfony\Component\HttpFoundation\Response;

    class CheckApiOrigin
    {
        public function handle(Request $request, Closure $next): Response
        {
            // Get the Origin header from the request
            $origin = $request->header('Origin');

            // Get the Referer header as a fallback (for non-AJAX or older requests)
            // and reduce it to scheme://host[:port] so it can be compared with the allow-list
            $referer = $request->header('Referer');
            $parts = $referer ? parse_url($referer) : false;
            $originFromReferer = (is_array($parts) && isset($parts['scheme'], $parts['host']))
                ? $parts['scheme'] . '://' . $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '')
                : null;

            // Define your allowed domains (as full origins, including the scheme)
            $allowedDomains = ['https://your-frontend-domain.com', 'https://another-allowed-domain.com'];

            // Check if the Origin or the Referer origin is in the allowed list
            if (!in_array($origin, $allowedDomains, true) && !in_array($originFromReferer, $allowedDomains, true)) {
                // Optional: log the unauthorized access attempt; the client-supplied
                // value goes into the context array, not into the message text
                Log::warning('Unauthorized API access attempt', [
                    'from' => $origin ?? $originFromReferer ?? 'Unknown',
                ]);

                return response('Unauthorized access.', 401);
            }

            return $next($request);
        }
    }

  3. Register and apply the middleware to your API routes.
    • For all API routes, add the middleware to the api middleware group in bootstrap/app.php (or app/Http/Kernel.php in older Laravel versions):

php

    ->withMiddleware(function (Middleware $middleware) {
        // ... other middleware
        $middleware->api([
            // ... other api middleware
            \App\Http\Middleware\CheckApiOrigin::class,
        ]);
    })

    • Alternatively, apply it to specific routes or route groups in routes/api.php:

php

    use App\Http\Middleware\CheckApiOrigin;

    Route::middleware([CheckApiOrigin::class])->group(function () {
        // Your protected API routes here
    });

Method 2: Accessing Headers Directly in a Controller

You can also access the headers within a controller method for ad-hoc checks, though middleware is cleaner for global policy enforcement.

php

use Illuminate\Http\Request;

class ApiController extends Controller
{
    public function someApiEndpoint(Request $request)
    {
        $origin = $request->header('Origin'); // Get the 'Origin' header value
        $referer = $request->header('Referer'); // Get the 'Referer' header value
        
        // Use the values as needed
        if ($origin === 'https://allowed-domain.com') {
            // Process the request
        } else {
            // Deny access
            return response('Unauthorized', 401);
        }
    }
}

Security Considerations

  • Header Spoofing: Remember that the Origin and Referer headers are sent by the client and can be manually faked with tools like cURL.
  • API Keys/Tokens: For robust security, domain checking should be used in conjunction with a more secure authentication mechanism like API tokens, OAuth2 (using Laravel Passport or Laravel Sanctum), or a combination of both.

How to store user activity in Laravel into database table

The middleware below stores user activity in a database table. It includes the fix for the UTF-8 error.

<?php

namespace App\Http\Middleware;

use App\Models\CalActivity;
use App\Models\User;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Session;

class UserActivity
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        $success = [];

        // Strip the scheme and host so only the path is stored.
        // Dots are escaped so they match a literal "."; the www host is
        // removed before the bare host so no "www." prefix is left behind.
        $pattern = [
            '/https:\/\//',
            '/http:\/\//',
            '/www\.shubhcalendar\.com\//',
            '/shubhcalendar\.com\//',
            '/www\.\//',
        ];

        $ip = $request->ip();

        // The URL is entity-encoded once here; it is not encoded again before storage
        $page = preg_replace($pattern, '', htmlentities($request->url()));

        // Replace values that are not valid in any of the expected encodings
        $encoding = mb_detect_encoding($page, ['UTF-8', 'Windows-1251', 'ISO-8859-1', 'ASCII'], true);
        if ($encoding === false) {
            $page = 'Unknown or invalid encoding';
        }

        // Truncate on character boundaries so a multibyte character is never
        // cut in half (a byte-based substr() can produce invalid UTF-8)
        if (mb_strlen($page) > 200) {
            $page = mb_substr($page, 0, 200);
        }

        $expiresAt = now()->addMinutes(2); /* keep online for 2 min */
        $success['user_id'] = 0;
        $category = $request->method();

        // Record last-seen data for each guard that authenticated the request;
        // when both are authenticated, the web guard is applied last, as before
        foreach (['api', 'web'] as $guard) {
            if (Auth::guard($guard)->check()) {
                $id = Auth::guard($guard)->user()->id;
                $success['user_id'] = $id;
                Cache::put('user-is-online-' . $id, true, $expiresAt);
                /* last seen */
                User::where('id', $id)->update(['last_seen' => now(), 'page' => $page, 'ip' => $ip]);
                $category = $guard;
            }
        }

        $success['session_id'] = Session::getId();
        $success['page'] = $page;
        $success['category'] = $category;
        $success['ip'] = $ip;
        $success['time_value'] = time();
        // The User-Agent header may be absent, and it is client-controlled, so cast and cap it
        $success['agent'] = mb_substr((string) $request->header('user-agent'), 0, 255);

        CalActivity::create($success);

        return $next($request);
    }
}

csrf token in ajax laravel

To handle CSRF tokens in AJAX requests within a Laravel application, the token needs to be included in the request. Laravel’s built-in VerifyCsrfToken middleware automatically validates this token.

1. Include the CSRF token in a meta tag:

Add a meta tag in your Blade layout to make the CSRF token accessible to your JavaScript:

Code

<meta name="csrf-token" content="{{ csrf_token() }}">

2. Configure AJAX requests to include the token:

a. Using jQuery:

You can configure jQuery’s ajaxSetup to automatically include the CSRF token in the headers of all subsequent AJAX requests:

JavaScript

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});

b. Manually for specific AJAX calls:

Alternatively, you can manually include the token in the data or headers of individual AJAX requests:

JavaScript

$.ajax({
    url: '/your-endpoint',
    type: 'POST',
    data: {
        _token: $('meta[name="csrf-token"]').attr('content'),
        // other data
    },
    // or in headers:
    // headers: {
    //     'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    // },
    success: function(response) {
        // handle success
    },
    error: function(error) {
        // handle error
    }
});

c. Using Axios (or other JavaScript frameworks):

Similar to jQuery, you can configure Axios to include the token in the request headers:

JavaScript

axios.defaults.headers.common['X-CSRF-TOKEN'] = document.querySelector('meta[name="csrf-token"]').getAttribute('content');

Explanation:

  • Laravel’s csrf_token() helper generates a unique token for each user session.
  • By embedding this token in a meta tag, JavaScript can access it.
  • Including the token in the X-CSRF-TOKEN header (or as _token in the request body for form-like submissions) allows Laravel’s VerifyCsrfToken middleware to validate the request, ensuring it originates from a legitimate source and preventing Cross-Site Request Forgery attacks.

419 unknown status Laravel 10

The “419 unknown status,” often displayed as “419 Page Expired,” is an HTTP status code primarily encountered in web applications, particularly those built with the Laravel framework. This error signifies a Cross-Site Request Forgery (CSRF) token mismatch, indicating that the client’s session has expired or the submitted form lacks a valid CSRF token.

Causes of the 419 Error:

  • Missing CSRF Token: When submitting a form in a Laravel application, a hidden CSRF token is expected to be included for security purposes. If this token is absent, the 419 error is triggered.
  • Expired CSRF Token: CSRF tokens have a limited lifespan. If a user leaves a page with a form open for an extended period, the token may expire, leading to the 419 error upon form submission.
  • Session Inactivity: The error can also occur due to general session expiration caused by user inactivity, requiring re-authentication to access protected resources.

Common Solutions:

  • Include @csrf Directive: For forms in Laravel Blade templates, ensure the @csrf directive is included within the <form> tags to automatically generate and include the CSRF token.
  • Refresh the Page: If the error is due to an expired token, refreshing the page will generate a new token and potentially resolve the issue.
  • Clear Browser Cache and Cookies: Outdated cache or corrupted cookies can sometimes interfere with session management, leading to CSRF token issues. Clearing them can help.
  • Verify Session Configuration: Ensure the session settings in the application’s configuration are correctly defined, including the session lifetime.
  • Handle CSRF in AJAX Requests: For AJAX requests, manually include the CSRF token in the request headers or data payload to prevent the 419 error.

storage logs Laravel

Laravel stores its log files within the storage/logs directory of your application. By default, a single log file named laravel.log is created within this directory.

Key aspects of Laravel’s logging:

  • Monolog Integration: Laravel’s logging facilities are built on top of the powerful Monolog library, providing a flexible and robust logging solution.
  • Log Channels: Laravel utilizes “channels” to define how log information is written. Examples include:
    • Single: Writes all logs to a single file (laravel.log).
    • Daily: Creates a new log file for each day, preventing a single file from becoming excessively large.
    • Stack: Aggregates multiple log channels into one, allowing logs to be sent to various destinations simultaneously (e.g., file and Slack).
  • Log Levels: Monolog supports various log severity levels (debug, info, notice, warning, error, critical, alert, emergency), allowing you to categorize and filter log messages based on their importance.
  • Configuration: The config/logging.php file controls all logging behavior, including channel definitions and their respective options. You can configure the default log channel, specify the minimum log level for different environments, and customize how log messages are handled.
  • Writing to Logs: You can write messages to the log using the Log facade, utilizing methods corresponding to the different log levels (e.g., Log::info(), Log::error()). Contextual data can also be passed as an array to these methods.

Example of writing to the log:

Code

<?php

use Illuminate\Support\Facades\Log;

Log::info('This is an informational message.');
Log::warning('Something might be going wrong here.');
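// The request_id value is cut off in the original; '<request-id>' is a placeholder
Log::error('An error occurred during processing.', ['user_id' => 123, 'request_id' => '<request-id>']);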

declare array in laravel blade shuffle it and traverse it

In Laravel Blade, you can declare an array directly in the view, shuffle it using Laravel’s collect() helper (or PHP’s native shuffle()), and then loop through it with @foreach.

Here’s an example:

@php
    // Declare the array
    $items = ['Apple', 'Banana', 'Cherry', 'Mango', 'Orange'];

    // Shuffle using Laravel collection helper
    $items = collect($items)->shuffle();
@endphp

<ul>
    @foreach($items as $item)
        <li>{{ $item }}</li>
    @endforeach
</ul>

Alternative (using native PHP shuffle):

@php
    $items = ['Apple', 'Banana', 'Cherry', 'Mango', 'Orange'];
    shuffle($items); // modifies array in place
@endphp

<ul>
    @foreach($items as $item)
        <li>{{ $item }}</li>
    @endforeach
</ul>

Tips:

  • collect($array)->shuffle() is nice if you’re already using Laravel collections, and it returns a new shuffled collection without modifying the original.
  • shuffle($array) changes the original array directly.

create and append json file php

To create and append data to a JSON file using PHP, the following steps are required:

  • Define the JSON file path: Specify the name and location of the JSON file.

Code

    $filename = 'data.json';
  • Prepare the new data: Create an associative array in PHP representing the data to be appended.

Code

    $newData = [
        'name' => 'Aditya Singh',
        'age' => 43,
        'city' => 'India'
    ];
  • Read existing data (if any): Check if the JSON file exists. If it does, read its contents and decode them into a PHP array.

Code

    if (file_exists($filename)) {
        $currentData = file_get_contents($filename);
        $arrayData = json_decode($currentData, true); // true for associative array
    } else {
        $arrayData = []; // Initialize an empty array if file doesn't exist
    }
  • Append new data: Add the $newData to the $arrayData. If the JSON file stores an array of objects, append the new data as a new element in that array.

Code

    $arrayData[] = $newData;
  • Encode and write to file: Convert the updated PHP array back into a JSON string using json_encode() and write it to the file using file_put_contents().

Code

    $jsonData = json_encode($arrayData, JSON_PRETTY_PRINT); // JSON_PRETTY_PRINT for readability
    file_put_contents($filename, $jsonData);

This process ensures that new data is added without overwriting existing content, while also handling the creation of the file if it doesn’t already exist.
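
The same read, append and write sequence as one function that holds an exclusive lock for the whole cycle and refuses to overwrite a file it cannot parse. This is an added example, not code from the original page; the function name appendJsonRecord and the second sample record are constructed for illustration, and PHP 8.1 or later is assumed (for array_is_list).

```php
<?php

/**
 * Append one record to a JSON array file under an exclusive lock.
 * Returns the number of records in the file after the write.
 */
function appendJsonRecord(string $filename, array $record): int
{
    // 'c+' creates the file if it is missing and never truncates it on open
    $handle = fopen($filename, 'c+');
    if ($handle === false) {
        throw new RuntimeException("Cannot open {$filename}");
    }

    try {
        // Hold the lock across read, modify and write so two concurrent
        // requests cannot overwrite each other's records
        if (!flock($handle, LOCK_EX)) {
            throw new RuntimeException("Cannot lock {$filename}");
        }

        $contents = stream_get_contents($handle);
        $records = [];
        if ($contents !== false && trim($contents) !== '') {
            // Throws JsonException on a corrupt file, leaving it untouched
            $records = json_decode($contents, true, 512, JSON_THROW_ON_ERROR);
            if (!is_array($records) || !array_is_list($records)) {
                throw new UnexpectedValueException("{$filename} does not hold a JSON array");
            }
        }

        $records[] = $record;
        $json = json_encode($records, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);

        // Rewrite the file in place while still holding the lock
        rewind($handle);
        ftruncate($handle, 0);
        fwrite($handle, $json);
        fflush($handle);

        return count($records);
    } finally {
        flock($handle, LOCK_UN);
        fclose($handle);
    }
}

// Constructed sample run against a temporary file
$file = sys_get_temp_dir() . '/append-demo-' . uniqid() . '.json';
appendJsonRecord($file, ['name' => 'Aditya Singh', 'age' => 43, 'city' => 'India']);
$count = appendJsonRecord($file, ['name' => 'Second Entry', 'age' => 30, 'city' => 'India']);
echo $count, PHP_EOL;
unlink($file);
```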

minimum-stability dev or stable meaning

In the context of dependency management with tools like Composer, “minimum-stability” determines the least stable version of a package that Composer will consider during dependency resolution. “dev” represents the least stable, while “stable” represents the most stable. 

Here’s a breakdown: 

  • dev: This is the least stable version, typically used for development and testing. It’s not recommended for production environments due to potential instability and breaking changes.
  • stable: This signifies the most stable version, suitable for production use. It indicates a release that has been thoroughly tested and is considered reliable.

When minimum-stability is set to dev, Composer will consider all versions, including development branches (like dev-main) and alpha/beta releases, if no stable version is available. If minimum-stability is set to stable, only stable releases will be considered, and development versions will be ignored. 

For example, if you have minimum-stability: dev and prefer-stable: true, Composer will try to install stable versions first, but if a stable version isn’t available, it will fall back to a development version. 

default file and folder permissions in linux for laravel

In a Linux environment, Laravel projects generally use file permissions of 644 for files and 755 for folders, with some exceptions for specific directories like storage and bootstrap/cache which might require 775 or even 777 for write access by the web server user. 

File Permissions (644):

  • Owner: Read and Write (rw)
  • Group: Read (r)
  • Others: Read (r) 

Folder Permissions (755):

  • Owner: Read, Write, and Execute (rwx)
  • Group: Read and Execute (r-x)
  • Others: Read and Execute (r-x) 

Special Cases (775/777):

  • storage and bootstrap/cache: These directories need write access for the web server user (often www-data) to store temporary files, logs, and cached data. Therefore, these folders may require 775 or even 777 permissions to allow the web server to write to them.
  • Other writable folders: Depending on your project’s specific needs, you may also need to adjust permissions for other folders that require write access by the web server.

Why these permissions?

  • Security: Limiting permissions to the minimum necessary helps prevent unauthorized access and modification.
  • Performance: Allowing the web server to access and modify files without excessive permissions improves performance.
  • Laravel Functionality: Laravel relies on certain directories being writable to function correctly.

How to set permissions:

You can use the chmod command to change file and folder permissions. For example: 

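  • To set all files to 644: find . -type f -exec chmod 644 {} +
  • To set all folders to 755: find . -type d -exec chmod 755 {} +
  • To set storage and bootstrap/cache to 775: chmod -R 775 storage bootstrap/cache

Important Considerations:

  • Web Server User: Make sure the web server user (e.g., www-data) has the necessary permissions (write, read, execute) on the relevant directories.
  • Project Root: These commands should be run from the project’s root directory.
  • Recursive Changes: The -R flag applies the same mode recursively to every file and folder under the named directories. Running chmod -R 644 ./* would therefore also remove the execute bit from folders and make them untraversable, and chmod -R 755 ./* would mark every file executable, which is why files and folders are selected separately with find above.
  • Security: Avoid excessive permissions on files and folders, as they can create security vulnerabilities. 777 in particular lets every local user write to the directory; prefer 775 with the web server user in the directory’s group.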