Testing Protected Routes: A Complete Walkthrough
When testing protected routes, we're essentially going through a security checkpoint process. Just as you might need to show your ID and ticket at different points when entering a secure venue, we need to properly set up our request with the right credentials and formatting. Let's walk through this process step by step.
Step 1: Obtaining Your CSRF Token
Before we can make any protected requests, we need to get our security token. Think of this like getting your entry wristband at an event.
Getting the Token:
First, create a new GET request in Postman:
Method: GET
URL: http://localhost:8000/api/csrf/restore
After sending this request, you'll receive a response that includes:
{
"XSRF-Token": "your-token-value-here"
}
This token will also be automatically saved as a cookie in Postman. You'll need both the token value and the cookie for your protected requests to work properly.
Step 2: Setting Up Your Protected Request
Now that we have our token, we can set up our protected request. This is a multi-step process that requires careful attention to detail.
2.1 Creating the New Request
In Postman, create a new request with these basic settings:
Method: POST
URL: http://localhost:8000/api/your-protected-route
2.2 Setting Up Headers
In the Headers tab, you need to add two crucial headers:
Content-Type: application/json
XSRF-TOKEN: your-token-value-here // Copy this from the previous response
Important: The XSRF-TOKEN header value must match exactly with the token you received. Even a single character difference will cause the request to fail.
2.3 Configuring the Request Body
In the Body tab of Postman:
1. Select "raw" as the body type
2. Choose "JSON" from the dropdown
3. Enter your request data:
{
"your": "data",
"goes": "here"
}
Step 3: Testing the Request
Now that everything is set up, we can test our protected route. However, there are several things to verify both before and after sending the request.
Pre-Request Checklist
Before clicking Send, verify:
1. Your token is not expired (tokens typically last for the duration of your session)
2. The XSRF-TOKEN header matches exactly with the token you received
3. Your JSON body is properly formatted
4. The Content-Type header is set to application/json
Understanding the Response
After sending the request, you should examine:
1. Status Code:
200 OK: Success
401 Unauthorized: Token missing or invalid
403 Forbidden: Token validation failed
2. Response Body:
// Successful response example:
{
"status": "success",
"data": {
// Your response data here
}
}
// Error response example:
{
"status": "error",
"message": "Invalid CSRF token"
}
Common Issues and Solutions
1. Invalid Token Errors
If you receive a 403 Forbidden response:
A. Get a fresh token by calling the /api/csrf/restore endpoint again
B. Make sure you're copying the entire token value without any extra spaces
C. Verify the token cookie is present in Postman's cookie manager
2. Request Format Issues
If you receive a 400 Bad Request:
A. Double-check your JSON syntax in the request body
B. Verify the Content-Type header is set correctly
C. Make sure all required fields are included in your request
3. Connection Issues
If your request isn't reaching the server:
A. Verify your server is running
B. Check the URL for typos
C. Ensure you're using the correct port number
Best Practices for Testing Protected Routes
To ensure reliable testing:
1. Create a Postman collection to save your requests and make testing repeatable
2. Use environment variables in Postman to store your base URL and reusable values
3. Test both successful and failed scenarios to ensure proper error handling
4. Document any special requirements or steps in your Postman collection
5. Regularly clear your cookies in Postman to ensure you're testing with fresh sessions