Project: Okul Platform · Hub: Okul Platform — Conventions

school-api routing & CSRF convention

Gotcha

school-api route names (school-api.*) resolve to URLs under /api/*, not /school-api/*. The prefix/name divergence lives in app/Providers/RouteServiceProvider.php::mapApiRoutes:

Route::prefix('api')->middleware('school-api')->as('school-api.')->group(base_path('routes/school-api.php'));

Two groups share /api/*: routes/api.php (checkToken middleware, \Api namespace) and routes/school-api.php (school-api middleware, \SchoolApi namespace). Laravel does not complain about the overlap; which handler serves a URI that both files define depends only on registration order. The security-relevant consequence is that a shadowed route silently changes which authentication check guards that path (checkToken vs the school-api stack), so before adding a route to either file, grep the other one for the same URI and method.

CSRF

The school-api middleware stack includes VerifyCsrfToken. Tokens are accepted (in order) via:

  1. X-XSRF-TOKEN header (encrypted)
  2. _token body param
  3. csrftoken header (plain) ← codebase convention, used by all existing AJAX
  4. XSRF-TOKEN cookie

Item 4 deserves a check before anyone relies on the list as a defence: a browser attaches the XSRF-TOKEN cookie to cross-site requests automatically, so if getTokenFromRequest treats the bare cookie value as the submitted token (rather than only as the value the client is expected to copy into a header), a request carrying no header and no _token still passes the comparison and the middleware adds nothing. Confirm what that fallback actually does in VerifyCsrfToken.

The _csrfToken global is injected in every layout (frontend/layouts/master, mobile/layouts/master, etc.) via {{ csrf_token() }}.

When calling school-api from FE AJAX

  • URL: {{ route('school-api.xxx') }} → generates /api/xxx
  • Headers: {'csrftoken': _csrfToken}. X-CSRF-TOKEN also works, but the convention is the lowercase csrftoken header that all existing AJAX uses.
  • Include _token: _csrfToken in body as belt-and-suspenders

See app/Http/Middleware/VerifyCsrfToken.php::getTokenFromRequest.
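
A small fetch wrapper that follows the three rules above, added here as an example; it is not code from the Okul Platform codebase. It assumes the URL was rendered server-side with route('school-api.*'), that _csrfToken is the global the layouts inject, and that the X-Requested-With header is harmless (Laravel uses it to decide on JSON error responses); the function names and the 419 handling are my choices, not project conventions.

```javascript
// Added example, not part of the Okul Platform codebase.
// Assumptions: `_csrfToken` is the layout-injected global; URLs come from
// route('school-api.*') rendered in the Blade view.

// school-api routes resolve under /api/*, never /school-api/* (the Gotcha above).
// Fail fast on a hard-coded wrong prefix instead of debugging a 404 later.
function assertSchoolApiUrl(url) {
  const path = new URL(url, 'http://localhost').pathname; // base only used to parse relative URLs
  if (path.startsWith('/school-api/')) {
    throw new Error(`school-api routes resolve under /api/*, got ${path}`);
  }
  return path;
}

// Build the request the school-api middleware stack expects:
//  - csrftoken header (codebase convention, plain token)
//  - _token in the body as belt-and-suspenders
//  - session cookie sent (same-origin), because VerifyCsrfToken compares
//    the submitted token against the session's token
function buildSchoolApiRequest(url, csrfToken, payload = {}) {
  assertSchoolApiUrl(url);
  // _token is spread last so a caller cannot accidentally override it
  const body = new URLSearchParams({ ...payload, _token: csrfToken });
  return {
    url,
    options: {
      method: 'POST',
      credentials: 'same-origin',
      headers: {
        csrftoken: csrfToken,
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest', // assumption: makes Laravel answer errors as JSON
      },
      body: body.toString(),
    },
  };
}

// Usage from a Blade view:
//   postSchoolApi("{{ route('school-api.xxx') }}", { note: 'hi' })
async function postSchoolApi(url, payload, csrfToken = globalThis._csrfToken) {
  const { url: target, options } = buildSchoolApiRequest(url, csrfToken, payload);
  const res = await fetch(target, options);
  // Laravel renders TokenMismatchException as HTTP 419; surface it distinctly
  if (res.status === 419) throw new Error('CSRF token mismatch (419): check csrftoken/_token');
  if (!res.ok) throw new Error(`school-api call failed: ${res.status}`);
  return res.json();
}
```

Keeping the header and the body token in one builder means every caller gets both or neither; a 419 in the console then points at the session (expired or a different layout's token), not at a missing header.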