I am aware of the $except
property of the VerifyCsrfToken
middleware (app/Http/Middleware/VerifyCsrfToken.php
) but I am looking for a way to do something similar from my package (so the users who install it don't have to modify their VerifyCsrfToken.php
for my route to work).
I am able to define routes on my package but I have no idea how to exclude one (or more) of them from the default middleware. I have tried extending Illuminate\Foundation\Http\Middleware\VerifyCsrfToken
on my own package with no luck.
No, there is not. Middleware is always executed when provided in the $middleware
property of your app/Http/Kernel.php
class.
This is a good thing. You want to give the developers full control on whether or not they want to enable security checks in their application.
If you really need an exception on the route, you can simply ask to manually add the exception to the VerifyCsrfToken
class.
The $except
array in the VerifyCsrfToken
class is in no way accessible by the Service Container as far as I know. Even if you could find a way to create an instance of the middleware, the Kernel will just create a new instance of the middleware classes. Because the list of exceptions isn't static, it is impossible to change this.
Yes, it's actually pretty simple and also covered in the docs located here, but for simplicity here's the answer which is provided for your reference:
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* @var array
*/
protected $except = [
'stripe/*',
];
}