Is there a way to exclude a route from CSRF protec

Published 2019-06-19 08:55

Question:

I am aware of the $except property of the VerifyCsrfToken middleware (app/Http/Middleware/VerifyCsrfToken.php) but I am looking for a way to do something similar from my package (so the users who install it don't have to modify their VerifyCsrfToken.php for my route to work).

I am able to define routes on my package but I have no idea how to exclude one (or more) of them from the default middleware. I have tried extending Illuminate\Foundation\Http\Middleware\VerifyCsrfToken on my own package with no luck.

Answer 1:

No, there is not. Middleware is always executed when provided in the $middleware property of your app/Http/Kernel.php class.

This is a good thing. You want to give the developers full control on whether or not they want to enable security checks in their application.

If you really need an exception on the route, you can simply ask to manually add the exception to the VerifyCsrfToken class.

The $except array in the VerifyCsrfToken class is in no way accessible by the Service Container as far as I know. Even if you could find a way to create an instance of the middleware, the Kernel will just create a new instance of the middleware classes. Because the list of exceptions isn't static, it is impossible to change this.



Answer 2:

Yes, it's actually pretty simple and also covered in the docs located here, but for simplicity here's the answer which is provided for your reference:

    <?php

    namespace App\Http\Middleware;

    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

    class VerifyCsrfToken extends BaseVerifier
    {
        /**
         * The URIs that should be excluded from CSRF verification.
         *
         * @var array
         */
        protected $except = [
            'stripe/*',
        ];
    }
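Added example, not part of either answer and not Laravel's own code: a small audit helper that approximates how `$except` patterns are matched against the request path, to list which state-changing routes a wildcard such as `'stripe/*'` leaves without CSRF verification. The function names and the route table are hypothetical, and full-URL matching is left out.

```php
<?php
// Approximation of the path matching applied to $except entries.
// Assumption: '*' is the only wildcard and it also spans '/' characters.
function pathMatchesPattern(string $pattern, string $path): bool
{
    // Patterns and paths are compared without leading or trailing slashes.
    if ($pattern !== '/') {
        $pattern = trim($pattern, '/');
    }
    $path = trim($path, '/');
    if ($path === '') {
        $path = '/';
    }
    if ($pattern === $path) {
        return true;
    }
    // Quote everything literally, then turn the escaped '*' into '.*'.
    $regex = str_replace('\*', '.*', preg_quote($pattern, '#'));
    return preg_match('#^' . $regex . '\z#u', $path) === 1;
}

// Returns the routes that would skip CSRF verification under $except.
function exemptRoutes(array $except, array $routes): array
{
    $exempt = [];
    foreach ($routes as [$method, $uri]) {
        // Read-only methods are never CSRF-checked, so they are not findings.
        if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
            continue;
        }
        foreach ($except as $pattern) {
            if (pathMatchesPattern($pattern, $uri)) {
                $exempt[] = "$method $uri (matched '$pattern')";
                break;
            }
        }
    }
    return $exempt;
}

// Constructed sample route table (hypothetical URIs).
$routes = [
    ['POST', 'stripe/webhook'],
    ['POST', 'stripe/settings/update'],
    ['POST', 'stripe'],
    ['GET',  'stripe/invoices'],
    ['POST', 'account/password'],
];
echo implode(PHP_EOL, exemptRoutes(['stripe/*'], $routes)), PHP_EOL;
```

The wildcard covers every POST route below `stripe/`, nested ones included, so listing the exact URI that needs the exemption keeps later additions under that prefix protected.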