Is there a way to exclude a route from CSRF protec

2019-06-19 08:26发布

站内问答 / PHP
1015 2 6

I am aware of the $except property of the VerifyCsrfToken middleware (app/Http/Middleware/VerifyCsrfToken.php) but I am looking for a way to do something similar from my package (so the users who install it don't have to modify their VerifyCsrfToken.php for my route to work).

I am able to define routes on my package but I have no idea how to exclude one (or more) of them from the default middleware. I have tried extending Illuminate\Foundation\Http\Middleware\VerifyCsrfToken on my own package with no luck.

2条回答
混吃等死
2楼-- · 2019-06-19 08:51

No, there is not. Middleware is always executed when provided in the $middleware property of your app/Http/Kernel.php class.

This is a good thing. You want to give the developers full control on whether or not they want to enable security checks in their application.

If you really need an exception on the route, you can simply ask to manually add the exception to the VerifyCsrfToken class.

The $exceptarray in the VerifyCsrfToken class is in no way accessible by the Service Container as far as I know. Even if you could find a way to create an instance of the middleware, the Kernel will just create a new instance of the middleware classes. Because the list of exceptions isn't static, it is impossible to change this.

查看更多
0人赞 添加讨论(0) 举报
劫难
3楼-- · 2019-06-19 08:52

Yes, it's actually pretty simple and also covered in the docs located here, but for simplicity here's the answer which is provided for your reference:

    <?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'stripe/*',
    ];
}
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)