Include CSRF middleware in base install for easy override / whitelist.
This makes it easy to skip CSRF verification for things like web hooks and such from GitHub / Stripe.
1 parent 9b9c12f, commit c3e3d9d
Showing 2 changed files with 21 additions and 1 deletion.
@@ -0,0 +1,20 @@ | ||
<?php namespace App\Http\Middleware; | ||
|
||
use Closure; | ||
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier; | ||
|
||
class VerifyCsrfToken extends BaseVerifier { | ||
|
||
/** | ||
* Handle an incoming request. | ||
* | ||
* @param \Illuminate\Http\Request $request | ||
* @param \Closure $next | ||
* @return mixed | ||
*/ | ||
public function handle($request, Closure $next) | ||
{ | ||
return parent::handle($request, $next); | ||
} | ||
|
||
} |
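Review bot: `handle()` in this hunk only returns `parent::handle($request, $next)`, so as committed the subclass is a pure pass-through and the middleware behaves exactly like the base verifier; the override is an empty extension point rather than the whitelist the commit message describes. Since this stub is what every new install will copy, a one-line doc comment in the class saying where skip conditions belong, and that any route exempted here must authenticate its caller some other way (for example a signed webhook payload) rather than simply dropping verification, would prevent the file from reading as "CSRF optional". The remaining 1 addition / 1 deletion of this commit is in the second file, which is not shown in this view, so the registration side of the change cannot be reviewed here.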
Would it be better to move this to route middleware?
@djtarazona Nahh. It makes it easier to just use Input::get when you want CSRF protection, and Request::get for the other ones.
@rweas I'm confused. How is this intended to work?
@luscadigital As I understand it, Input::get will do CSRF, but Request::get won't. So you can use either one whenever you need it.
@djtarazona The idea is that most apps will require CSRF for everything other than whitelisted routes and/or requesting applications. So CSRF is the default, so you don't leave random vulnerable routes.
@rweas that's not what is happening, the CSRF filter will run on any request that isn't HTTP GET.
This change just allows you to add conditionals for when you don't want CSRF to run (i.e. if the requesting app is from a whitelisted IP address).
@rtablada You're probably right, I'm not really an expert. This sounds like a really good idea, thanks!
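As an added example of the kind of conditional the thread describes (this is not code from the commit or from the Laravel project): the stub's `handle()` is filled in so that verification is skipped only for an explicit list of webhook paths, and every other non-GET request still goes through the base verifier. The `$except` list, the `inExceptList()` helper and the two `webhooks/...` paths are this example's own assumptions.

```php
<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

    /**
     * Request paths that bypass CSRF verification. Hypothetical paths
     * for this example; each one must authenticate its caller another
     * way (e.g. the controller checks the provider's webhook signature),
     * because a browser could otherwise be made to POST to it.
     *
     * @var array
     */
    protected $except = [
        'webhooks/github',
        'webhooks/stripe',
    ];

    /**
     * Handle an incoming request: CSRF stays on by default and is only
     * skipped for the paths listed above.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if ($this->inExceptList($request)) {
            return $next($request);
        }

        return parent::handle($request, $next);
    }

    /**
     * Match the request path against the exempt list; Request::is()
     * accepts the same wildcard patterns as route matching.
     */
    protected function inExceptList($request)
    {
        foreach ($this->except as $pattern) {
            if ($request->is($pattern)) {
                return true;
            }
        }

        return false;
    }

}
```

Keep the list to exact paths rather than broad wildcards, so that the audit question "which routes are reachable without a CSRF token?" has a short, reviewable answer.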