Include CSRF middleware in base install for easy override / whitelist.

This makes it easy to skip CSRF verification for things like web hooks
and such from GitHub / Stripe.
taylorotwell committed Jan 27, 2015
1 parent 9b9c12f commit c3e3d9dc4b8a4f6f52f1f89233f2a1d19011fc24
Showing with 21 additions and 1 deletion.
  1. +1 −1 app/Http/Kernel.php
  2. +20 −0 app/Http/Middleware/VerifyCsrfToken.php
@@ -15,7 +15,7 @@ class Kernel extends HttpKernel {
'Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse',
'Illuminate\Session\Middleware\StartSession',
'Illuminate\View\Middleware\ShareErrorsFromSession',
'Illuminate\Foundation\Http\Middleware\VerifyCsrfToken',
'App\Http\Middleware\VerifyCsrfToken',
];
/**
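Review bot: The swap to 'App\Http\Middleware\VerifyCsrfToken' keeps the verifier in the global middleware list directly below 'Illuminate\Session\Middleware\StartSession', which is where it has to stay, since the CSRF token being checked lives in the session; a one-line comment above the entry saying so would stop a later reorder (or a move into route middleware, as proposed in the thread) from silently dropping the check for routes that never opt in.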
@@ -0,0 +1,20 @@
<?php namespace App\Http\Middleware;
use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier {
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
return parent::handle($request, $next);
}
}
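Review bot: handle() here is a pure passthrough to parent::handle, and the copied docblock ('Handle an incoming request.') says nothing about why the subclass exists, so the "easy override / whitelist" intent from the commit message is invisible to anyone opening this file. Suggest documenting in the class docblock that exclusions belong before the parent call, e.g. `if ($request->is('webhooks/*')) { return $next($request); }`, and stating that any excluded path must authenticate the caller some other way (the provider's webhook signature), because skipping here removes the only CSRF check that path has.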

6 comments on commit c3e3d9d

djtarazona replied Jan 27, 2015

Would it be better to move this to route middleware?

rweas replied Jan 27, 2015

@djtarazona Nahh. It makes it easier to just use Input::get when you want CSRF protection, and Request::get for the other ones.

luscadigital replied Feb 2, 2015

@rweas I'm confused. How is this intended to work?

rweas replied Feb 2, 2015

@luscadigital As I understand it, Input::get will do CSRF, but Request::get won't. So you can use either one whenever you need it.

rtablada replied Feb 2, 2015

@djtarazona The idea is that most apps will require CSRF for everything other than whitelisted routes and/or requesting applications. So CSRF is the default so you don't leave random vulnerable routes.

@rweas That's not what is happening; the CSRF filter will run on any request that isn't HTTP GET.

This change just allows you to add conditionals for when you don't want CSRF to run (i.e. if the requesting app is from a whitelisted IP address).
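Worked example of the kind of override the thread describes: an app-level VerifyCsrfToken that keeps verification on by default and skips it only for an explicit list of webhook paths. This is an added illustration, not code from the commit or from Laravel itself; the $excludedPaths list, the shouldSkipCsrf helper and the webhook URIs are assumptions made for the example.

```php
<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

    /**
     * Request paths that skip CSRF verification.
     *
     * Assumed list for this example (not part of the commit). Keep it as
     * narrow as possible: every path here must authenticate the sender by
     * some other means, e.g. the provider's webhook signature, because the
     * middleware is the only CSRF check these paths would otherwise get.
     * Patterns use Request::is() syntax, so '*' wildcards are allowed.
     *
     * @var array
     */
    protected $excludedPaths = [
        'webhooks/github',
        'webhooks/stripe',
    ];

    /**
     * Handle an incoming request.
     *
     * Verification is the default; only requests whose path matches an
     * entry in $excludedPaths bypass the parent check.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if ($this->shouldSkipCsrf($request)) {
            return $next($request);
        }

        return parent::handle($request, $next);
    }

    /**
     * Decide whether the request targets a whitelisted path.
     *
     * Hypothetical helper for this example; fail closed by returning
     * false unless a pattern matches.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return bool
     */
    protected function shouldSkipCsrf($request)
    {
        foreach ($this->excludedPaths as $path) {
            if ($request->is($path)) {
                return true;
            }
        }

        return false;
    }

}
```

Register it exactly as the commit does, in the Kernel's global middleware list below StartSession. The excluded routes lose their CSRF protection entirely, so each handler must verify the sender itself (for GitHub or Stripe, the signature header the provider sends) and should never be reachable as a browser form action.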

rweas replied Feb 3, 2015

@rtablada You're probably right; I'm not really an expert. This sounds like a really good idea, thanks!
