Include CSRF middleware in base install for easy override / whitelist.
This makes it easy to skip CSRF verification for things like web hooks
and such from GitHub / Stripe.
taylorotwell committed Jan 27, 2015
1 parent 9b9c12f commit c3e3d9dc4b8a4f6f52f1f89233f2a1d19011fc24
Showing with 21 additions and 1 deletion.
  1. +1 −1 app/Http/Kernel.php
  2. +20 −0 app/Http/Middleware/VerifyCsrfToken.php
@@ -15,7 +15,7 @@ class Kernel extends HttpKernel {
'Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse',
'Illuminate\Session\Middleware\StartSession',
'Illuminate\View\Middleware\ShareErrorsFromSession',
'Illuminate\Foundation\Http\Middleware\VerifyCsrfToken',
'App\Http\Middleware\VerifyCsrfToken',
];

/**
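Review bot: Swapping 'Illuminate\Foundation\Http\Middleware\VerifyCsrfToken' for 'App\Http\Middleware\VerifyCsrfToken' keeps the verifier in the same slot of the global stack, after 'Illuminate\Session\Middleware\StartSession', which it must stay because the token comparison reads the session; any exemption logic later added to the app subclass should preserve that position so every non-GET request is still checked by default, as the commit message intends.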
@@ -0,0 +1,20 @@
<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
return parent::handle($request, $next);
}

}
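Review bot: handle() only forwards to parent::handle, so nothing in the file tells the next developer that this is the intended place for webhook exemptions; the docblock at 'Handle an incoming request.' should say so, and should warn that any branch returning $next($request) before the parent call skips CSRF for that request entirely, so such a branch should match exact paths and require the provider's own request signature rather than a bare path or source-IP check.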

6 comments on commit c3e3d9d

@djtarazona djtarazona replied Jan 27, 2015

Would it be better to move this to route middleware?

@russweas russweas replied Jan 27, 2015

@djtarazona Nahh. It makes it easier to just use Input::get when you want CSRF protection, and Request::get for the other ones.

@luscadigital luscadigital replied Feb 2, 2015

@rweas I'm confused. How is this intended to work?

@russweas russweas replied Feb 2, 2015

@luscadigital As I understand it, Input::get will do CSRF, but Request::get won't. So you can use either one whenever you need it.

@rtablada rtablada replied Feb 2, 2015

@djtarazona The idea is that most apps will require CSRF for everything other than whitelisted routes and/or requesting applications. So CSRF is the default so you don't leave random vulnerable routes.


@rweas that's not what is happening, the CSRF filter will run on any request that isn't HTTP GET.

This change just allows you to add conditionals for when you don't want CSRF to run (i.e. if the requesting app is from a whitelisted IP address).
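An added example of the override rtablada describes, not code from the commit or from anyone in this thread: the app-level subclass skips the session token only for an exact webhook path, and only when the provider's HMAC signature over the raw body checks out, so the route is never left open. The path `webhooks/github`, the config key `services.github.webhook_secret` and the `X-Hub-Signature` `sha1=<hex>` scheme are assumptions (the latter being the header GitHub documents).

```php
<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

    /**
     * Exact paths that authenticate themselves with a provider signature
     * instead of a CSRF token. Hypothetical route; avoid wildcards here.
     */
    protected $webhookPaths = ['webhooks/github'];

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        foreach ($this->webhookPaths as $path)
        {
            if ($request->is($path))
            {
                // CSRF is skipped only because the HMAC replaces it.
                if ( ! $this->signatureIsValid($request)) abort(403);

                return $next($request);
            }
        }

        // Every other non-GET request keeps the framework's token check.
        return parent::handle($request, $next);
    }

    /**
     * Verify "sha1=<hex>" in X-Hub-Signature against HMAC-SHA1 of the raw
     * body. The config key holding the shared secret is hypothetical.
     */
    protected function signatureIsValid($request)
    {
        $secret = config('services.github.webhook_secret');
        $header = (string) $request->header('X-Hub-Signature', '');
        if ( ! $secret || strpos($header, 'sha1=') !== 0) return false;

        $expected = 'sha1='.hash_hmac('sha1', $request->getContent(), $secret);
        return hash_equals($expected, $header); // constant-time, PHP >= 5.6
    }

}
```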

@russweas russweas replied Feb 3, 2015

@rtablada You're probably right, I'm not really an expert. This sounds like a really good idea thanks!
