Include CSRF middleware in base install for easy override / whitelist.
This makes it easy to skip CSRF verification for things like web hooks
and such from GitHub / Stripe.
taylorotwell committed Jan 27, 2015
1 parent 9b9c12f commit c3e3d9d
Showing 2 changed files with 21 additions and 1 deletion.
2 changes: 1 addition & 1 deletion app/Http/Kernel.php
Expand Up @@ -15,7 +15,7 @@ class Kernel extends HttpKernel {
'Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse',
'Illuminate\Session\Middleware\StartSession',
'Illuminate\View\Middleware\ShareErrorsFromSession',
'Illuminate\Foundation\Http\Middleware\VerifyCsrfToken',
'App\Http\Middleware\VerifyCsrfToken',
];

/**
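Review bot: The replacement entry `'App\Http\Middleware\VerifyCsrfToken'` in the `$middleware` array must stay after `'Illuminate\Session\Middleware\StartSession'`, because the base verifier compares the submitted token against the session token and needs the session started first; the hunk preserves that order, but a short comment above the entry in `Kernel.php` would stop a later reordering from silently breaking verification.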
20 changes: 20 additions & 0 deletions app/Http/Middleware/VerifyCsrfToken.php
@@ -0,0 +1,20 @@
<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
return parent::handle($request, $next);
}

}
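Review bot: The `handle()` override only does `return parent::handle($request, $next);`, so the class reads as dead weight and is at risk of being deleted as redundant; add a class-level docblock (the method has one, the class does not) stating that this subclass is the intended extension point for exempting specific routes such as the webhook endpoints named in the commit message, and that any route exempted here must authenticate the caller by some other means, since skipping the token check leaves it with no CSRF protection at all.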

6 comments on commit c3e3d9d

@djtarazona

Would it be better to move this to route middleware?

@russweas

@djtarazona Nahh. It makes it easier to just use Input::get when you want CSRF protection, and Request::get for the other ones.

@luscadigital

@rweas I'm confused. How is this intended to work?

@russweas

@luscadigital As I understand it, Input::get will do CSRF, but Request::get won't. So you can use either one whenever you need it.

@rtablada

@djtarazona The idea is that most apps will require CSRF for everything other than whitelisted routes and/or requesting applications. So CSRF is the default so you don't leave random vulnerable routes.


@rweas that's not what is happening; the CSRF filter will run on any request that isn't HTTP GET.

This change just allows you to add conditionals for when you don't want CSRF to run (i.e. if the requesting app is from a whitelisted IP address).
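As an added illustration of the override the comment above describes (this is example code written here, not code from the Laravel commit or the framework), one way to use the new `App\Http\Middleware\VerifyCsrfToken` subclass is to exempt a fixed list of webhook URIs and let every other non-read request fall through to the framework's token check. The `$except` property, the `shouldPassThrough()` helper and the two `webhooks/...` paths are assumptions chosen for this example; `$request->is()` is the existing Illuminate request method for matching the request path against a pattern. Routes listed in `$except` receive no CSRF check, so they need their own caller authentication (for instance the provider's webhook signature) handled in the route itself.

```php
<?php namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier {

	/**
	 * URI patterns exempt from CSRF verification.
	 *
	 * Hypothetical paths chosen for this example; the real list is
	 * application specific. Anything listed here must authenticate
	 * the caller in some other way (e.g. a webhook signature check).
	 *
	 * @var array
	 */
	protected $except = [
		'webhooks/github',
		'webhooks/stripe',
	];

	/**
	 * Handle an incoming request.
	 *
	 * Exempt URIs skip the token check entirely; every other request
	 * is passed to the framework verifier, which still allows safe
	 * read requests (GET, HEAD, OPTIONS) and enforces the token on
	 * state-changing ones.
	 *
	 * @param  \Illuminate\Http\Request  $request
	 * @param  \Closure  $next
	 * @return mixed
	 */
	public function handle($request, Closure $next)
	{
		if ($this->shouldPassThrough($request))
		{
			return $next($request);
		}

		return parent::handle($request, $next);
	}

	/**
	 * Determine whether the request path matches an exempt pattern.
	 *
	 * Helper name assumed for this example. Uses Request::is(), which
	 * matches the current path against a pattern (wildcards allowed).
	 *
	 * @param  \Illuminate\Http\Request  $request
	 * @return bool
	 */
	protected function shouldPassThrough($request)
	{
		foreach ($this->except as $pattern)
		{
			if ($request->is($pattern)) return true;
		}

		return false;
	}

}
```

Keeping the exemption list explicit and path-based, rather than a broad condition such as "any non-browser request", keeps the default from the commit (CSRF on for everything) intact and makes the unprotected surface reviewable in one place.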

@russweas

@rtablada You're probably right, I'm not really an expert. This sounds like a really good idea, thanks!
