
Unable to exclude URIs from CSRF verification #53

Closed
MatanYadaev opened this issue Jan 21, 2020 · 3 comments

MatanYadaev (Contributor) commented Jan 21, 2020

  • Airlock Version: 0.1.0
  • Laravel Version: 6.9.0
  • PHP Version: 7.4.0
  • Database Driver & Version: MySQL 5.7

Description:

I can't exclude URIs from CSRF verification because of this LoC
Laravel Airlock is using the middleware from the Illuminate package instead of the local one.
This way the $except remains always an empty array, and I can't exclude URIs.

Steps To Reproduce:

  1. Add URIs to the $except array in App\Http\Middleware\VerifyCsrfToken.php file.
  2. Try to access this route without a CSRF token.

Suggestion:

Add to the config/airlock.php file a configuration variable:

'csrfMiddlewareClass' => App\Http\Middleware\VerifyCsrfToken::class,

And make sure to use it in the EnsureFrontendRequestAreStateful:

static::fromFrontend($request) ? [
    \Illuminate\Cookie\Middleware\EncryptCookies::class,
    \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
    \Illuminate\Session\Middleware\StartSession::class,
    // resolve the app's CSRF middleware from config, falling back to the framework one
    Config::get('airlock.csrfMiddlewareClass', \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class),
] : [];
driesvints (Member) commented

Hmm, that indeed seems problematic, but I'm not sure if the current solution is the best one? What you can do instead is perhaps bind your implementation to the foundation one through the container:

$this->app->bind(
    \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class,
    \App\Http\Middleware\VerifyCsrfToken::class
);

MatanYadaev (Contributor, Author) commented

@driesvints My solution may not be the best one, but binding to the container is just a workaround in my opinion.
I'm sure some more people are using the $except property, so a solution must be documented for them.

lukadriel7 (Contributor) commented

Hello, I think the same should apply to the EncryptCookies middleware too.

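The container-binding workaround from driesvints' reply, extended to EncryptCookies as the last comment suggests, shown as an added example that is not code from this issue or from the Airlock project. It assumes a stock Laravel app layout (the two file paths in the comments); the excluded webhook URI is a placeholder.

```php
<?php
// ---- app/Http/Middleware/VerifyCsrfToken.php ----
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    // URIs excluded from CSRF verification. Keep this list minimal: each entry is a
    // state-changing endpoint that any third-party page a logged-in user visits can call.
    protected $except = [
        'webhooks/example-provider', // placeholder URI, not from the issue
    ];
}

// ---- app/Providers/AppServiceProvider.php ----
namespace App\Providers;

use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function register()
    {
        // EnsureFrontendRequestsAreStateful lists the *framework* middleware classes,
        // and the pipeline resolves each one through the container. Binding the
        // framework classes to the app subclasses makes the subclasses (and their
        // $except lists) take effect without patching the package.
        $this->app->bind(
            \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class,
            \App\Http\Middleware\VerifyCsrfToken::class
        );
        // Same pattern for EncryptCookies, whose app subclass carries its own $except.
        $this->app->bind(
            \Illuminate\Cookie\Middleware\EncryptCookies::class,
            \App\Http\Middleware\EncryptCookies::class
        );
    }
}

// ---- quick check, e.g. in `php artisan tinker` ----
// Without the binding the package silently runs the framework class and the
// $except list is ignored, so verify that the framework class now resolves to
// the app subclass before relying on any exclusion.
// assert(get_class(app(\Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class))
//     === \App\Http\Middleware\VerifyCsrfToken::class);
```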