Skip to content

Custom CSRF middleware support #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 21, 2015
Merged

Custom CSRF middleware support #8

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
03cac14
[FEATURE] Support for custom csrf verifier
skipperbent Oct 21, 2015
d6cf5c9
[TASK] Updated documentation
skipperbent Oct 21, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 37 additions & 7 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,19 +197,49 @@ function csrf_token() {
}
```

### Example for getting the url
## Getting urls

In ```routes.php``` we have added this route:
**In ```routes.php``` we have added this route:**

```SimpleRouter::get('/item/{id}', 'myController@show', ['as' => 'item']);```
```php
SimpleRouter::get('/item/{id}', 'myController@show', ['as' => 'item']);
```

**In the template we then call:**

```php
url('item', ['id' => 22], ['category' => 'shoes']);
```

**Result url is:**

```php
/item/22/?category=shoes
```

## Custom CSRF verifier

In the template we then call:
Create a new class and extend the ```BaseCsrfVerifier``` middleware class provided with simple-php-router.

```url('item', ['id' => 22], ['category' => 'shoes']);```
Add the property ```except``` with an array of the urls to the routes you would like to exclude from the CSRF validation. Using ```*``` at the end for the url will match the entire url.

Result url is:
Querystrings are ignored.

```/item/22?category=shoes ```
```php
use Pecee\Http\Middleware\BaseCsrfVerifier;

class CsrfVerifier extends BaseCsrfVerifier {

protected $except = ['/companies/*', '/user/save'];

}
```

Register the new class in your ```routes.php```, custom ```Router``` class or wherever you register your routes.

```php
SimpleRouter::csrfVerifier(new \Demo\Middleware\CsrfVerifier());
```

## Documentation
While I work on a better documentation, please refer to the Laravel 5 routing documentation here:
Expand Down
32 changes: 31 additions & 1 deletion src/Pecee/Http/Middleware/BaseCsrfVerifier.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,39 @@ class BaseCsrfVerifier extends Middleware {
const POST_KEY = 'csrf-token';
const HEADER_KEY = 'X-CSRF-TOKEN';

protected $except;

/**
* Check if the url matches the urls in the except property
* @param Request $request
* @return bool
*/
protected function skip(Request $request) {

if($this->except === null || !is_array($this->except)) {
return false;
}

foreach($this->except as $url) {
$url = rtrim($url, '/');
if($url[strlen($url)-1] === '*') {
$url = rtrim($url, '*');
$skip = (stripos($request->getUri(), $url) === 0);
} else {
$skip = ($url === rtrim($request->getUri(), '/'));
}

if($skip) {
return true;
}
}

return false;
}

public function handle(Request $request) {

if($request->getMethod() != 'get') {
if($request->getMethod() != 'get' && !$this->skip($request)) {

$token = (isset($_POST[self::POST_KEY])) ? $_POST[self::POST_KEY] : null;

Expand Down