CsrfMiddleware and CsrfAwareActionInterface #70
CsrfMiddleware is currently running for all requests. However, this functionality is sometimes not required, or a separate implementation is required for individual endpoints that process external requests as an API.

Magento has a CsrfAwareActionInterface endpoint interface. If implemented, the endpoint checks the CSRF itself; otherwise the CSRF is checked by Magento. You need to do something like this.

That's already possible. Middleware could be used in three ways:

All these are configured at the application level. That's already in the docs but will be even more visible after the alpha release: https://github.com/yiisoft/docs/blob/master/guide/en/structure/middleware.md

It is clear that it is possible to add it. But I mean that it would be nice to be able to add the CsrfAwareActionInterface interface in the controller and not implement your own CsrfMiddleware. Now we have CsrfMiddleware whose scope is very limited, and it is inconvenient to use it for separate routes. In case of difficulties, 99% of people will not write their own CsrfMiddleware; they will simply disable it.

It's not. Exactly the same middleware could be registered for an individual route or a group of routes.

What is inconvenient in the following?

```php
Group::create('/user', [
    // routes here
])->addMiddleware(\Yiisoft\Csrf\CsrfMiddleware::class),
```

What if third-party modules add routes for which CSRF is not needed? Will they have to ask the user to change their global configuration? Remove the application's CsrfMiddleware from the chain above? I find it difficult. PS: This is from experience. I had to solve a similar problem the other day in a commercial project.

Alright. CSRF is likely worth moving to the router level.
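As an added illustration, not code from Yii or from anyone in this thread, here is a small self-contained PHP 8 sketch of the pattern the issue asks for: a CSRF middleware that still applies its default session-token check to every unsafe request, but lets an action implementing a hypothetical CsrfAwareActionInterface (modelled on the Magento interface mentioned above) make its own decision. All class and method names here (ActionInterface, CsrfAwareActionInterface, CsrfMiddleware::process, the array-shaped request) are assumptions, and the webhook's HMAC check stands in for whatever an external API endpoint actually uses.

```php
<?php
declare(strict_types=1);

// Constructed example of the "CSRF-aware action" pattern. None of the names
// below are real Yii or Magento APIs; the request is a plain array for brevity.

interface ActionInterface
{
    public function handle(array $request): string;
}

/**
 * An action that takes responsibility for its own CSRF decision.
 * Return true to accept, false to reject, or null to fall back to the
 * framework's default session-token check.
 */
interface CsrfAwareActionInterface extends ActionInterface
{
    public function validateForCsrf(array $request): ?bool;
}

final class CsrfMiddleware
{
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    public function __construct(private string $sessionToken)
    {
    }

    public function process(array $request, ActionInterface $action): string
    {
        $decision = $action instanceof CsrfAwareActionInterface
            ? $action->validateForCsrf($request)
            : null;

        // null means "no opinion": the default token check still applies,
        // so opting in to the interface never silently disables protection.
        if ($decision === null) {
            $decision = $this->defaultCheck($request);
        }

        if ($decision === false) {
            return '403 Forbidden: CSRF validation failed';
        }
        return $action->handle($request);
    }

    private function defaultCheck(array $request): bool
    {
        if (in_array($request['method'], self::SAFE_METHODS, true)) {
            return true;
        }
        $submitted = $request['body']['_csrf'] ?? null;
        // hash_equals() compares in constant time; non-strings are rejected first.
        return is_string($submitted) && hash_equals($this->sessionToken, $submitted);
    }
}

// A regular form action: says nothing about CSRF, so the default check applies.
final class ProfileUpdateAction implements ActionInterface
{
    public function handle(array $request): string
    {
        return '200 profile updated';
    }
}

// An endpoint called by an external system that has no session and no form
// token; it authenticates the raw body with an HMAC over a shared secret instead.
final class WebhookAction implements CsrfAwareActionInterface
{
    public function __construct(private string $sharedSecret)
    {
    }

    public function validateForCsrf(array $request): ?bool
    {
        $expected = hash_hmac('sha256', $request['rawBody'], $this->sharedSecret);
        $given = $request['headers']['X-Signature'] ?? '';
        return is_string($given) && hash_equals($expected, $given);
    }

    public function handle(array $request): string
    {
        return '200 webhook accepted';
    }
}

// Constructed sample requests.
$sessionToken = bin2hex(random_bytes(16));
$secret = 'constructed-shared-secret';
$csrf = new CsrfMiddleware($sessionToken);

$form = ['method' => 'POST', 'body' => ['_csrf' => $sessionToken], 'headers' => [], 'rawBody' => ''];
echo $csrf->process($form, new ProfileUpdateAction()), PHP_EOL;

$forged = $form;
$forged['body']['_csrf'] = 'wrong-token';
echo $csrf->process($forged, new ProfileUpdateAction()), PHP_EOL;

$payload = '{"event":"ping"}';
$hook = ['method' => 'POST', 'body' => [], 'rawBody' => $payload,
    'headers' => ['X-Signature' => hash_hmac('sha256', $payload, $secret)]];
echo $csrf->process($hook, new WebhookAction($secret)), PHP_EOL;
```

Run it with `php example.php`. The point of the null return value is the one raised in the thread: an action that implements the interface can replace the token check with something appropriate for its callers, but an action that does not implement it (or returns null) is still covered by the global check, so third-party routes get an explicit opt-out without anyone having to remove CsrfMiddleware from the application-level chain.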