From 03cac14e8e336c25aadfa78e8bfca9468f904d50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20Sessing=C3=B8?=
Date: Wed, 21 Oct 2015 19:07:45 +0200
Subject: [PATCH 1/2] [FEATURE] Support for custom csrf verifier
- Added support for custom csrf verifier.
- Updated documentation.
---
 README.md | 22 ++++++++++++-
 .../Http/Middleware/BaseCsrfVerifier.php | 32 ++++++++++++++++++-
 2 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index bf59bf5..5c4e703 100644
--- a/README.md
+++ b/README.md
@@ -209,7 +209,27 @@ In the template we then call:
 Result url is:
-```/item/22?category=shoes ```
+```/item/22/?category=shoes```
+
+## Custom CSRF verifier
+
+Create a new class and extend the ```BaseCsrfVerifier``` middleware class provided with simple-php-router.
+
+```php
+use Pecee\Http\Middleware\BaseCsrfVerifier;
+
+class CsrfVerifier extends BaseCsrfVerifier {
+
+ protected $except = ['/companies/*', '/user/save'];
+
+}
+```
+
+Register the new class in your ```routes.php```, custom ```Router``` class or wherever you register your routes.
+
+```php
+SimpleRouter::csrfVerifier(new \Demo\Middleware\CsrfVerifier());
+```
 ## Documentation
 While I work on a better documentation, please refer to the Laravel 5 routing documentation here:
diff --git a/src/Pecee/Http/Middleware/BaseCsrfVerifier.php b/src/Pecee/Http/Middleware/BaseCsrfVerifier.php
index 3d8032e..c3edcd1 100644
--- a/src/Pecee/Http/Middleware/BaseCsrfVerifier.php
+++ b/src/Pecee/Http/Middleware/BaseCsrfVerifier.php
@@ -11,9 +11,39 @@ class BaseCsrfVerifier extends Middleware {
 const POST_KEY = 'csrf-token';
 const HEADER_KEY = 'X-CSRF-TOKEN';
+ protected $except;
+
+ /**
+ * Check if the url matches the urls in the except property
+ * @param Request $request
+ * @return bool
+ */
+ protected function skip(Request $request) {
+
+ if($this->except === null || !is_array($this->except)) {
+ return false;
+ }
+
+ foreach($this->except as $url) {
+ $url = rtrim($url, '/');
+ if($url[strlen($url)-1] === '*') {
+ $url = rtrim($url, '*');
+ $skip = (stripos($request->getUri(), $url) === 0);
+ } else {
+ $skip = ($url === rtrim($request->getUri(), '/'));
+ }
+
+ if($skip) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
 public function handle(Request $request) {
- if($request->getMethod() != 'get') {
+ if($request->getMethod() != 'get' && !$this->skip($request)) {
 $token = (isset($_POST[self::POST_KEY])) ? $_POST[self::POST_KEY] : null;
From d6cf5c9b682fbdd75d1d0b1fd75c3b902a9b4c17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20Sessing=C3=B8?=
Date: Wed, 21 Oct 2015 19:14:37 +0200
Subject: [PATCH 2/2] [TASK] Updated documentation
---
 README.md | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 5c4e703..3c8421e 100644
--- a/README.md
+++ b/README.md
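Review bot: The wildcard branch of skip() exempts a request from CSRF verification on a bare, case-insensitive string prefix (`stripos`), so an except entry such as `/user*` also covers `/username/...`, and a differently-cased path like `/Companies/x` is exempted too; an exemption list should match as narrowly as possible, so compare with `strpos` and state in the docblock that the `*` form is a plain prefix match with no path-segment boundary. It is also unclear from the hunk whether `$request->getUri()` includes the query string (its implementation is outside this file); if it does, the exact-match branch silently fails for `/user/save?x=1` while the prefix branch still matches, so normalise once before the loop with `$path = (string) parse_url($request->getUri(), PHP_URL_PATH);` and compare `$path` (prefix branch) and `rtrim($path, '/')` (exact branch). `$url[strlen($url)-1]` emits a notice for an empty except entry; `substr($url, -1) === '*'` is the safer test. The body of handle() continues past the end of the hunk.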
@@ -197,24 +197,34 @@ function csrf_token() {
 }
 ```
-### Example for getting the url
+## Getting urls
-In ```routes.php``` we have added this route:
+**In ```routes.php``` we have added this route:**
-```SimpleRouter::get('/item/{id}', 'myController@show', ['as' => 'item']);```
+```php
+SimpleRouter::get('/item/{id}', 'myController@show', ['as' => 'item']);
+```
-In the template we then call:
+**In the template we then call:**
-```url('item', ['id' => 22], ['category' => 'shoes']);```
+```php
+url('item', ['id' => 22], ['category' => 'shoes']);
+```
-Result url is:
+**Result url is:**
-```/item/22/?category=shoes```
+```php
+/item/22/?category=shoes
+```
 ## Custom CSRF verifier
 Create a new class and extend the ```BaseCsrfVerifier``` middleware class provided with simple-php-router.
+Add the property ```except``` with an array of the urls to the routes you would like to exclude from the CSRF validation. Using ```*``` at the end for the url will match the entire url.
+
+Querystrings are ignored.
+
 ```php
 use Pecee\Http\Middleware\BaseCsrfVerifier;