mirror of
https://github.com/skipperbent/simple-php-router.git
synced 2026-07-11 13:42:14 +00:00
Merge pull request #8 from skipperbent/feature-csrf
Custom CSRF middleware support
This commit is contained in:
@@ -197,19 +197,49 @@ function csrf_token() {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
### Example for getting the url
|
## Getting urls
|
||||||
|
|
||||||
In ```routes.php``` we have added this route:
|
**In ```routes.php``` we have added this route:**
|
||||||
|
|
||||||
```SimpleRouter::get('/item/{id}', 'myController@show', ['as' => 'item']);```
|
```php
|
||||||
|
SimpleRouter::get('/item/{id}', 'myController@show', ['as' => 'item']);
|
||||||
|
```
|
||||||
|
|
||||||
In the template we then call:
|
**In the template we then call:**
|
||||||
|
|
||||||
```url('item', ['id' => 22], ['category' => 'shoes']);```
|
```php
|
||||||
|
url('item', ['id' => 22], ['category' => 'shoes']);
|
||||||
|
```
|
||||||
|
|
||||||
Result url is:
|
**Result url is:**
|
||||||
|
|
||||||
```/item/22?category=shoes ```
|
```php
|
||||||
|
/item/22/?category=shoes
|
||||||
|
```
|
||||||
|
|
||||||
|
## Custom CSRF verifier
|
||||||
|
|
||||||
|
Create a new class and extend the ```BaseCsrfVerifier``` middleware class provided with simple-php-router.
|
||||||
|
|
||||||
|
Add the property ```except``` with an array of the urls to the routes you would like to exclude from the CSRF validation. Using ```*``` at the end for the url will match the entire url.
|
||||||
|
|
||||||
|
Querystrings are ignored.
|
||||||
|
|
||||||
|
```php
|
||||||
|
use Pecee\Http\Middleware\BaseCsrfVerifier;
|
||||||
|
|
||||||
|
class CsrfVerifier extends BaseCsrfVerifier {
|
||||||
|
|
||||||
|
protected $except = ['/companies/*', '/user/save'];
|
||||||
|
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Register the new class in your ```routes.php```, custom ```Router``` class or wherever you register your routes.
|
||||||
|
|
||||||
|
```php
|
||||||
|
SimpleRouter::csrfVerifier(new \Demo\Middleware\CsrfVerifier());
|
||||||
|
```
|
||||||
|
|
||||||
## Documentation
|
## Documentation
|
||||||
While I work on a better documentation, please refer to the Laravel 5 routing documentation here:
|
While I work on a better documentation, please refer to the Laravel 5 routing documentation here:
|
||||||
|
|||||||
@@ -11,9 +11,39 @@ class BaseCsrfVerifier extends Middleware {
|
|||||||
const POST_KEY = 'csrf-token';
|
const POST_KEY = 'csrf-token';
|
||||||
const HEADER_KEY = 'X-CSRF-TOKEN';
|
const HEADER_KEY = 'X-CSRF-TOKEN';
|
||||||
|
|
||||||
|
protected $except;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if the url matches the urls in the except property
|
||||||
|
* @param Request $request
|
||||||
|
* @return bool
|
||||||
|
*/
|
||||||
|
protected function skip(Request $request) {
|
||||||
|
|
||||||
|
if($this->except === null || !is_array($this->except)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach($this->except as $url) {
|
||||||
|
$url = rtrim($url, '/');
|
||||||
|
if($url[strlen($url)-1] === '*') {
|
||||||
|
$url = rtrim($url, '*');
|
||||||
|
$skip = (stripos($request->getUri(), $url) === 0);
|
||||||
|
} else {
|
||||||
|
$skip = ($url === rtrim($request->getUri(), '/'));
|
||||||
|
}
|
||||||
|
|
||||||
|
if($skip) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
public function handle(Request $request) {
|
public function handle(Request $request) {
|
||||||
|
|
||||||
if($request->getMethod() != 'get') {
|
if($request->getMethod() != 'get' && !$this->skip($request)) {
|
||||||
|
|
||||||
$token = (isset($_POST[self::POST_KEY])) ? $_POST[self::POST_KEY] : null;
|
$token = (isset($_POST[self::POST_KEY])) ? $_POST[self::POST_KEY] : null;
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user