Merge pull request #8 from skipperbent/feature-csrf

Custom CSRF middleware support
[TASK] Updated documentation
2026-06-17 16:57:53 +00:00 · 2015-10-21 19:15:22 +02:00 · 2015-10-21 19:14:37 +02:00 · 2015-10-21 19:07:45 +02:00
2 changed files with 68 additions and 8 deletions
@@ -197,19 +197,49 @@ function csrf_token() {
 }
 ```

-### Example for getting the url
+## Getting urls

-In ```routes.php``` we have added this route:
+**In ```routes.php``` we have added this route:**

-```SimpleRouter::get('/item/{id}', 'myController@show', ['as' => 'item']);```
+```php
+SimpleRouter::get('/item/{id}', 'myController@show', ['as' => 'item']);
+```

-In the template we then call:
+**In the template we then call:**

-```url('item', ['id' => 22], ['category' => 'shoes']);```
+```php
+url('item', ['id' => 22], ['category' => 'shoes']);
+```

-Result url is:
+**Result url is:**

-```/item/22?category=shoes ```
+```php
+/item/22/?category=shoes
+```
+
+## Custom CSRF verifier
+
+Create a new class and extend the ```BaseCsrfVerifier``` middleware class provided with simple-php-router.
+
+Add the property ```except``` with an array of the urls to the routes you would like to exclude from the CSRF validation. Using ```*``` at the end for the url will match the entire url.
+
+Querystrings are ignored.
+
+```php
+use Pecee\Http\Middleware\BaseCsrfVerifier;
+
+class CsrfVerifier extends BaseCsrfVerifier {
+
+    protected $except = ['/companies/*', '/user/save'];
+
+}
+```
+
+Register the new class in your ```routes.php```, custom ```Router``` class or wherever you register your routes.
+
+```php
+SimpleRouter::csrfVerifier(new \Demo\Middleware\CsrfVerifier());
+```

 ## Documentation
 While I work on a better documentation, please refer to the Laravel 5 routing documentation here:
@@ -11,9 +11,39 @@ class BaseCsrfVerifier extends Middleware {
    const POST_KEY = 'csrf-token';
    const HEADER_KEY = 'X-CSRF-TOKEN';

+    protected $except;
+
+    /**
+     * Check if the url matches the urls in the except property
+     * @param Request $request
+     * @return bool
+     */
+    protected function skip(Request $request) {
+
+        if($this->except === null || !is_array($this->except)) {
+            return false;
+        }
+
+        foreach($this->except as $url) {
+            $url = rtrim($url, '/');
+            if($url[strlen($url)-1] === '*') {
+                $url = rtrim($url, '*');
+                $skip = (stripos($request->getUri(), $url) === 0);
+            } else {
+                $skip = ($url === rtrim($request->getUri(), '/'));
+            }
+
+            if($skip) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
    public function handle(Request $request) {

-        if($request->getMethod() != 'get') {
+        if($request->getMethod() != 'get' && !$this->skip($request)) {

            $token = (isset($_POST[self::POST_KEY])) ? $_POST[self::POST_KEY] : null;
Author	SHA1	Message	Date
Simon Sessingø	5d643d842a	Merge pull request #8 from skipperbent/feature-csrf Custom CSRF middleware support	2015-10-21 19:15:22 +02:00
Simon Sessingø	d6cf5c9b68	[TASK] Updated documentation	2015-10-21 19:14:37 +02:00
Simon Sessingø	03cac14e8e	[FEATURE] Support for custom csrf verifier - Added support for custom csrf verifier. - Updated documentation.	2015-10-21 19:07:45 +02:00