6

I am aware of the $except property of the VerifyCsrfToken middleware (app/Http/Middleware/VerifyCsrfToken.php) but I am looking for a way to do something similar from my package (so the users who install it don't have to modify their VerifyCsrfToken.php for my route to work).

I am able to define routes on my package but I have no idea how to exclude one (or more) of them from the default middleware. I have tried extending Illuminate\Foundation\Http\Middleware\VerifyCsrfToken on my own package with no luck.

Julio J.
  • 193
  • 1
  • 5
  • 2
    It seems the answer to my question is "No, there is no way". Looking at the [docs for Cashier](http://laravel.com/docs/5.1/billing#handling-stripe-webhooks) (in-house package with a post route that needs to bypass the middleware) you need to manually add, per-app, the route to your `app/Http/Middleware/VerifyCsrfToken.php`. Pretty inconvenient if you ask me but I guess there's no other way. – Julio J. Oct 22 '15 at 14:34
  • 3
    I feel your pain. I [asked a very similar question just now](http://stackoverflow.com/questions/33949758/programmatically-add-exception-from-csrf-check-from-laravel-package). I explored a number of workarounds, one of which might work for you, but I suspect having the user modify `VerifyCsrfToken` is going to remain the only viable solution. – morphatic Nov 27 '15 at 03:28

2 Answers2

0

No, there is not. Middleware is always executed when provided in the $middleware property of your app/Http/Kernel.php class.

This is a good thing. You want to give the developers full control on whether or not they want to enable security checks in their application.

If you really need an exception on the route, you can simply ask to manually add the exception to the VerifyCsrfToken class.

The $exceptarray in the VerifyCsrfToken class is in no way accessible by the Service Container as far as I know. Even if you could find a way to create an instance of the middleware, the Kernel will just create a new instance of the middleware classes. Because the list of exceptions isn't static, it is impossible to change this.

Mark Walet
  • 1,147
  • 10
  • 21
-2

Yes, it's actually pretty simple and also covered in the docs located here, but for simplicity here's the answer which is provided for your reference:

    <?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'stripe/*',
    ];
}
Azeame
  • 2,322
  • 2
  • 14
  • 30
  • 2
    As I said on the question, I am aware of that property but I was looking for a way to do it within the package, so I wouldn't have to ask my users to do one more thing to install my package. – Julio J. Nov 05 '15 at 13:55