Added CSRF Extender (#2095)

2025-08-07 08:56:38 +02:00 · 2020-04-03 15:32:18 -04:00
parent ecdd7a2b49
commit 0d57820b50
6 changed files with 193 additions and 2 deletions
--- a/src/Extend/Csrf.php
+++ b/src/Extend/Csrf.php
@@ -0,0 +1,32 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Extend;
+
+use Flarum\Extension\Extension;
+use Illuminate\Contracts\Container\Container;
+
+class Csrf implements ExtenderInterface
+{
+    protected $csrfExemptPaths = [];
+
+    public function exemptPath(string $path)
+    {
+        $this->csrfExemptPaths[] = $path;
+
+        return $this;
+    }
+
+    public function extend(Container $container, Extension $extension = null)
+    {
+        $container->extend('flarum.http.csrfExemptPaths', function ($existingExemptPaths) {
+            return array_merge($existingExemptPaths, $this->csrfExemptPaths);
+        });
+    }
+}
--- a/src/Foundation/InstalledSite.php
+++ b/src/Foundation/InstalledSite.php
@@ -21,6 +21,7 @@ use Flarum\Formatter\FormatterServiceProvider;
 use Flarum\Forum\ForumServiceProvider;
 use Flarum\Frontend\FrontendServiceProvider;
 use Flarum\Group\GroupServiceProvider;
+use Flarum\Http\HttpServiceProvider;
 use Flarum\Locale\LocaleServiceProvider;
 use Flarum\Mail\MailServiceProvider;
 use Flarum\Notification\NotificationServiceProvider;
@@ -125,6 +126,7 @@ class InstalledSite implements SiteInterface
        $laravel->register(FrontendServiceProvider::class);
        $laravel->register(GroupServiceProvider::class);
        $laravel->register(HashServiceProvider::class);
+        $laravel->register(HttpServiceProvider::class);
        $laravel->register(LocaleServiceProvider::class);
        $laravel->register(MailServiceProvider::class);
        $laravel->register(MigrationServiceProvider::class);
--- a/src/Http/HttpServiceProvider.php
+++ b/src/Http/HttpServiceProvider.php
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Http;
+
+use Flarum\Foundation\AbstractServiceProvider;
+
+class HttpServiceProvider extends AbstractServiceProvider
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function register()
+    {
+        $this->app->singleton('flarum.http.csrfExemptPaths', function () {
+            return ['/api/token'];
+        });
+
+        $this->app->bind(Middleware\CheckCsrfToken::class, function ($app) {
+            return new Middleware\CheckCsrfToken($app->make('flarum.http.csrfExemptPaths'));
+        });
+    }
+}
--- a/src/Http/Middleware/CheckCsrfToken.php
+++ b/src/Http/Middleware/CheckCsrfToken.php
@@ -17,8 +17,22 @@ use Psr\Http\Server\RequestHandlerInterface as Handler;

 class CheckCsrfToken implements Middleware
 {
+    protected $exemptRoutes;
+
+    public function __construct(array $exemptRoutes)
+    {
+        $this->exemptRoutes = $exemptRoutes;
+    }
+
    public function process(Request $request, Handler $handler): Response
    {
+        $path = $request->getAttribute('originalUri')->getPath();
+        foreach ($this->exemptRoutes as $exemptRoute) {
+            if (fnmatch($exemptRoute, $path)) {
+                return $handler->handle($request);
+            }
+        }
+
        if (in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'])) {
            return $handler->handle($request);
        }