Added CSRF Extender (#2095)

framework/core/src/Http/HttpServiceProvider.php

@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Http;
+
+use Flarum\Foundation\AbstractServiceProvider;
+
+class HttpServiceProvider extends AbstractServiceProvider
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function register()
+    {
+        $this->app->singleton('flarum.http.csrfExemptPaths', function () {
+            return ['/api/token'];
+        });
+
+        $this->app->bind(Middleware\CheckCsrfToken::class, function ($app) {
+            return new Middleware\CheckCsrfToken($app->make('flarum.http.csrfExemptPaths'));
+        });
+    }
+}

framework/core/src/Http/Middleware/CheckCsrfToken.php

@@ -17,8 +17,22 @@ use Psr\Http\Server\RequestHandlerInterface as Handler;
 
 class CheckCsrfToken implements Middleware
 {
+    protected $exemptRoutes;
+
+    public function __construct(array $exemptRoutes)
+    {
+        $this->exemptRoutes = $exemptRoutes;
+    }
+
     public function process(Request $request, Handler $handler): Response
     {
+        $path = $request->getAttribute('originalUri')->getPath();
+        foreach ($this->exemptRoutes as $exemptRoute) {
+            if (fnmatch($exemptRoute, $path)) {
+                return $handler->handle($request);
+            }
+        }
+
         if (in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'])) {
             return $handler->handle($request);
         }