laravel 对读请求加 csrf-token 验证

小猪快点跑

于 2021-04-13 17:52:24 发布

阅读量664

点赞数

本文链接：https://blog.csdn.net/weixin_41565755/article/details/115674265

版权

PHP & Laravel 专栏收录该内容

32 篇文章 1 订阅

订阅专栏

1、laravel 默认是不对对于重要的读请求进行 csrf-token 验证的，但是对于对于一些重要的读方法，也可以添加保护。

    protected function isReading($request)
    {
        return in_array($request->method(), ['HEAD', 'GET', 'OPTIONS']);
    }

2、对读请求加 csrf-token 验证

（1）namespace Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;

/*修改方法*/

public function handle($request, Closure $next)
{
    if ($this->isReading() && $this->mustVerifyCsrfToken($request)) {
        if (!$this->tokensMatch()) {
            throw new TokenMismatchException;
        }
    }

    if (
        $this->isReading($request) ||
        $this->runningUnitTests() ||
        $this->shouldPassThrough($request) ||
        $this->tokensMatch($request)
    ) {
        return $this->addCookieToResponse($request, $next($request));
    }

    throw new TokenMismatchException;
}

/* 添加方法 */

protected function mustVerifyCsrfToken($request)
{
    foreach ($this->mustVerify as $must) {
        if ($must !== '/') {
            $must = trim($must, '/');
        }

        if ($request->is($must)) {
            return true;
        }
    }

    return false;
}

（2）namespace WebGroup\Http\Middleware\VerifyCsrfToken;

修改类，添加 $mustVerify 属性

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        //
    ];

    /**
     * The URIs with reading method (['HEAD', 'GET', 'OPTIONS']) that must pass CSRF verification.
     *
     * @var array
     */
    protected $mustVerify = [
        //
    ];
}