Merge pull request #8 from skipperbent/feature-csrf

skipperbent · skipperbent · commit 5d643d842afe · 2015-10-21T19:15:22.000+02:00
Custom CSRF middleware support
diff --git a/README.md b/README.md
@@ -197,19 +197,49 @@ function csrf_token() {
 }
 ```
 
-### Example for getting the url
+## Getting urls
 
-In ```routes.php``` we have added this route:
+**In ```routes.php``` we have added this route:**
 
-```SimpleRouter::get('/item/{id}', 'myController@show', ['as' => 'item']);```
+```php
+SimpleRouter::get('/item/{id}', 'myController@show', ['as' => 'item']);
+```
+
+**In the template we then call:**
+
+```php
+url('item', ['id' => 22], ['category' => 'shoes']);
+```
+
+**Result url is:**
+
+```php
+/item/22/?category=shoes
+```
+
+## Custom CSRF verifier
 
-In the template we then call:
+Create a new class and extend the ```BaseCsrfVerifier``` middleware class provided with simple-php-router.
 
-```url('item', ['id' => 22], ['category' => 'shoes']);```
+Add the property ```except``` with an array of the urls to the routes you would like to exclude from the CSRF validation. Using ```*``` at the end for the url will match the entire url.
 
-Result url is:
+Querystrings are ignored.
 
-```/item/22?category=shoes ```
+```php
+use Pecee\Http\Middleware\BaseCsrfVerifier;
+
+class CsrfVerifier extends BaseCsrfVerifier {
+
+    protected $except = ['/companies/*', '/user/save'];
+
+}
+```
+
+Register the new class in your ```routes.php```, custom ```Router``` class or wherever you register your routes.
+
+```php
+SimpleRouter::csrfVerifier(new \Demo\Middleware\CsrfVerifier());
+```
 
 ## Documentation
 While I work on a better documentation, please refer to the Laravel 5 routing documentation here:
diff --git a/src/Pecee/Http/Middleware/BaseCsrfVerifier.php b/src/Pecee/Http/Middleware/BaseCsrfVerifier.php
@@ -11,9 +11,39 @@ class BaseCsrfVerifier extends Middleware {
     const POST_KEY = 'csrf-token';
     const HEADER_KEY = 'X-CSRF-TOKEN';
 
+    protected $except;
+
+    /**
+     * Check if the url matches the urls in the except property
+     * @param Request $request
+     * @return bool
+     */
+    protected function skip(Request $request) {
+
+        if($this->except === null || !is_array($this->except)) {
+            return false;
+        }
+
+        foreach($this->except as $url) {
+            $url = rtrim($url, '/');
+            if($url[strlen($url)-1] === '*') {
+                $url = rtrim($url, '*');
+                $skip = (stripos($request->getUri(), $url) === 0);
+            } else {
+                $skip = ($url === rtrim($request->getUri(), '/'));
+            }
+
+            if($skip) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     public function handle(Request $request) {
 
-        if($request->getMethod() != 'get') {
+        if($request->getMethod() != 'get' && !$this->skip($request)) {
 
             $token = (isset($_POST[self::POST_KEY])) ? $_POST[self::POST_KEY] : null;
 
