PHP: Disabling CSRF in Laravel for specific routes
Tags: php, laravel, laravel-5, laravel-5.1

I have a payment system where data is submitted to a third-party site and then hauled back.
When the data returns, it hits a specific URL, let's say the /ok route. $_REQUEST['transaction']
But because of the Laravel middleware I am getting a token mismatch. There is no way the third-party payment API can generate a token, so how do I disable it? Only for this route.
Or is there a better option?
Route::get('/payment/ok', 'TransactionsController@Ok');
Route::get('/payment/fail', 'TransactionsController@Fail');

public function Ok( Request $request )
{
    $transId = $request->get('trans_id');
    if ( isset( $transId ) )
    {
        return $transId;
    }
}
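Since version 5.1, Laravel's VerifyCsrfToken middleware allows you to specify routes that are excluded from CSRF validation. To do this, add the routes to the $except array in your App\Http\Middleware\VerifyCsrfToken.php class: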
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    protected $except = [
        'payment/*',
    ];
}
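Added example, not part of the original answer and not Laravel's own code: a simplified stand-in for the wildcard match applied to $except entries, showing how many paths 'payment/*' exempts compared with listing the two callback routes exactly. The helper names matchesExcept and exemptPaths are hypothetical, every path other than payment/ok and payment/fail is constructed, and the assumption is that '*' matches any run of characters, including '/'.

```php
<?php
// Simplified stand-in (assumption) for how an $except entry is matched against
// the request path: '*' is a wildcard that also spans '/' characters.
function matchesExcept(string $pattern, string $path): bool
{
    // Normalise both sides the way a path comparison needs: no outer slashes.
    $pattern = $pattern === '/' ? '/' : trim($pattern, '/');
    $path = trim(rawurldecode($path), '/');
    if ($path === '') {
        $path = '/';
    }
    if ($pattern === $path) {
        return true;
    }
    // Quote regex metacharacters, then turn the escaped '*' back into '.*'.
    $regex = str_replace('\*', '.*', preg_quote($pattern, '#'));

    return preg_match('#^' . $regex . '\z#u', $path) === 1;
}

// Return the subset of $paths that would skip CSRF verification.
function exemptPaths(array $except, array $paths): array
{
    return array_values(array_filter($paths, function (string $path) use ($except) {
        foreach ($except as $pattern) {
            if (matchesExcept($pattern, $path)) {
                return true;
            }
        }
        return false;
    }));
}

// Constructed sample paths; only the first two are routes from the question.
$paths = [
    'payment/ok', 'payment/fail', 'payment/refund/42',
    'payment', 'payments/ok', 'account/email',
];

$wildcard = exemptPaths(['payment/*'], $paths);
$exact = exemptPaths(['payment/ok', 'payment/fail'], $paths);

echo 'payment/* exempts:    ' . implode(', ', $wildcard) . PHP_EOL;
echo 'exact entries exempt: ' . implode(', ', $exact) . PHP_EOL;
```

With these constructed paths the wildcard entry also exempts payment/refund/42, while the exact entries exempt only the two callback routes, so any state-changing route later added under payment/ inherits the exemption.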
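The technique described by @jedrzej.kurylo works well for excluding one or two pages.
If you need to exclude a large number of pages from CSRF validation, with more future-proofing, here is a different technique.
You can segment your routes and apply different middleware to each segment. So you can put your payment routes into a separate route group and simply not apply VerifyCsrfToken to them. Here's how.
1. Create a routes file
You'll notice that in your routes directory, you have the following tree: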
routes/
routes/api.php
routes/web.php
Create a new file here, routes/payment.php, and add your routes to it:
<?php
use Illuminate\Support\Facades\Route;
Route::get('/payment/ok', 'TransactionsController@Ok');
Route::get('/payment/fail', 'TransactionsController@Fail');
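Notice that we've added a new middleware layer. This is important for the next step.
3. Add a new middleware layer
The middleware for route groups is defined in App\Http\Kernel.php.
Update the $middlewareGroups property and add a middle entry for 'payment'. It can be exactly the same as web, but without the VerifyCsrfToken line.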
protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \App\Http\Middleware\NoClickjack::class,
        \App\Http\Middleware\SecureReferrerPolicy::class,
        \App\Http\Middleware\NoXssScripting::class,
    ],

    // ********** Add this *******************
    'payment' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,

        // This is the line you want to comment-out / remove
        // \App\Http\Middleware\VerifyCsrfToken::class,

        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \App\Http\Middleware\NoClickjack::class,
        \App\Http\Middleware\SecureReferrerPolicy::class,
        \App\Http\Middleware\NoXssScripting::class,
    ],

    'api' => [
        'throttle:60,1',
        'bindings',
    ],
];
Since Laravel 7.7, you can use the withoutMiddleware method, e.g.:
Route::get('/payment/ok', 'TransactionsController@Ok')
    ->withoutMiddleware([\App\Http\Middleware\VerifyCsrfToken::class]);
Route::get('/payment/fail', 'TransactionsController@Fail')
    ->withoutMiddleware([\App\Http\Middleware\VerifyCsrfToken::class]);
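Comments:

What version of Laravel are you using? If it's 5.1, see my answer below. If you have an older version, let me know and I'll update the answer, because for older versions there are ways to do this, they are just a bit more complicated.

@jedrzej.kurylo May I know how to disable the CSRF token in Laravel 5.0?

Hi jedrzej, I used the method above, but it does not work for Laravel 5.2. I need to know how to disable the CSRF token for API routes in Laravel 5.2, with a solution similar to the one above.

Excluding URIs in 5.2 works the same way - see the documentation here

It works for me on Laravel 5.2, thanks a bunch mate.

I would call this over-engineering.

You should add the csrf field to the app/Http/Kernel.php $routeMiddleware array, like this: 'csrf' => VerifyCsrfToken::class

As @ozal zarbaliyev mentioned, there is no middleware named csrf. Just use \App\Http\Middleware\VerifyCsrfToken::class in the withoutMiddleware function.

Thanks everyone, fixed!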