The technique described by @jedrzej.kurylo works well for excluding one or two pages.
If you need to exclude many pages from CSRF verification and want something more future-proof, here is a different technique.
You can split your routes into segments and apply different middleware to each of them. So you can put your payment routes into a separate route group and not apply VerifyCsrfToken to that group. Here is how to do it.
1. Create a route file
You will find that your routes directory has the following tree:
routes/
routes/api.php
routes/web.php
Create a new file here, routes/payment.php, and add your routes to it:
<?php
use Illuminate\Support\Facades\Route;
Route::get('/payment/ok', 'TransactionsController@Ok');
Route::get('/payment/fail', 'TransactionsController@Fail');
2. Handle the routes in RouteServiceProvider
Laravel's routes are handled by app\Providers\RouteServiceProvider.php. You will notice the functions map() and mapWebRoutes(). Add the corresponding pieces to this file as shown below (I have left out the original comments for brevity).
public function map()
{
$this->mapApiRoutes();
$this->mapWebRoutes();
$this->mapPaymentRoutes();
}
protected function mapWebRoutes()
{
Route::middleware('web')
->namespace($this->namespace)
->group(base_path('routes/web.php'));
}
protected function mapPaymentRoutes() // <--- Add this method
{
Route::middleware('payment')
->namespace($this->namespace)
->group(base_path('routes/payment.php'));
}
Note that we have added a new middleware layer. This matters for the next step.
3. Add the new middleware layer
The middleware for your route groups is defined in App\Http\Kernel.php.
Update the $middlewareGroups property and add a middleware entry for 'payment'. It can be identical to web, but without the VerifyCsrfToken line.
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\App\Http\Middleware\NoClickjack::class,
\App\Http\Middleware\SecureReferrerPolicy::class,
\App\Http\Middleware\NoXssScripting::class,
],
'payment' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\App\Http\Middleware\NoClickjack::class,
\App\Http\Middleware\SecureReferrerPolicy::class,
\App\Http\Middleware\NoXssScripting::class,
],
'api' => [
'throttle:60,1',
'bindings',
],
];
From now on, whenever you add new routes that must be excluded from the CSRF token check, add them to the routes/payment.php file.
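To check that the split actually behaves as this answer intends, here is an added feature test (my own, not part of the answer above) that forces the real CSRF check to run under PHPUnit and probes both groups with a POST. It assumes a Laravel 5.5 to 10 layout with App\Http\Kernel and the 'web' and 'payment' groups defined above, PHPUnit 8 or newer, and constructed /__probe/* routes that exist only inside the test.

```php
<?php
// Added feature test, not part of the answer above: checks that the 'payment'
// group really skips CSRF while the 'web' group still enforces it.

namespace Tests\Feature;

use App\Http\Middleware\VerifyCsrfToken;
use Illuminate\Contracts\Foundation\Application;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class PaymentCsrfExemptionTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();

        // VerifyCsrfToken skips itself when it detects PHPUnit, which would make
        // both probes pass; rebind it so the real token comparison runs.
        $this->app->bind(VerifyCsrfToken::class, function (Application $app) {
            return new class($app, $app['encrypter']) extends VerifyCsrfToken {
                protected function runningUnitTests()
                {
                    return false;
                }
            };
        });

        // Constructed POST probes (not real app routes). The answer's /payment/*
        // routes are GETs, which VerifyCsrfToken never checks in any group.
        Route::middleware('web')->post('/__probe/web', function () {
            return 'web-ok';
        });
        Route::middleware('payment')->post('/__probe/payment', function () {
            return 'payment-ok';
        });
    }

    public function test_web_group_rejects_post_without_token(): void
    {
        $this->post('/__probe/web')->assertStatus(419);
    }

    public function test_payment_group_accepts_post_without_token(): void
    {
        $this->post('/__probe/payment')->assertOk()->assertSee('payment-ok');
    }
}
```

Run it with php artisan test or vendor/bin/phpunit; if the first test does not see a 419, the 'web' group on your install is not enforcing CSRF the way this answer assumes.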