Disabling CSRF in CakePHP4 for specific controllers and actions
Category: CakePHP4
Pub. date: 2020-08-06
If you want to disable the CSRF check for a specific controller or action in CakePHP 4.1, proceed as follows.
As of CakePHP 4.1, the CsrfProtectionMiddleware configuration has been moved to src/Application.php. Therefore, src/Application.php is the only file you need to change.
Original
src/Application.php
/**
 * Setup the middleware queue your application will use.
 *
 * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to setup.
 * @return \Cake\Http\MiddlewareQueue The updated middleware queue.
 */
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
    $middlewareQueue
        // Catch any exceptions in the lower layers,
        // and make an error page/response
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))

        // Handle plugin/theme assets like CakePHP normally does.
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime'),
        ]))

        // Add routing middleware.
        // If you have a large number of routes connected, turning on routes
        // caching in production could improve performance. For that when
        // creating the middleware instance specify the cache config name by
        // using its second constructor argument:
        // `new RoutingMiddleware($this, '_cake_routes_')`
        ->add(new RoutingMiddleware($this))

        // Parse various types of encoded request bodies so that they are
        // available as array through $request->getData()
        // https://book.cakephp.org/4/en/controllers/middleware.html#body-parser-middleware
        ->add(new BodyParserMiddleware())

        // Cross Site Request Forgery (CSRF) Protection Middleware
        // https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
        ->add(new CsrfProtectionMiddleware([
            'httponly' => true,
        ]));

    return $middlewareQueue;
}
After change
src/Application.php
/**
 * Setup the middleware queue your application will use.
 *
 * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to setup.
 * @return \Cake\Http\MiddlewareQueue The updated middleware queue.
 */
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
    $csrf = new CsrfProtectionMiddleware(['httponly' => true]);
    // The token check is skipped for a request when this callback returns `true`.
    // Routing has already run at this point, so controller/action params are set.
    $csrf->skipCheckCallback(function ($request) {
        $controller = $request->getParam('controller');
        $action = $request->getParam('action');
        // Unrouted request: never skip the check.
        if (is_null($controller) || is_null($action)) {
            return false;
        }
        // Skip the token check for API URLs (every action of ApisController).
        // Test $action here as well if only particular actions should be exempt.
        if ($controller === 'Apis') {
            return true;
        }
        return false;
    });

    $middlewareQueue
        // Catch any exceptions in the lower layers,
        // and make an error page/response
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))

        // Handle plugin/theme assets like CakePHP normally does.
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime'),
        ]))

        // Add routing middleware.
        // If you have a large number of routes connected, turning on routes
        // caching in production could improve performance. For that when
        // creating the middleware instance specify the cache config name by
        // using its second constructor argument:
        // `new RoutingMiddleware($this, '_cake_routes_')`
        ->add(new RoutingMiddleware($this))

        // Parse various types of encoded request bodies so that they are
        // available as array through $request->getData()
        // https://book.cakephp.org/4/en/controllers/middleware.html#body-parser-middleware
        ->add(new BodyParserMiddleware())

        // Cross Site Request Forgery (CSRF) Protection Middleware
        // https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
        //->add(new CsrfProtectionMiddleware([
        //    'httponly' => true,
        //]));
        ->add($csrf);

    return $middlewareQueue;
}
In this example, no CSRF check is performed for any action of ApisController.
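The post's callback exempts a whole controller. The title also promises per-action exemptions, so the following added example (not code from the original post or from CakePHP itself) generalises the same skipCheckCallback mechanism to an allowlist of controller => actions, with '*' meaning every action of that controller. The controller and action names ('Apis', 'Webhooks', 'github') and the helper name makeCsrfSkipCallback are assumptions for illustration. The stub request class exists only so the file runs with plain `php` and no framework installed; in the real application the callback receives CakePHP's ServerRequest, whose getParam() behaves the same way. One practitioner's caveat belongs here: exempting an endpoint from the CSRF check is only safe when that endpoint does not rely on the session cookie for authentication (for example a token-authenticated API), because the skipped check is exactly what protects cookie-authenticated state changes.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original post. Builds the callable passed to
// CsrfProtectionMiddleware::skipCheckCallback() (CakePHP 4.1+).
//
// $skipList maps controller name => list of exempt actions, or ['*'] for all.
// Controller/action names used below are hypothetical.
function makeCsrfSkipCallback(array $skipList): callable
{
    // Returning true from the callback means the token check is skipped.
    return function ($request) use ($skipList): bool {
        $controller = $request->getParam('controller');
        $action = $request->getParam('action');

        // Routing may not have matched; never skip the check in that case.
        if (!is_string($controller) || !is_string($action)) {
            return false;
        }
        if (!array_key_exists($controller, $skipList)) {
            return false;
        }
        $actions = $skipList[$controller];

        return in_array('*', $actions, true) || in_array($action, $actions, true);
    };
}

// --- Wiring in src/Application.php::middleware() ---
// $csrf = new CsrfProtectionMiddleware(['httponly' => true]);
// $csrf->skipCheckCallback(makeCsrfSkipCallback(['Apis' => ['*']]));
// $middlewareQueue->add($csrf);

// --- Stand-alone self-check with a constructed request stub ---
// Mimics only the getParam() call the callback relies on.
final class FakeRequest
{
    /** @var array<string, mixed> */
    private $params;

    public function __construct(array $params)
    {
        $this->params = $params;
    }

    public function getParam(string $name)
    {
        return $this->params[$name] ?? null;
    }
}

$skip = makeCsrfSkipCallback([
    'Apis'     => ['*'],      // whole controller, as in the post
    'Webhooks' => ['github'], // a single action only (hypothetical)
]);

// Constructed test cases: [controller, action, expected skip result]
$cases = [
    ['Apis',     'index',  true],
    ['Apis',     'delete', true],
    ['Webhooks', 'github', true],
    ['Webhooks', 'stripe', false], // other actions stay protected
    ['Users',    'edit',   false],
    [null,       null,     false], // unrouted request: keep the check
];

foreach ($cases as [$controller, $action, $expected]) {
    $request = new FakeRequest(['controller' => $controller, 'action' => $action]);
    $got = $skip($request);
    printf(
        "%-9s %-7s skip=%-5s %s\n",
        $controller ?? '-',
        $action ?? '-',
        var_export($got, true),
        $got === $expected ? 'OK' : 'FAIL'
    );
}
```

Run it with `php csrf_skip_example.php`; every line should end in OK. The callback deliberately returns false whenever the controller or action parameter is missing, so a request that did not match any route keeps full CSRF protection rather than falling through an exemption.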