Disabling CSRF in CakePHP4 for specific controllers and actions

Category：CakePHP4

Pub.date：2020-08-06

If you want to disable CSRF check for a specific controller or action in CakePHP 4.1, it would be as follows
As of PHP 4.1, the CsrfProtectionMiddleware description has been moved to src/Application.php. In PHP 4.1, CsrfProtectionMiddleware has been moved to src/Application.php.
In PHP 4.1, the CsrfProtectionMiddleware description has been moved to src/Application.php. Therefore, you only need to change src/Application.php.

Original

src/Application.php

/**
 * Setup the middleware queue your application will use.
 *
 * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to setup.
 * @return \Cake\Http\MiddlewareQueue The updated middleware queue.
 */
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
    $middlewareQueue
        // Catch any exceptions in the lower layers,
        // and make an error page/response
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))

        // Handle plugin/theme assets like CakePHP normally does.
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime'),
        ]))

        // Add routing middleware.
        // If you have a large number of routes connected, turning on routes
        // caching in production could improve performance. For that when
        // creating the middleware instance specify the cache config name by
        // using it's second constructor argument:
        // `new RoutingMiddleware($this, '_cake_routes_')`
        ->add(new RoutingMiddleware($this))

        // Parse various types of encoded request bodies so that they are
        // available as array through $request->getData()
        // https://book.cakephp.org/4/en/controllers/middleware.html#body-parser-middleware
        ->add(new BodyParserMiddleware())

        // Cross Site Request Forgery (CSRF) Protection Middleware
        // https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
        ->add(new CsrfProtectionMiddleware([
            'httponly' => true,
        ]));

    return $middlewareQueue;
}

After change

src/Application.php

/**
 * Setup the middleware queue your application will use.
 *
 * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to setup.
 * @return \Cake\Http\MiddlewareQueue The updated middleware queue.
 */
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{

    $csrf = new CsrfProtectionMiddleware(['httponly'=>true]);
    $csrf->skipCheckCallback(function($request) {            // Token check will be skipped when callback returns `true`.
        $controller = $request->getParam('controller');
        $action = $request->getParam('action');
        if (is_null($controller) || is_null($action)) {
            return false;
        }
        if (strcmp($controller,'Apis') == 0) {    // Skip token check for API URLs.
            return true;
        }
        return false;
    });

    $middlewareQueue
        // Catch any exceptions in the lower layers,
        // and make an error page/response
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))

        // Handle plugin/theme assets like CakePHP normally does.
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime'),
        ]))

        // Add routing middleware.
        // If you have a large number of routes connected, turning on routes
        // caching in production could improve performance. For that when
        // creating the middleware instance specify the cache config name by
        // using it's second constructor argument:
        // `new RoutingMiddleware($this, '_cake_routes_')`
        ->add(new RoutingMiddleware($this))

        // Parse various types of encoded request bodies so that they are
        // available as array through $request->getData()
        // https://book.cakephp.org/4/en/controllers/middleware.html#body-parser-middleware
        ->add(new BodyParserMiddleware())

        // Cross Site Request Forgery (CSRF) Protection Middleware
        // https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
        //->add(new CsrfProtectionMiddleware([
        //    'httponly' => true,
        //]));
        ->add($csrf);

    return $middlewareQueue;
}

In this example, no CSRF check is performed in the case of ApisController.

If you want to disable CSRF check for a specific controller or action in CakePHP 4.1, it would be as follows <br>
As of PHP 4.1, the CsrfProtectionMiddleware description has been moved to src/Application.php. In PHP 4.1, CsrfProtectionMiddleware has been moved to src/Application.php.<br>
In PHP 4.1, the CsrfProtectionMiddleware description has been moved to src/Application.php. Therefore, you only need to change src/Application.php.

## Original

src/Application.php
```php
/**
 * Setup the middleware queue your application will use.
 *
 * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to setup.
 * @return \Cake\Http\MiddlewareQueue The updated middleware queue.
 */
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
	$middlewareQueue
		// Catch any exceptions in the lower layers,
		// and make an error page/response
		->add(new ErrorHandlerMiddleware(Configure::read('Error')))

// Handle plugin/theme assets like CakePHP normally does.
		->add(new AssetMiddleware([
			'cacheTime' => Configure::read('Asset.cacheTime'),
		]))

// Add routing middleware.
		// If you have a large number of routes connected, turning on routes
		// caching in production could improve performance. For that when
		// creating the middleware instance specify the cache config name by
		// using it's second constructor argument:
		// `new RoutingMiddleware($this, '_cake_routes_')`
		->add(new RoutingMiddleware($this))

// Parse various types of encoded request bodies so that they are
		// available as array through $request->getData()
		// https://book.cakephp.org/4/en/controllers/middleware.html#body-parser-middleware
		->add(new BodyParserMiddleware())

// Cross Site Request Forgery (CSRF) Protection Middleware
		// https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
		->add(new CsrfProtectionMiddleware([
			'httponly' => true,
		]));

return $middlewareQueue;
}
```

## After change

$csrf = new CsrfProtectionMiddleware(['httponly'=>true]);
	$csrf->skipCheckCallback(function($request) {			// Token check will be skipped when callback returns `true`.
		$controller = $request->getParam('controller');
		$action = $request->getParam('action');
		if (is_null($controller) || is_null($action)) {
			return false;
		}
		if (strcmp($controller,'Apis') == 0) {	// Skip token check for API URLs.
			return true;
		}
		return false;
	});

$middlewareQueue
		// Catch any exceptions in the lower layers,
		// and make an error page/response
		->add(new ErrorHandlerMiddleware(Configure::read('Error')))

// Handle plugin/theme assets like CakePHP normally does.
		->add(new AssetMiddleware([
			'cacheTime' => Configure::read('Asset.cacheTime'),
		]))

// Cross Site Request Forgery (CSRF) Protection Middleware
		// https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
		//->add(new CsrfProtectionMiddleware([
		//	'httponly' => true,
		//]));
		->add($csrf);