Disabling CSRF in CakePHP4 for specific controllers and actions

Category：CakePHP4

Pub.date：2020-08-06

If you want to disable CSRF check for a specific controller or action in CakePHP 4.1, it would be as follows <br>
As of PHP 4.1, the CsrfProtectionMiddleware description has been moved to src/Application.php. In PHP 4.1, CsrfProtectionMiddleware has been moved to src/Application.php.<br>
In PHP 4.1, the CsrfProtectionMiddleware description has been moved to src/Application.php. Therefore, you only need to change src/Application.php.

## Original

src/Application.php
```php
/**
 * Setup the middleware queue your application will use.
 *
 * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to setup.
 * @return \Cake\Http\MiddlewareQueue The updated middleware queue.
 */
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
	$middlewareQueue
		// Catch any exceptions in the lower layers,
		// and make an error page/response
		->add(new ErrorHandlerMiddleware(Configure::read('Error')))

// Handle plugin/theme assets like CakePHP normally does.
		->add(new AssetMiddleware([
			'cacheTime' => Configure::read('Asset.cacheTime'),
		]))

// Add routing middleware.
		// If you have a large number of routes connected, turning on routes
		// caching in production could improve performance. For that when
		// creating the middleware instance specify the cache config name by
		// using it's second constructor argument:
		// `new RoutingMiddleware($this, '_cake_routes_')`
		->add(new RoutingMiddleware($this))

// Parse various types of encoded request bodies so that they are
		// available as array through $request->getData()
		// https://book.cakephp.org/4/en/controllers/middleware.html#body-parser-middleware
		->add(new BodyParserMiddleware())

// Cross Site Request Forgery (CSRF) Protection Middleware
		// https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
		->add(new CsrfProtectionMiddleware([
			'httponly' => true,
		]));

return $middlewareQueue;
}
```

## After change

$csrf = new CsrfProtectionMiddleware(['httponly'=>true]);
	$csrf->skipCheckCallback(function($request) {			// Token check will be skipped when callback returns `true`.
		$controller = $request->getParam('controller');
		$action = $request->getParam('action');
		if (is_null($controller) || is_null($action)) {
			return false;
		}
		if (strcmp($controller,'Apis') == 0) {	// Skip token check for API URLs.
			return true;
		}
		return false;
	});

$middlewareQueue
		// Catch any exceptions in the lower layers,
		// and make an error page/response
		->add(new ErrorHandlerMiddleware(Configure::read('Error')))

// Handle plugin/theme assets like CakePHP normally does.
		->add(new AssetMiddleware([
			'cacheTime' => Configure::read('Asset.cacheTime'),
		]))

// Cross Site Request Forgery (CSRF) Protection Middleware
		// https://book.cakephp.org/4/en/controllers/middleware.html#cross-site-request-forgery-csrf-middleware
		//->add(new CsrfProtectionMiddleware([
		//	'httponly' => true,
		//]));
		->add($csrf);