If you have added an API prefix route and want to disable CSRF protection for POST and PUT API requests, follow the steps listed below.
First, add the API prefix route to config/routes.php:
    $routes->prefix('api', function (RouteBuilder $routes): void {
        $routes->setExtensions(['json', 'xml']);
        $routes->connect(
            '/token',
            ['controller' => 'Users', 'action' => 'token']
        )->setMethods(['POST']);
        $routes->resources('Users');
        $routes->resources('Pages');
    });
Now update src/Application.php:
    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    {
        $csrf = new CsrfProtectionMiddleware(['httponly' => true]);
        // Disable CSRF for API
        // Token check will be skipped when callback returns `true`.
        $csrf->skipCheckCallback(function ($request) {
            // Skip token check for API URLs.
            if ($request->getParam('prefix') === 'Api') {
                return true;
            }
        });
        $middlewareQueue
            // .
            // .
            // .
            // .
            ->add($csrf);
        return $middlewareQueue;
    }
I tried the code above and it works.
A simple solution is the following, in src/Application.php:
    ->add((new CsrfProtectionMiddleware([
        'httponly' => true,
    ]))->skipCheckCallback(function ($request) {
        // Skip token check when the routed controller is "messages".
        if (strtolower((string)$request->getParam('controller')) === 'messages') {
            return true;
        }
    }));
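
The two skip callbacks above exempt different sets of requests: the first matches on the routing prefix, the second on the controller name whatever the prefix is. As an added example (not code from either answer), this PHPUnit test runs both conditions against constructed routing parameters; the class name, the `Admin` prefix and the sample rows are assumptions.

```php
<?php
declare(strict_types=1);

namespace App\Test\TestCase;

use Cake\Http\ServerRequest;
use PHPUnit\Framework\TestCase;

// Added example: pins down which requests each skip condition exempts from the CSRF check.
class CsrfSkipScopeTest extends TestCase
{
    // Condition used by the first callback: anything routed under the Api prefix.
    private static function byPrefix(ServerRequest $r): bool
    {
        return $r->getParam('prefix') === 'Api';
    }

    // Condition used by the second callback: the controller name only.
    private static function byController(ServerRequest $r): bool
    {
        return strtolower((string)$r->getParam('controller')) === 'messages';
    }

    // Constructed rows: [prefix, controller, expected byPrefix, expected byController].
    public static function requests(): array
    {
        return [
            'api users'      => ['Api', 'Users', true, false],
            'api messages'   => ['Api', 'Messages', true, true],
            'web users'      => [null, 'Users', false, false],
            // A controller with the same name outside the API is exempted as well.
            'web messages'   => [null, 'Messages', false, true],
            'admin messages' => ['Admin', 'Messages', false, true], // hypothetical prefix
        ];
    }

    /** @dataProvider requests */
    public function testSkipScope(?string $prefix, string $controller, bool $p, bool $c): void
    {
        $request = new ServerRequest([
            'params' => ['prefix' => $prefix, 'controller' => $controller],
        ]);
        $this->assertSame($p, self::byPrefix($request));
        $this->assertSame($c, self::byController($request));
    }
}
```

Placed under tests/TestCase/ in a CakePHP application, it runs with the project's PHPUnit. Requiring both conditions in one callback limits the exemption to a single controller inside the API prefix.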