Removed obsolete CSRF validation middleware. CSRF tokens are validated on all requests.

2025-02-16 18:14:23 +01:00 · 2015-11-23 21:47:26 -08:00 · 2015-11-23 21:47:26 -08:00 · 395a894bdd
commit 395a894bdd
parent 35cd4d65e4
3 changed files with 2 additions and 51 deletions
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -49,6 +49,5 @@ class Kernel extends HttpKernel
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'can' => \Poniverse\Ponyfm\Http\Middleware\Authorize::class,
        'guest' => \Poniverse\Ponyfm\Http\Middleware\RedirectIfAuthenticated::class,
-        'csrf' => \Poniverse\Ponyfm\Http\Middleware\VerifyCsrfHeader::class,
    ];
 }
--- a/app/Http/Middleware/VerifyCsrfHeader.php
+++ b/app/Http/Middleware/VerifyCsrfHeader.php
@ -1,46 +0,0 @@
-<?php
-
-/**
- * Pony.fm - A community for pony fan music.
- * Copyright (C) 2015 Peter Deltchev
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
-
-namespace Poniverse\Ponyfm\Http\Middleware;
-
-use Closure;
-use Illuminate\Session\TokenMismatchException;
-use Session;
-
-class VerifyCsrfHeader
-{
-
-    /**
-     * Handle an incoming request.
-     *
-     * @param  \Illuminate\Http\Request $request
-     * @param  \Closure $next
-     * @return mixed
-     * @throws TokenMismatchException
-     */
-    public function handle($request, Closure $next)
-    {
-        if (Session::token() != $request->input('_token') && Session::token() != $request->header('X-Token')) {
-            throw new TokenMismatchException;
-        }
-
-        return $next($request);
-    }
-}
--- a/app/Http/routes.php
+++ b/app/Http/routes.php
@ -98,7 +98,7 @@ Route::group(['prefix' => 'api/web'], function() {

    Route::get('/dashboard', 'Api\Web\DashboardController@getIndex');

-    Route::group(['middleware' => 'auth|csrf'], function() {
+    Route::group(['middleware' => 'auth'], function() {
        Route::post('/tracks/upload', 'Api\Web\TracksController@postUpload');
        Route::post('/tracks/delete/{id}', 'Api\Web\TracksController@postDelete');
        Route::post('/tracks/edit/{id}', 'Api\Web\TracksController@postEdit');
@ -142,9 +142,7 @@ Route::group(['prefix' => 'api/web'], function() {
        Route::get('/favourites/playlists', 'Api\Web\FavouritesController@getPlaylists');
    });

-    Route::group(['middleware' => 'csrf'], function(){
-        Route::post('/auth/logout', 'Api\Web\AuthController@postLogout');
-    });
+    Route::post('/auth/logout', 'Api\Web\AuthController@postLogout');
 });

 Route::group(['prefix' => 'account', 'middleware' => 'auth'], function() {