PonyMirrors/Pony.fm
1
0
Fork 0
mirror of https://github.com/Poniverse/Pony.fm.git synced 2025-02-19 19:34:23 +01:00
Code Issues Projects Releases Packages Wiki Activity

Removed obsolete CSRF validation middleware. CSRF tokens are validated on all requests.

Browse source
This commit is contained in:
Peter Deltchev 2015-11-23 21:47:26 -08:00
parent 35cd4d65e4
commit 395a894bdd
3 changed files with 2 additions and 51 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
app/Http/Kernel.php
View file

@ -49,6 +49,5 @@ class Kernel extends HttpKernel
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class, 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'can' => \Poniverse\Ponyfm\Http\Middleware\Authorize::class, 'can' => \Poniverse\Ponyfm\Http\Middleware\Authorize::class,
'guest' => \Poniverse\Ponyfm\Http\Middleware\RedirectIfAuthenticated::class, 'guest' => \Poniverse\Ponyfm\Http\Middleware\RedirectIfAuthenticated::class,
'csrf' => \Poniverse\Ponyfm\Http\Middleware\VerifyCsrfHeader::class,
]; ];
} }

46
app/Http/Middleware/VerifyCsrfHeader.php
View file

@ -1,46 +0,0 @@
<?php
/**
* Pony.fm - A community for pony fan music.
* Copyright (C) 2015 Peter Deltchev
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
namespace Poniverse\Ponyfm\Http\Middleware;
use Closure;
use Illuminate\Session\TokenMismatchException;
use Session;
class VerifyCsrfHeader
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
* @throws TokenMismatchException
*/
public function handle($request, Closure $next)
{
if (Session::token() != $request->input('_token') && Session::token() != $request->header('X-Token')) {
throw new TokenMismatchException;
}
return $next($request);
}
}

6
app/Http/routes.php
View file

@ -98,7 +98,7 @@ Route::group(['prefix' => 'api/web'], function() {
Route::get('/dashboard', 'Api\Web\DashboardController@getIndex'); Route::get('/dashboard', 'Api\Web\DashboardController@getIndex');
Route::group(['middleware' => 'auth|csrf'], function() { Route::group(['middleware' => 'auth'], function() {
Route::post('/tracks/upload', 'Api\Web\TracksController@postUpload'); Route::post('/tracks/upload', 'Api\Web\TracksController@postUpload');
Route::post('/tracks/delete/{id}', 'Api\Web\TracksController@postDelete'); Route::post('/tracks/delete/{id}', 'Api\Web\TracksController@postDelete');
Route::post('/tracks/edit/{id}', 'Api\Web\TracksController@postEdit'); Route::post('/tracks/edit/{id}', 'Api\Web\TracksController@postEdit');
@ -142,9 +142,7 @@ Route::group(['prefix' => 'api/web'], function() {
Route::get('/favourites/playlists', 'Api\Web\FavouritesController@getPlaylists'); Route::get('/favourites/playlists', 'Api\Web\FavouritesController@getPlaylists');
}); });
Route::group(['middleware' => 'csrf'], function(){ Route::post('/auth/logout', 'Api\Web\AuthController@postLogout');
Route::post('/auth/logout', 'Api\Web\AuthController@postLogout');
});
}); });
Route::group(['prefix' => 'account', 'middleware' => 'auth'], function() { Route::group(['prefix' => 'account', 'middleware' => 'auth'], function() {