Fix CSRF verification

This commit is contained in:
Pig Fang 2018-08-20 23:09:26 +08:00
parent 1275ca92e3
commit aff8e9f058
12 changed files with 46 additions and 7 deletions


@ -5,6 +5,7 @@ namespace App\Exceptions;
use Exception;
use Illuminate\Http\Response;
use App\Exceptions\PrettyPageException;
use Illuminate\Session\TokenMismatchException;
use Illuminate\Database\Eloquent\ModelNotFoundException;
use Illuminate\Validation\ValidationException;
use Symfony\Component\HttpKernel\Exception\HttpException;
@ -22,6 +23,7 @@ class Handler extends ExceptionHandler
protected $dontReport = [
HttpException::class,
ModelNotFoundException::class,
TokenMismatchException::class,
ValidationException::class,
PrettyPageException::class,
MethodNotAllowedHttpException::class,
@ -52,7 +54,14 @@ class Handler extends ExceptionHandler
}
if ($e instanceof MethodNotAllowedHttpException) {
abort(403, 'Method not allowed.');
abort(403, trans('errors.http.method-not-allowed'));
}
if ($e instanceof TokenMismatchException) {
if ($request->expectsJson()) {
return json(trans('errors.http.csrf-token-mismatch'), 1);
}
abort(403, trans('errors.http.csrf-token-mismatch'));
}
if ($e instanceof PrettyPageException) {
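Review bot: The new TokenMismatchException branch answers with 403, the same status a real authorization denial produces, so a caller of the JSON path cannot tell an expired or missing CSRF token from a permission problem; Laravel's own handler uses 419 for this case, and `abort(419, trans('errors.http.csrf-token-mismatch'));` (with the matching status on the `json(...)` reply, if that helper accepts one) would preserve the distinction. Adding the class to `$dontReport` also means token failures never reach the log, yet a steady rate of them is a useful signal both for broken forms and for cross-site request attempts against the site, so consider leaving it reportable or logging at info level before returning. The enclosing method begins and ends outside the hunk.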


@ -46,6 +46,7 @@ class Kernel extends HttpKernel
* @var array
*/
protected $routeMiddleware = [
'csrf' => \App\Http\Middleware\VerifyCsrfToken::class,
'auth' => \App\Http\Middleware\CheckAuthenticated::class,
'verified' => \App\Http\Middleware\CheckUserVerified::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
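Review bot: Registering VerifyCsrfToken as the `csrf` route-middleware alias instead of inside the `web` middleware group makes protection opt-in per route group; the RouteServiceProvider hunk in this commit adds it only to mapWebRoutes, so any other group that uses `['web']`, or a route registered outside that method, stays unverified. Adding the class to `$middlewareGroups['web']` in this Kernel would apply the check wherever `web` applies and let the `'csrf'` entry in mapWebRoutes be dropped. If the alias is kept on purpose so some groups can skip it, a comment on this line saying so, e.g. `// CSRF is opt-in per route group; see RouteServiceProvider::mapWebRoutes`, would stop the next reader from silently re-adding it to `web`.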


@ -0,0 +1,17 @@
<?php
namespace App\Http\Middleware;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* @var array
*/
protected $except = [
//
];
}
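Review bot: The `$except` array carries only a placeholder `//`, and every URI added to it later removes CSRF verification for that route with nothing in the file saying when that is acceptable. Replacing the placeholder with a rule keeps the exemption list reviewable, e.g. `// Only routes authenticated by other means (signed webhooks, token-authenticated APIs) belong here; each entry needs a comment explaining why.` The class docblock could also note that the list is matched by URI pattern, so overly broad entries exempt more than intended.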


@ -55,7 +55,7 @@ class RouteServiceProvider extends ServiceProvider
protected function mapWebRoutes(Router $router)
{
$router->group([
'middleware' => ['web'],
'middleware' => ['web', 'csrf'],
'namespace' => $this->namespace,
], function ($router) {
require base_path('routes/web.php');


@ -1,12 +1,15 @@
import Vue from 'vue';
import { showAjaxError } from './notify';
const csrfField = document.querySelector('meta[name="csrf-token"]');
const empty = Object.create(null);
const init = {
credentials: 'same-origin',
headers: {
'Accept': 'application/json',
'Content-Type': 'application/json'
'Content-Type': 'application/json',
'X-CSRF-TOKEN': csrfField && csrfField.content
}
};
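Review bot: `csrfField && csrfField.content` evaluates to `null` when the meta tag is absent, so the `X-CSRF-TOKEN` header is still sent (the Headers initializer stringifies non-string values, as far as I recall) and every request then fails with a token mismatch instead of a clear setup error. Reading the token once and failing loudly is easier to debug: `const csrfToken = csrfField ? csrfField.content : '';` followed by `if (!csrfToken) console.error('csrf-token meta tag missing');` and using `csrfToken` in the header. Because the value is captured at module load, a page that regenerates its session without a reload would keep sending the old token; whether `init` is reused that way depends on code outside the hunk.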


@ -3,6 +3,8 @@ http:
msg-404: Nothing here.
msg-500: Please try again later.
msg-503: The application is now in maintenance mode.
method-not-allowed: Method not allowed.
csrf-token-mismatch: Token does not match, try reloading the page.
general:
title: Error occurred


@ -3,6 +3,8 @@ http:
msg-404: 这里啥都没有哦
msg-500: 服务器内部错误,请稍后再试
msg-503: 网站维护中
method-not-allowed: 不允许的 HTTP 请求方法
csrf-token-mismatch: Token 不正确,请尝试刷新页面
general:
title: 出现错误


@ -6,7 +6,8 @@
<title>@yield('title') - {{ option_localized('site_name') }}</title>
{!! bs_favicon() !!}
<!-- Tell the browser to be responsive to screen width -->
<meta content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" name="viewport">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
<meta name="csrf-token" content="{{ csrf_token() }}">
<!-- App Styles -->
@include('common.dependencies.style', ['module' => 'admin'])
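Review bot: The `<meta name="csrf-token" content="{{ csrf_token() }}">` line is added verbatim in four layouts (this one and the three later sections at the same position), and the JavaScript client reads exactly that selector, so the copies have to stay identical or one layout silently loses the header. Extracting the tag into a single partial that each layout `@include`s would keep them in sync, and the `{{ }}` escaping should be kept as-is in that partial. A one-line comment next to the tag, e.g. `{{-- read by the fetch wrapper; keep name/selector in sync with the JS client --}}`, would record the coupling.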


@ -13,6 +13,7 @@
<p class="login-box-msg">@lang('auth.bind.message')</p>
<form method="post" id="login-form">
@csrf
<div class="form-group has-feedback">
<input name="email" type="email" class="form-control" placeholder="@lang('auth.email')">
<span class="glyphicon glyphicon-envelope form-control-feedback"></span>


@ -5,7 +5,8 @@
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>@yield('title') - {{ option_localized('site_name') }}</title>
{!! bs_favicon() !!}
<meta content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" name="viewport">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
<meta name="csrf-token" content="{{ csrf_token() }}">
<!-- App Styles -->
@include('common.dependencies.style')


@ -6,7 +6,8 @@
<title>@yield('title') - {{ option_localized('site_name') }}</title>
{!! bs_favicon() !!}
<!-- Tell the browser to be responsive to screen width -->
<meta content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" name="viewport">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
<meta name="csrf-token" content="{{ csrf_token() }}">
<!-- App Styles -->
@include('common.dependencies.style')


@ -6,7 +6,8 @@
<title>@yield('title') - {{ option_localized('site_name') }}</title>
{!! bs_favicon() !!}
<!-- Tell the browser to be responsive to screen width -->
<meta content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" name="viewport">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
<meta name="csrf-token" content="{{ csrf_token() }}">
<!-- App Styles -->
@include('common.dependencies.style')