Prevent TokenMismatchException for HTTP OPTIONS requests

`OPTIONS` HTTP requests should be treated in the same way than `GET` requests by the `VerifyCsrfToken` middleware. Otherwise, an exception is thrown, thus preventing any `OPTIONS` route to work.

Prevent TokenMismatchException for HTTP OPTIONS requests
`OPTIONS` HTTP requests should be treated in the same way than `GET` requests by the `VerifyCsrfToken` middleware. Otherwise, an exception is thrown, thus preventing any `OPTIONS` route to work.
70d516b7 · Michaël Lecerf · 27aa85cc · 70d516b7
Commit 70d516b7 authored Nov 05, 2014 by Michaël Lecerf
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 1 deletions

app/Http/Middleware/VerifyCsrfToken.php
+12 -1

No files found.
--- a/app/Http/Middleware/VerifyCsrfToken.php
+++ b/app/Http/Middleware/VerifyCsrfToken.php
@@ -17,7 +17,7 @@ class VerifyCsrfToken implements Middleware {
 	 */
 	public function handle($request, Closure $next)
 	{
-		if ($request->method() == 'GET' || $this->tokensMatch($request))
+		if ($this->isReadOnly($request) || $this->tokensMatch($request))
 		{
 			return $next($request);
 		}
@@ -36,4 +36,15 @@ class VerifyCsrfToken implements Middleware {
 		return $request->session()->token() == $request->input('_token');
 	}

+	/**
+	 * Determine if the HTTP request uses a ‘read’ verb.
+	 *
+	 * @param  \Illuminate\Http\Request  $request
+	 * @return bool
+	 */
+	protected function isReadOnly($request)
+	{
+		return in_array($request->method(), ['GET', 'OPTIONS']);
+	}
+
 }