diff --git a/app/Exceptions/Handler.php b/app/Exceptions/Handler.php index a8dec512..72a8e953 100644 --- a/app/Exceptions/Handler.php +++ b/app/Exceptions/Handler.php @@ -5,6 +5,7 @@ namespace App\Exceptions; use Exception; use Illuminate\Http\Response; use App\Exceptions\PrettyPageException; +use Illuminate\Session\TokenMismatchException; use Illuminate\Database\Eloquent\ModelNotFoundException; use Illuminate\Validation\ValidationException; use Symfony\Component\HttpKernel\Exception\HttpException; @@ -22,6 +23,7 @@ class Handler extends ExceptionHandler protected $dontReport = [ HttpException::class, ModelNotFoundException::class, + TokenMismatchException::class, ValidationException::class, PrettyPageException::class, MethodNotAllowedHttpException::class, @@ -52,7 +54,14 @@ class Handler extends ExceptionHandler } if ($e instanceof MethodNotAllowedHttpException) { - abort(403, 'Method not allowed.'); + abort(403, trans('errors.http.method-not-allowed')); + } + + if ($e instanceof TokenMismatchException) { + if ($request->expectsJson()) { + return json(trans('errors.http.csrf-token-mismatch'), 1); + } + abort(403, trans('errors.http.csrf-token-mismatch')); } if ($e instanceof PrettyPageException) { diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php index f0efebfd..1b024d8c 100644 --- a/app/Http/Kernel.php +++ b/app/Http/Kernel.php @@ -46,6 +46,7 @@ class Kernel extends HttpKernel * @var array */ protected $routeMiddleware = [ + 'csrf' => \App\Http\Middleware\VerifyCsrfToken::class, 'auth' => \App\Http\Middleware\CheckAuthenticated::class, 'verified' => \App\Http\Middleware\CheckUserVerified::class, 'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class, diff --git a/app/Http/Middleware/VerifyCsrfToken.php b/app/Http/Middleware/VerifyCsrfToken.php new file mode 100644 index 00000000..0c13b854 --- /dev/null +++ b/app/Http/Middleware/VerifyCsrfToken.php @@ -0,0 +1,17 @@ +group([ - 'middleware' => ['web'], + 'middleware' => ['web', 'csrf'], 'namespace' => $this->namespace, ], function ($router) { require base_path('routes/web.php'); diff --git a/resources/assets/src/js/net.js b/resources/assets/src/js/net.js index 409aa713..a85d0ad4 100644 --- a/resources/assets/src/js/net.js +++ b/resources/assets/src/js/net.js @@ -1,12 +1,15 @@ import Vue from 'vue'; import { showAjaxError } from './notify'; +const csrfField = document.querySelector('meta[name="csrf-token"]'); + const empty = Object.create(null); const init = { credentials: 'same-origin', headers: { 'Accept': 'application/json', - 'Content-Type': 'application/json' + 'Content-Type': 'application/json', + 'X-CSRF-TOKEN': csrfField && csrfField.content } }; diff --git a/resources/lang/en/errors.yml b/resources/lang/en/errors.yml index 3cd9724f..05f8518e 100644 --- a/resources/lang/en/errors.yml +++ b/resources/lang/en/errors.yml @@ -3,6 +3,8 @@ http: msg-404: Nothing here. msg-500: Please try again later. msg-503: The application is now in maintenance mode. + method-not-allowed: Method not allowed. + csrf-token-mismatch: Token does not match, try reloading the page. general: title: Error occurred diff --git a/resources/lang/zh_CN/errors.yml b/resources/lang/zh_CN/errors.yml index cc9c05a2..c8a1b3ec 100644 --- a/resources/lang/zh_CN/errors.yml +++ b/resources/lang/zh_CN/errors.yml @@ -3,6 +3,8 @@ http: msg-404: 这里啥都没有哦 msg-500: 服务器内部错误,请稍后再试 msg-503: 网站维护中 + method-not-allowed: 不允许的 HTTP 请求方法 + csrf-token-mismatch: Token 不正确,请尝试刷新页面 general: title: 出现错误 diff --git a/resources/views/admin/master.blade.php b/resources/views/admin/master.blade.php index e4745620..5357a5b9 100644 --- a/resources/views/admin/master.blade.php +++ b/resources/views/admin/master.blade.php @@ -6,7 +6,8 @@
@lang('auth.bind.message')