CSRF exclusion for legacy actions

Author: riasvdv

yii2-adapter/legacy/web/Controller.php

@@ -17,6 +17,7 @@
 use CraftCms\Cms\Cp\Html\ElementHtml;
 use CraftCms\Cms\ProjectConfig\ProjectConfig;
 use CraftCms\Cms\User\Elements\User;
+use Illuminate\Foundation\Http\Middleware\PreventRequestForgery;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Gate;
 use InvalidArgumentException;
@@ -58,6 +59,17 @@ abstract class Controller extends \yii\web\Controller
     public const ALLOW_ANONYMOUS_LIVE = 1;
     public const ALLOW_ANONYMOUS_OFFLINE = 2;
 
+    public $enableCsrfValidation = true {
+        get => $this->enableCsrfValidation;
+        set($value) {
+            $this->enableCsrfValidation = (bool) $value;
+
+            if (!$this->enableCsrfValidation) {
+                $this->registerCsrfValidationExclusion();
+            }
+        }
+    }
+
     /**
      * @var int|bool|int[]|string[] Whether this controller’s actions can be accessed anonymously.
      *
@@ -139,6 +151,41 @@ public function init(): void
         }
 
         parent::init();
+
+        if (!$this->enableCsrfValidation) {
+            $this->registerCsrfValidationExclusion();
+        }
+    }
+
+    public function registerCsrfValidationExclusion(): void
+    {
+        if (!isset($this->id, $this->module)) {
+            return;
+        }
+
+        PreventRequestForgery::except($this->csrfValidationExclusionUris());
+    }
+
+    private function csrfValidationExclusionUris(): array
+    {
+        $route = trim($this->getUniqueId(), '/');
+
+        if ($route === '') {
+            return [];
+        }
+
+        $actionTrigger = trim(Cms::config()->actionTrigger, '/');
+        $cpTrigger = trim(Cms::config()->cpTrigger, '/');
+
+        return collect([
+            $route,
+            implode('/', array_filter([$actionTrigger, $route], fn(string $segment) => $segment !== '')),
+            implode('/', array_filter([$cpTrigger, $actionTrigger, $route], fn(string $segment) => $segment !== '')),
+        ])
+            ->flatMap(fn(string $route) => [$route, "$route/*"])
+            ->unique()
+            ->values()
+            ->all();
     }
 
     /**

yii2-adapter/routes/web.php

@@ -1,5 +1,6 @@
 <?php
 
+use CraftCms\Yii2Adapter\Http\ExcludeCsrfValidationForLegacyController;
 use CraftCms\Yii2Adapter\Http\LegacyMiddleware;
 use Illuminate\Support\Facades\Route;
 
@@ -11,6 +12,7 @@
 })
     ->middleware([
         'craft',
+        ExcludeCsrfValidationForLegacyController::class,
         'craft.web',
         LegacyMiddleware::class,
     ])

yii2-adapter/src/Http/ExcludeCsrfValidationForLegacyController.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace CraftCms\Yii2Adapter\Http;
+
+use Closure;
+use Craft;
+use craft\web\Controller;
+use Illuminate\Http\Request;
+
+class ExcludeCsrfValidationForLegacyController
+{
+    public function handle(Request $request, Closure $next): mixed
+    {
+        if (!$request->isActionRequest()) {
+            return $next($request);
+        }
+
+        $result = Craft::$app?->createController(implode('/', $request->actionSegments()));
+        $controller = is_array($result) ? $result[0] : null;
+
+        if ($controller instanceof Controller && !$controller->enableCsrfValidation) {
+            $controller->registerCsrfValidationExclusion();
+        }
+
+        return $next($request);
+    }
+}

yii2-adapter/tests-laravel/Http/LegacyCsrfCompatibilityTest.php

@@ -0,0 +1,50 @@
+<?php
+
+namespace craft\controllers {
+    use craft\web\Controller;
+    use yii\web\Response;
+
+    class CsrfCompatibilityController extends Controller
+    {
+        public $enableCsrfValidation = false;
+
+        protected array|bool|int $allowAnonymous = true;
+
+        public function actionPing(): Response
+        {
+            return $this->asJson(['ok' => true]);
+        }
+    }
+}
+
+namespace {
+    use CraftCms\Cms\Cms;
+    use CraftCms\Yii2Adapter\Http\ExcludeCsrfValidationForLegacyController;
+    use Illuminate\Foundation\Http\Middleware\PreventRequestForgery;
+    use Illuminate\Http\Request;
+
+    it('excludes legacy controller action URLs when CSRF validation is disabled', function() {
+        $property = new ReflectionProperty(PreventRequestForgery::class, 'neverVerify');
+        $original = $property->getValue();
+
+        try {
+            $request = Request::create('/actions/csrf-compatibility/ping', 'POST');
+
+            app(ExcludeCsrfValidationForLegacyController::class)->handle($request, fn() => response('ok'));
+
+            $actionTrigger = trim(Cms::config()->actionTrigger, '/');
+            $cpTrigger = trim(Cms::config()->cpTrigger, '/');
+
+            expect(app(PreventRequestForgery::class)->getExcludedPaths())->toContain(
+                'csrf-compatibility',
+                'csrf-compatibility/*',
+                "$actionTrigger/csrf-compatibility",
+                "$actionTrigger/csrf-compatibility/*",
+                "$cpTrigger/$actionTrigger/csrf-compatibility",
+                "$cpTrigger/$actionTrigger/csrf-compatibility/*",
+            );
+        } finally {
+            $property->setValue(null, $original);
+        }
+    });
+}