✨ WIP: added custom CSRF middleware for SPA routes

Introduced `VerifySpaCsrfToken` middleware to enhance CSRF handling for SPAs. Configured middleware stack with conditional CSRF verification based on config flags. Added configuration options for CSRF cookie customization in `config/socialment.php`.

Author: chrisreedio

config/socialment.php

@@ -37,6 +37,14 @@
             // Replace with your own JsonResource class if you want to customize the response
             // 'me' => \ChrisReedIO\Socialment\Http\Resources\UserResponse::class,
         ],
+        'cookies' => [
+            'csrf' => [
+                'custom' => false, // Experimental
+                'name' => env('SOCIALMENT_SPA_CSRF_NAME', 'XSRF-TOKEN'),
+                'header' => env('SOCIALMENT_SPA_CSRF_HEADER', 'X-XSRF-TOKEN'),
+                'domain' => env('SOCIALMENT_SPA_DOMAIN', env('SESSION_DOMAIN')),
+            ],
+        ],
     ],
 
     'models' => [

routes/spa.php

@@ -3,8 +3,27 @@
 use ChrisReedIO\Socialment\Http\Controllers\CsrfCookieController;
 use ChrisReedIO\Socialment\Http\Controllers\SocialmentController;
 use ChrisReedIO\Socialment\Http\Controllers\SpaAuthController;
+use ChrisReedIO\Socialment\Http\Middleware\VerifySpaCsrfToken;
+use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
+use Illuminate\Cookie\Middleware\EncryptCookies;
+use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
+use Illuminate\Routing\Middleware\SubstituteBindings;
+use Illuminate\Session\Middleware\StartSession;
 use Illuminate\Support\Facades\Route;
+use Illuminate\View\Middleware\ShareErrorsFromSession;
 
+// Define middleware stack, replacing VerifyCsrfToken if config flag is set
+// $spaMiddleware = [
+//     EncryptCookies::class,
+//     AddQueuedCookiesToResponse::class,
+//     StartSession::class,
+//     ShareErrorsFromSession::class,
+//     config('socialment.spa.cookies.csrf.custom') ? VerifySpaCsrfToken::class : VerifyCsrfToken::class,
+//     SubstituteBindings::class,
+// ];
+
+// Apply custom middleware stack to SPA routes
+// Route::middleware($spaMiddleware)->group(function () {
 // Custom SPA specific route for getting a CSRF cookie
 Route::get('sanctum/csrf-cookie', [CsrfCookieController::class, 'show'])->name('csrf-cookie');
 // Non-Social User Login
@@ -13,7 +32,9 @@
 Route::get('login/{provider}', [SocialmentController::class, 'redirectSpa'])
     ->name('redirect');
 // Authenticated Routes
-Route::middleware(['auth:sanctum'])->group(function () {
+// Route::middleware(['auth:sanctum'])->group(function () {
+Route::middleware(['auth'])->group(function () {
     Route::post('logout', [SpaAuthController::class, 'logout'])->name('logout');
     Route::get('me', [SpaAuthController::class, 'me'])->name('me');
 });
+// });

src/Http/Middleware/VerifySpaCsrfToken.php

@@ -0,0 +1,70 @@
+<?php
+
+namespace ChrisReedIO\Socialment\Http\Middleware;
+
+use Closure;
+use Illuminate\Contracts\Encryption\DecryptException;
+use Illuminate\Cookie\CookieValuePrefix;
+use Illuminate\Cookie\Middleware\EncryptCookies;
+use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Cookie;
+use Symfony\Component\HttpFoundation\Response;
+
+class VerifySpaCsrfToken extends VerifyCsrfToken
+{
+    /**
+     * Get the CSRF token from the request.
+     *
+     * @param  Request  $request
+     * @return string|null
+     */
+    protected function getTokenFromRequest($request): ?string
+    {
+        $headerName = config('socialment.spa.cookies.csrf.header', 'X-XSRF-TOKEN');
+        $token = $request->input('_token') ?: $request->header($headerName);
+
+        if (! $token && $header = $request->header($headerName)) {
+            try {
+                $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
+            } catch (DecryptException) {
+                $token = '';
+            }
+        }
+
+        return $token;
+    }
+
+    /**
+     * Create a new "XSRF-TOKEN" cookie that contains the CSRF token.
+     *
+     * @param  Request  $request
+     * @param  array  $config
+     * @return Cookie
+     */
+    protected function newCookie($request, $config): Cookie
+    {
+        return new Cookie(
+            config('socialment.spa.cookies.csrf.name', 'XSRF-TOKEN'),
+            $request->session()->token(),
+            $this->availableAt(60 * $config['lifetime']),
+            $config['path'],
+            config('socialment.spa.cookies.csrf.domain') ?? $config['domain'],
+            $config['secure'],
+            false,
+            false,
+            $config['same_site'] ?? null,
+            $config['partitioned'] ?? false
+        );
+    }
+
+    /**
+     * Determine if the cookie contents should be serialized.
+     *
+     * @return bool
+     */
+    public static function serialized(): bool
+    {
+        return EncryptCookies::serialized(config('socialment.spa.cookies.csrf.name', 'XSRF-TOKEN'));
+    }
+}

src/SocialmentServiceProvider.php

@@ -2,23 +2,30 @@
 
 namespace ChrisReedIO\Socialment;
 
+use ChrisReedIO\Socialment\Http\Middleware\VerifySpaCsrfToken;
 use ChrisReedIO\Socialment\Testing\TestsSocialment;
 use Filament\Support\Assets\Asset;
 use Filament\Support\Facades\FilamentAsset;
 use Filament\Support\Facades\FilamentIcon;
 use Illuminate\Filesystem\Filesystem;
+use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
 use Illuminate\Support\Facades\Route;
 use Livewire\Features\SupportTesting\Testable;
 use Spatie\LaravelPackageTools\Commands\InstallCommand;
 use Spatie\LaravelPackageTools\Package;
 use Spatie\LaravelPackageTools\PackageServiceProvider;
 
+use function array_merge;
+use function config;
+
 class SocialmentServiceProvider extends PackageServiceProvider
 {
     public static string $name = 'socialment';
 
     public static string $viewNamespace = 'socialment';
 
+    public static string $middlewareGroupName = 'web_spa';
+
     public function configurePackage(Package $package): void
     {
         /*
@@ -59,18 +66,28 @@ public function configurePackage(Package $package): void
     public function packageRegistered(): void
     {
         $this->app->singleton(SocialmentPlugin::class, fn () => new SocialmentPlugin());
-    }
 
-    public function packageBooted(): void
-    {
-        Route::macro('spaAuth', function (string $prefix = 'spa') {
+        Route::macro('spaInit', function (string $prefix = 'spa') {
             $namePrefix = 'socialment.spa.';
             $namePrefix .= ($prefix === 'spa') ? 'default.' : "{$prefix}.";
 
-            Route::middleware('web')
-                ->prefix($prefix)
-                ->as($namePrefix)
-                ->group(__DIR__ . '/../routes/spa.php');
+            $useCustomCsrf = config('socialment.spa.cookies.csrf.custom');
+
+            $dashboardSpaMiddleware = [
+                \Illuminate\Cookie\Middleware\EncryptCookies::class,
+                \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
+                \Illuminate\Session\Middleware\StartSession::class,
+                \Illuminate\View\Middleware\ShareErrorsFromSession::class,
+                $useCustomCsrf
+                    ? \ChrisReedIO\Socialment\Http\Middleware\VerifySpaCsrfToken::class
+                    : \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class,
+                \Illuminate\Routing\Middleware\SubstituteBindings::class,
+            ];
+
+            Route::middlewareGroup(SocialmentServiceProvider::$middlewareGroupName, $dashboardSpaMiddleware);
+
+            // Route::middleware([SocialmentServiceProvider::$middlewareGroupName])
+            //     ->group(__DIR__.'/../routes/spa.php');
 
             // Now add this to the cors paths
             config([
@@ -83,8 +100,103 @@ public function packageBooted(): void
             config([
                 'cors.supports_credentials' => true,
             ]);
+            // collect(Route::getRoutes())
+            //     ->filter(fn ($route) => str_starts_with($route->uri(), $prefix))
+            //     ->each(function (\Illuminate\Routing\Route $route) use ($dashboardSpaMiddleware) {
+            //         $route->action['middleware'] = array_values(array_diff($route->action['middleware'], ['web']));
+            //         $route->middleware($dashboardSpaMiddleware);
+            //     });
         });
 
+        Route::macro('spaAuth', function (string $prefix = 'spa') {
+            $namePrefix = 'socialment.spa.';
+            $namePrefix .= ($prefix === 'spa') ? 'default.' : "{$prefix}.";
+
+            // $useCustomCsrf = config('socialment.spa.cookies.csrf.custom');
+            // dd($useCustomCsrf);
+
+
+            // $dashboardSpaMiddleware = [
+            //     \Illuminate\Cookie\Middleware\EncryptCookies::class,
+            //     \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
+            //     \Illuminate\Session\Middleware\StartSession::class,
+            //     \Illuminate\View\Middleware\ShareErrorsFromSession::class,
+            //     $useCustomCsrf
+            //         ? \ChrisReedIO\Socialment\Http\Middleware\VerifySpaCsrfToken::class
+            //         : \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class,
+            //     \Illuminate\Routing\Middleware\SubstituteBindings::class,
+            // ];
+            //
+            // // dd($dashboardSpaMiddleware);
+            //
+            // Route::middlewareGroup(SocialmentServiceProvider::$middlewareGroupName, $dashboardSpaMiddleware);
+
+            Route::middleware([SocialmentServiceProvider::$middlewareGroupName])
+                // ->prefix($prefix)
+                // ->as($namePrefix)
+                ->group(__DIR__.'/../routes/spa.php');
+
+            // Now add this to the cors paths
+            // config([
+            //     'cors.paths' => array_merge(config('cors.paths'), [
+            //         "{$prefix}/*",
+            //     ]),
+            // ]);
+
+            // Set the supports_credentials flag or the frontend can't send the goodies
+            // config([
+            //     'cors.supports_credentials' => true,
+            // ]);
+
+            // Apply middleware conditionally to all routes with the '/dashboard' prefix
+            // Route::middlewareGroup('spa', [
+            //     \Illuminate\Cookie\Middleware\EncryptCookies::class,
+            //     \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
+            //     \Illuminate\Session\Middleware\StartSession::class,
+            //     \Illuminate\View\Middleware\ShareErrorsFromSession::class,
+            //     config('socialment.spa.cookies.csrf.custom')
+            //         ? VerifySpaCsrfToken::class
+            //         : VerifyCsrfToken::class,
+            //     \Illuminate\Routing\Middleware\SubstituteBindings::class,
+            // ]);
+
+
+            // Apply 'dashboard_spa' group to any routes prefixed with '/dashboard'
+            // Route::middleware('spa')
+            //     ->prefix('dashboard')
+            //     ->group(function () {
+            //         //
+            //     });
+            // Use the `Route` facade to get all routes and modify them if they start with `/dashboard`
+            // collect(Route::getRoutes())
+            //     ->filter(fn ($route) => str_starts_with($route->uri(), $prefix))
+            //     ->each(function (\Illuminate\Routing\Route $route) use ($dashboardSpaMiddleware) {
+            //         // if ($route->uri() === 'dashboard/me') {
+            //         //     dump($route);
+            //         // }
+            //         // dump($route);
+            //         // Replace the middleware stack for this route
+            //         // Unset any 'values' of 'web' in the action's middleware
+            //         $route->action['middleware'] = array_values(array_diff($route->action['middleware'], ['web']));
+            //         // Insert our middleware group name at the start of the array
+            //         // array_unshift($route->action['middleware'], SocialmentServiceProvider::$middlewareGroupName);
+            //         // $route->middleware(SocialmentServiceProvider::$middlewareGroupName);
+            //         $route->middleware($dashboardSpaMiddleware);
+            //         // if ($route->uri() === 'dashboard/me') {
+            //         // dump($route);
+            //         // $middleware = $route->gatherMiddleware();
+            //         // dd($middleware);
+            //         // dd('done');
+            //         // }
+            //         // }
+            //     });
+            // dd('done');
+        });
+
+    }
+
+    public function packageBooted(): void
+    {
         // Asset Registration
         FilamentAsset::register(
             $this->getAssets(),
@@ -101,7 +213,7 @@ public function packageBooted(): void
 
         // Handle Stubs
         if (app()->runningInConsole()) {
-            foreach (app(Filesystem::class)->files(__DIR__ . '/../stubs/') as $file) {
+            foreach (app(Filesystem::class)->files(__DIR__.'/../stubs/') as $file) {
                 $this->publishes([
                     $file->getRealPath() => base_path("stubs/socialment/{$file->getFilename()}"),
                 ], 'socialment-stubs');