@ananth-iyer
Last active October 30, 2023 10:33
Magento 2.3.0: Implement the code below to skip the CSRF check on a custom route that is called from outside the Magento environment. This implementation does not break core frontend/adminhtml routes on Magento 2.3/2.2/2.1 web stores.
<?php
namespace Vendor\Module\Plugin;

class CsrfValidatorSkip
{
    /**
     * Skip CSRF validation for the custom route; delegate everything else to core.
     *
     * @param \Magento\Framework\App\Request\CsrfValidator $subject
     * @param \Closure $proceed
     * @param \Magento\Framework\App\RequestInterface $request
     * @param \Magento\Framework\App\ActionInterface $action
     * @return void
     */
    public function aroundValidate(
        $subject,
        \Closure $proceed,
        $request,
        $action
    ) {
        /* Magento 2.1.x, 2.2.x */
        if ($request->getModuleName() === 'Your_Module_frontName_Here') {
            return; // Skip CSRF check
        }
        /* Magento 2.3.x: strpos() matches the string anywhere in the path,
           not only when it is the route's frontName. */
        if (strpos($request->getOriginalPathInfo(), 'Add_Controller_frontName') !== false) {
            return; // Skip CSRF check
        }
        $proceed($request, $action); // Proceed Magento 2 core functionalities
    }
}
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <type name="Magento\Framework\App\Request\CsrfValidator">
        <plugin name="csrf_validator_skip" type="Vendor\Module\Plugin\CsrfValidatorSkip" />
    </type>
</config>
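
The 2.3.x branch of the plugin uses strpos(), which skips validation for every request whose original path contains the string. As an added example (not part of the gist), this standalone PHP script compares that test with an exact match on the first path segment; the function names, the `payhook` frontName and the sample paths are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the gist's code. Function names and the 'payhook'
// frontName are hypothetical; the sample paths below are constructed.

/** The gist's 2.3.x test: true when $needle occurs anywhere in the path. */
function substringMatch(string $pathInfo, string $needle): bool
{
    return strpos($pathInfo, $needle) !== false;
}

/** Stricter test: true only when the first path segment is an exempt frontName. */
function firstSegmentMatch(string $pathInfo, array $exemptFrontNames): bool
{
    $path = explode('?', $pathInfo, 2)[0];       // ignore a query string, if any
    $segments = explode('/', trim($path, '/'));  // "/a/b/c" -> ['a', 'b', 'c']
    return in_array($segments[0], $exemptFrontNames, true);
}

$samples = [
    '/payhook/callback/index',                // the intended custom route
    '/payhook',                               // frontName only
    '/catalog/product/view/id/5/ref/payhook', // different route, string in a parameter
    '/payhooks/other/index',                  // different frontName sharing a prefix
    '/checkout/cart/add',                     // unrelated core route
    '',                                       // empty path info
];

// Print, for each path, what each test would decide.
printf("%-42s %-10s %s\n", 'path', 'substring', 'first-segment');
foreach ($samples as $path) {
    printf(
        "%-42s %-10s %s\n",
        $path === '' ? '(empty)' : $path,
        substringMatch($path, 'payhook') ? 'skip' : 'validate',
        firstSegmentMatch($path, ['payhook']) ? 'skip' : 'validate'
    );
}
```

In the plugin, the stricter test would be called as `firstSegmentMatch($request->getOriginalPathInfo(), ['Add_Controller_frontName'])` in place of the `strpos()` condition, assuming the frontName is the first segment of the original path info.
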
@RaulAmnislabs

Perfect solution, thanks.

@j0um

j0um commented Jun 25, 2019

Thank you very much!

@cosminbosutar

Thank you very much!

@sunnykatiyar50

Where to create the CsrfValidatorSkip.php?

@ananth-iyer
Author

sunnykatiyar50

Where to create the CsrfValidatorSkip.php?

Reply:
Can you see the namespace line of this file?

@afloesch

Perfect thanks!

@sarveshlucent

@ananth-iyer Where can I put di.xml, and if a di.xml file already exists, what is the solution?
Thanks

@sarveshlucent

@ananth-iyer One more question. If I create multiple modules, do I need to add these files to each and every module?

@ananth-iyer
Author

@sarveshlucent You copy the node from di.xml and put it in your di.xml, then change it to your module namespace.
Yes, it is good to add these files in each & every module so they don't depend on each other.

@sarveshlucent

sarveshlucent commented Nov 6, 2019

@ananth-iyer So please check my new di.xml.
Can I write it like this?
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <!-- Add Plugin for add custom link in navigation -->
    <type name="Magento\Theme\Block\Html\Topmenu">
        <plugin name="add_menu_item_plugin_new" type="Lucent\MageBrand\Plugin\Topmenu" sortOrder="20" disabled="false"/>
    </type>
    <type name="Magento\Framework\App\Request\CsrfValidator">
        <plugin name="csrf_validator_skip" type="Lucent\MageBrand\Plugin\CsrfValidatorSkip" />
    </type>
</config>

@sarveshlucent

@ananth-iyer
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <!-- Add Plugin for add custom link in navigation -->
    <type name="Magento\Theme\Block\Html\Topmenu">
        <plugin name="add_menu_item_plugin_new" type="Lucent\MageBrand\Plugin\Topmenu" sortOrder="20" disabled="false"/>
    </type>
    <type name="Magento\Framework\App\Request\CsrfValidator">
        <plugin name="csrf_validator_skip" type="Lucent\MageBrand\Plugin\CsrfValidatorSkip" />
    </type>
</config>

Is this the right way?

@ananth-iyer
Author

@sarveshlucent Yes, it is the right way.

@AsadKhan95

Sir, I have an issue. I have only a frontend routes.xml whose name is jazzcashm. Do I need to write it like this:

if ($request->getModuleName() == 'jazzcashm') {
    return; // Skip CSRF check
}

I wrote exactly the same, but it is not working for me.

@ananth-iyer
Author

@AsadKhan95 Can I know the Magento 2 version?

@jchristo1

Thank you very much. It was very helpful.

@rehanmobin

thanks!

@ananth-iyer
Author

I have noticed that it is not working in Magento 2.3.x and will update CsrfValidatorSkip.php soon.

@enx1998

enx1998 commented Jun 18, 2020

Hi Ananth Iyer,
did you find a solution for Magento 2.3.x for the null problem of $request->getModuleName()?
Thanks ENx.

@ananth-iyer
Author

ananth-iyer commented Jun 18, 2020

Hey @enx1998,
You can check both updated files for Magento 2.3.x and the fix for the null problem of $request->getModuleName().

@enx1998

enx1998 commented Jun 18, 2020

Hi @ananth-iyer,
thanks for your code. I found the solution strpos($request->getOriginalPathInfo(), 'Add_Controller_frontName') !== false works great with Magento 2.3.
Thanks ENX


ghost commented Jul 3, 2020

Hi sir, it was working fine for me too on Magento 2.3, but after restarting my project I'm getting
Exception #0 (InvalidArgumentException): Plugin class Module\Vendor\Plugin\CsrfValidatorSkip doesn't exist
because I didn't include this CsrfValidatorSkip.php.
So where do I have to create this file: in my plugin folder or the project vendor folder?
Please reply.

@ananth-iyer
Author

@pankaj-swarankar Create the CsrfValidatorSkip.php file in the Plugin folder.

@a-mahmoudieh

Excellent for Magento 2.3.5-p2.

@sergioevl

Works on Magento 2.4. Thanks.

@kess78

kess78 commented Jul 16, 2021

Sorry to bother, but unfortunately I'm not able to implement your solution (and in effect it's exactly what I need, so thank you in advance!)

  • Created Directory app/code/MyVendorName
  • Created Directory app/code/MyVendorName/MyModuleName
  • Created Directory app/code/MyVendorName/MyModuleName/etc
  • Created file app/code/MyVendorName/MyModuleName/etc/di.xml and copied the contents you provided here (adapted <plugin name="csrf_validator_skip" type="MyVendorName\MyModuleName\Plugin\CsrfValidatorSkip" />)
  • Created Directory app/code/MyVendorName/MyModuleName/Plugin
  • Created file app/code/MyVendorName/MyModuleName/Plugin/CsrfValidatorSkip.php and copied the contents you provided here (adapted namespace MyVendorName\MyModuleName\Plugin and also changed Add_Controller_frontName)

Then I've run:
bin/magento setup:upgrade && bin/magento setup:di:compile

How can I determine if the plugin works or not? Or better, how can I know if the plugin is loaded or not? I still receive a 302 response when I try to POST data to https://mysite.com/Add_Controller_frontName.

Magento version is 2.3.6-p1

Thank you for your contribution and for your help

@adarsh-ceymox

Perfect solution! thanks mate

@ananth-iyer
Author

Hi All, here is another gist to easily enable/disable Xdebug on local - https://gist.github.com/ananth-iyer/cc45380c5f722aedd35a3e9a40ed8c35
