chaoyu/app/middleware/Csrf.php

<?php
namespace app\middleware;

use Closure;

/**
 * CSRF校验
 */
class Csrf 
{
    public function handle($request, Closure $next)
    {
        $csrfToken = session('_token');
        if (empty($csrfToken)) {
            $csrfToken = randomStr(1, 32);
            session('_token', $csrfToken);
        }
        $paramToken = input('param._token', '');
        if (!empty($paramToken)) {
            if ($paramToken != $csrfToken) {
                return $this->csrfError($request);
            }
        } elseif($request->isPost() || $request->isAjax()) {
            if (empty($paramToken) || $paramToken != $csrfToken) {
                return $this->csrfError($request);
            }
            //HTTP_REFERER 认证
            $referer = $_SERVER['HTTP_REFERER'] ?? null;
            if(!empty($referer)) {
                $domain = $request->domain();
                $urlInfo = parse_url($referer);
                $scheme = $urlInfo['scheme'] ?? '';
                $requestSrc = '';
                if (!empty($scheme)) {
                    $requestSrc = $scheme.'://'.($urlInfo['host'] ?? '');
                }
                if($domain != $requestSrc) {
                    return $this->csrfError($request);
                }
            }
        }
        $request->csrfToken = $csrfToken;
        return $next($request);
    }

    protected function csrfError($request, $msg = '非法请求, 用户身份认证失败!')
    {
        if($request->isAjax()) {
            return json(['code'=>401, 'msg'=>$msg],200);
        } else {
            $referer = $_SERVER['HTTP_REFERER'] ?? null;
            if (empty($referer)) {
                $url = '/';
            } else {
                $domain = $request->domain();
                $urlInfo = parse_url($referer);
                $scheme = $urlInfo['scheme'] ?? '';
                $requestSrc = '';
                if (!empty($scheme)) {
                    $requestSrc = $scheme.'://'.($urlInfo['host'] ?? '');
                }
                if($domain != $requestSrc) {
                    $url = '/';
                } else {
                    $url = 'javascript:history.back(-1);';
                }
            }
            $errorData = [
                'code'=> 401,
                'msg' => $msg,
                'data' => [],
                'wait' => 5,
                'url' => $url
            ];
            return view('error/400', $errorData);
            // 返回401视图 response type has html、json、jsonp、xml、file、view、redirect
        }
    }
}
更新：迁移cms基本信息，初始化超宇项目 2020-11-25 09:07:06 +08:00			`<?php`
			`namespace app\middleware;`

			`use Closure;`

			`/**`
			`* CSRF校验`
			`*/`
			`class Csrf`
			`{`
			`public function handle($request, Closure $next)`
			`{`
			`$csrfToken = session('_token');`
			`if (empty($csrfToken)) {`
			`$csrfToken = randomStr(1, 32);`
			`session('_token', $csrfToken);`
			`}`
			`$paramToken = input('param._token', '');`
			`if (!empty($paramToken)) {`
			`if ($paramToken != $csrfToken) {`
			`return $this->csrfError($request);`
			`}`
			`} elseif($request->isPost() \|\| $request->isAjax()) {`
			`if (empty($paramToken) \|\| $paramToken != $csrfToken) {`
			`return $this->csrfError($request);`
			`}`
			`//HTTP_REFERER 认证`
			`$referer = $_SERVER['HTTP_REFERER'] ?? null;`
			`if(!empty($referer)) {`
			`$domain = $request->domain();`
			`$urlInfo = parse_url($referer);`
			`$scheme = $urlInfo['scheme'] ?? '';`
			`$requestSrc = '';`
			`if (!empty($scheme)) {`
			`$requestSrc = $scheme.'://'.($urlInfo['host'] ?? '');`
			`}`
			`if($domain != $requestSrc) {`
			`return $this->csrfError($request);`
			`}`
			`}`
			`}`
			`$request->csrfToken = $csrfToken;`
			`return $next($request);`
			`}`

			`protected function csrfError($request, $msg = '非法请求, 用户身份认证失败!')`
			`{`
			`if($request->isAjax()) {`
			`return json(['code'=>401, 'msg'=>$msg],200);`
			`} else {`
			`$referer = $_SERVER['HTTP_REFERER'] ?? null;`
			`if (empty($referer)) {`
			`$url = '/';`
			`} else {`
			`$domain = $request->domain();`
			`$urlInfo = parse_url($referer);`
			`$scheme = $urlInfo['scheme'] ?? '';`
			`$requestSrc = '';`
			`if (!empty($scheme)) {`
			`$requestSrc = $scheme.'://'.($urlInfo['host'] ?? '');`
			`}`
			`if($domain != $requestSrc) {`
			`$url = '/';`
			`} else {`
			`$url = 'javascript:history.back(-1);';`
			`}`
			`}`
			`$errorData = [`
			`'code'=> 401,`
			`'msg' => $msg,`
			`'data' => [],`
			`'wait' => 5,`
			`'url' => $url`
			`];`
			`return view('error/400', $errorData);`
			`// 返回401视图 response type has html、json、jsonp、xml、file、view、redirect`
			`}`
			`}`
			`}`