api防X攻击中间件

app/api/middleware.php

@@ -0,0 +1,14 @@
+<?php
+// 全局中间件定义文件
+return [
+
+    // Session初始化
+    // \think\middleware\SessionInit::class,
+
+    // 系统操作日志
+    // \app\admin\middleware\SystemLog::class,
+
+    // Csrf安全校验
+    \app\api\middleware\CsrfMiddleware::class,
+
+];

app/api/middleware/CsrfMiddleware.php

@@ -0,0 +1,40 @@
+<?php
+namespace app\api\middleware;
+
+use app\Request;
+use CsrfVerify\drive\ThinkphpCache;
+use CsrfVerify\entity\CsrfVerifyEntity;
+use CsrfVerify\interfaces\CsrfVerifyInterface;
+use think\facade\Session;
+
+class CsrfMiddleware
+{
+    use \app\common\traits\JumpTrait;
+
+    public function handle(Request $request, \Closure $next)
+    {
+        if (env('EASYADMIN.IS_CSRF', true)) {
+            if (!in_array($request->method(), ['GET', 'HEAD', 'OPTIONS'])) {
+
+                // 跨域校验
+                $refererUrl = $request->header('REFERER', null);
+                $refererInfo = parse_url($refererUrl);
+                $host = $request->host(true);
+                if (!isset($refererInfo['host']) || $refererInfo['host'] != $host) {
+                    $this->error('当前请求不合法！');
+                }
+
+                // CSRF校验
+                $ckCsrfToken = $request->post('ckCsrfToken', null);
+                $data = !empty($ckCsrfToken) ? ['__token__' => $ckCsrfToken] : [];
+
+                $check = $request->checkToken('__token__', $data);
+                if (!$check) {
+                    $this->error('请求验证失败，请重新刷新页面！');
+                }
+
+            }
+        }
+        return $next($request);
+    }
+}