Disabling CSRF in Laravel 11

[colinmackinlay]

Since upgrading to L11 I get an error when submitting support bubble requests: CSRF token mismatch.

I have the suggested exception inVerifyCsrfToken.php:

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    protected $except = [
        'support-bubble',
    ];
}

This worked fine pre-upgrade but now that middleware is dealt with differently this class isn't part of the applied middleware. I don't really want to manually apply all the standard middleware and just change VerifyCsrfToken to my own one.

Can anyone help?

PS I've filed this under bugs but its probably more about a documentation update being needed for L11 and CSRF

[jonodonovan]

Did you get it to work?

[colinmackinlay]

@jonodonovan unfortunately not. I've disabled it entirely for now which is a shame. If I get time I'd like to try it in a fresh L11 installation which I expect to work and then try to work out what breaks it in my setup.

[jonodonovan]

I found the fix

In boostrap/app add

->withMiddleware(function (Middleware $middleware) {
        $middleware->validateCsrfTokens(except: [
			'support-bubble',
		]);
    })

Then update the env file from

QUEUE_CONNECTION=database

to

QUEUE_CONNECTION=sync

Tested working locally and prod

[colinmackinlay]

@jonodonovan magic! Fixed for me - didn't need to change my queue in local or production. I've created a pull request to readme.md