2026-02-26 12:02:00 +08:00
|
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
|
|
use Illuminate\Foundation\Application;
|
|
|
|
|
|
use Illuminate\Foundation\Configuration\Exceptions;
|
|
|
|
|
|
use Illuminate\Foundation\Configuration\Middleware;
|
2026-04-19 12:14:10 +08:00
|
|
|
|
use Illuminate\Http\Request;
|
|
|
|
|
|
use Illuminate\Session\TokenMismatchException;
|
|
|
|
|
|
use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
|
2026-02-26 12:02:00 +08:00
|
|
|
|
|
|
|
|
|
|
return Application::configure(basePath: dirname(__DIR__))
|
|
|
|
|
|
->withRouting(
|
|
|
|
|
|
web: __DIR__.'/../routes/web.php',
|
|
|
|
|
|
commands: __DIR__.'/../routes/console.php',
|
|
|
|
|
|
channels: __DIR__.'/../routes/channels.php',
|
|
|
|
|
|
health: '/up',
|
|
|
|
|
|
)
|
2026-02-26 13:35:38 +08:00
|
|
|
|
->withMiddleware(function (Middleware $middleware) {
|
2026-04-19 14:42:42 +08:00
|
|
|
|
$trustedProxies = array_values(array_filter(array_map(
|
|
|
|
|
|
static fn (string $proxy): string => trim($proxy),
|
|
|
|
|
|
explode(',', (string) env('TRUSTED_PROXIES', '127.0.0.1,::1'))
|
|
|
|
|
|
)));
|
|
|
|
|
|
|
2026-03-09 11:53:58 +08:00
|
|
|
|
// 强制解析并信任 CDN (如 Cloudflare) 透传的真实 IP (最高优先级)
|
|
|
|
|
|
$middleware->prepend(\App\Http\Middleware\CloudflareProxies::class);
|
|
|
|
|
|
|
2026-04-19 14:42:42 +08:00
|
|
|
|
// 仅信任显式配置的反向代理 / CDN 节点,避免外部客户端伪造转发头污染 request()->ip()。
|
|
|
|
|
|
// 生产环境需要把实际代理 IP / CIDR 写入 TRUSTED_PROXIES。
|
|
|
|
|
|
$middleware->trustProxies(at: empty($trustedProxies) ? null : $trustedProxies);
|
2026-03-03 13:45:35 +08:00
|
|
|
|
|
2026-02-26 13:35:38 +08:00
|
|
|
|
$middleware->alias([
|
2026-03-09 11:53:58 +08:00
|
|
|
|
'chat.auth' => \App\Http\Middleware\ChatAuthenticate::class,
|
|
|
|
|
|
'chat.level' => \App\Http\Middleware\LevelRequired::class,
|
|
|
|
|
|
'chat.site_owner' => \App\Http\Middleware\SiteOwnerRequired::class,
|
2026-02-28 23:44:38 +08:00
|
|
|
|
'chat.has_position' => \App\Http\Middleware\HasActivePosition::class,
|
2026-02-26 13:35:38 +08:00
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
|
|
// 这一步是为了防止用户访问需要登录的页面时,默认被跳到原版 Laravel 未定义的 login 路由报错
|
|
|
|
|
|
$middleware->redirectGuestsTo('/');
|
2026-02-26 12:02:00 +08:00
|
|
|
|
})
|
|
|
|
|
|
->withExceptions(function (Exceptions $exceptions): void {
|
2026-04-19 12:14:10 +08:00
|
|
|
|
$isChatAjaxRequest = static function (Request $request): bool {
|
|
|
|
|
|
return $request->expectsJson() && $request->is(
|
|
|
|
|
|
'room/*/send',
|
|
|
|
|
|
'room/*/heartbeat',
|
|
|
|
|
|
'room/*/leave',
|
|
|
|
|
|
'room/*/announcement',
|
|
|
|
|
|
'gift/*',
|
|
|
|
|
|
'command/*',
|
|
|
|
|
|
'chatbot/*',
|
|
|
|
|
|
'shop/*'
|
|
|
|
|
|
);
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2026-02-28 23:44:38 +08:00
|
|
|
|
// 聊天室 AJAX 接口:CSRF token 过期(419)时,返回 JSON 提示而非重定向
|
|
|
|
|
|
// 防止浏览器收到 302 后以 GET 方式重请求只允许 POST 的路由,产生 405 错误
|
2026-04-19 12:14:10 +08:00
|
|
|
|
$exceptions->render(function (TokenMismatchException $e, Request $request) use ($isChatAjaxRequest) {
|
|
|
|
|
|
if ($isChatAjaxRequest($request)) {
|
|
|
|
|
|
return response()->json([
|
|
|
|
|
|
'status' => 'error',
|
|
|
|
|
|
'message' => '页面已过期,请刷新后重试。',
|
|
|
|
|
|
], 419);
|
|
|
|
|
|
}
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
// Laravel 在某些环境下会先把 TokenMismatchException 包装成 419 HttpException,
|
|
|
|
|
|
// 这里补一层兜底,确保聊天接口始终返回稳定的 JSON,而不是默认 HTML 错误页。
|
|
|
|
|
|
$exceptions->render(function (HttpExceptionInterface $e, Request $request) use ($isChatAjaxRequest) {
|
|
|
|
|
|
if ($e->getStatusCode() === 419 && $isChatAjaxRequest($request)) {
|
2026-02-28 23:44:38 +08:00
|
|
|
|
return response()->json([
|
|
|
|
|
|
'status' => 'error',
|
|
|
|
|
|
'message' => '页面已过期,请刷新后重试。',
|
|
|
|
|
|
], 419);
|
|
|
|
|
|
}
|
|
|
|
|
|
});
|
2026-02-26 12:02:00 +08:00
|
|
|
|
})->create();
|
