I'm trying to create a Facebook Page Tab which points to my website. Facebook sends a HTTP POST request to the url of my website. The problem here is that the server has a built-in CSRF check, and it returns the following error:
(Plug.CSRFProtection.InvalidCSRFTokenError) invalid CSRF (Cross Site Forgery Protection) token, make sure all requests include a '_csrf_token' param or an 'x-csrf-token' header`
The server expects a CSRF token that Facebook can't have. So, I want to selectively disable CSRF for the path www.mywebsite.com/facebook.
How can I do it in Phoenix Framework?
The Plug.CSRFProtection is enabled in your router with protect_from_forgery. This is set by default in the browser pipeline. Once a plug has been added, there is no way to disable it, instead it has to be not set in the first place. You can do this by moving it out of browser and only including it when it is required.
defmodule Foo.Router do
use Foo.Web, :router
pipeline :browser do
plug :accepts, ["html"]
plug :fetch_session
plug :fetch_flash
#plug :protect_from_forgery - move this
end
pipeline :csrf do
plug :protect_from_forgery # to here
end
pipeline :api do
plug :accepts, ["json"]
end
scope "/", Foo do
pipe_through [:browser, :csrf] # Use both browser and csrf pipelines
get "/", PageController, :index
end
scope "/", Foo do
pipe_through :browser # Use only the browser pipeline
get "/facebook", PageController, :index #You can use the same controller and actions if you like
end
end
来源:https://stackoverflow.com/questions/32580974/how-to-selectively-disable-csrf-check-in-phoenix-framework