CSRF middleware still being applied #43

@jasonmccreary

Hey-o! I'm very interested in using this package for Shift. Unfortunately, I wasn't able to get the demo to work.

I dug around a bit, and it seems the wire-extender.js isn't sending the headers (e.g. X-Wire-Extender). In addition, the URI being called is not livewire/update, but livewire/embed. Without these, the isLivewireUpdateRequest returns false and the default VerifyCsrfToken middleware is applied.

Even with these, the middleware still fails when checking the payload. My component had name directly, not under snapshot.memo.name.

-            $snapshot = json_decode($component['snapshot'], true);
-            $component = $snapshot['memo']['name'] ?? false;
+            $component = $component['name'] ?? false;
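
Review bot: on the `+` line the snapshot lookup is removed outright, so a payload that carries the name only under snapshot.memo.name now resolves to false. Consider reading $component['name'] first and falling back to the decoded snapshot, keeping `?? false` as the final default so an unrecognized payload shape still fails closed. Because this value comes from the request payload and, per the description above, feeds the check that decides whether VerifyCsrfToken is applied, it is also worth confirming it is a string before use. The assignment also overwrites the $component array with its own name; a separate variable would be easier to follow.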

In the end, I was able to get my component working with session data (auth user) after bypassing the additional header and URI checks, as well as changing the payload structure.

I'd love to see this package working as intended. I'm glad to help in any way I can. But I'm not familiar enough with Livewire internals to know the right way to fix this.
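
As an added illustration (not code from the issue author or from the package), the sketch below shows a CSRF-exemption decision that accepts both payload shapes described above and fails closed on anything else. The function names, the `components` payload key, and the path and component allowlists are assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Hypothetical helper, not the package's code: component name from either payload shape.
function componentName(array $component): ?string
{
    $name = $component['name'] ?? null;              // name at the top level
    if ($name === null && is_string($component['snapshot'] ?? null)) {
        $snapshot = json_decode($component['snapshot'], true);
        $name = is_array($snapshot) ? ($snapshot['memo']['name'] ?? null) : null;
    }
    return is_string($name) && $name !== '' ? $name : null;
}

// Returns true only when every check passes; any doubt keeps CSRF verification on.
// $paths and $embeddable are assumed allowlists supplied by configuration.
function maySkipCsrf(string $path, array $headers, array $payload, array $paths, array $embeddable): bool
{
    $headers = array_change_key_case($headers, CASE_LOWER);
    if (!isset($headers['x-wire-extender'])) {
        return false;
    }
    if (!in_array(trim($path, '/'), $paths, true)) {
        return false;
    }
    $components = $payload['components'] ?? null;    // assumed payload key
    if (!is_array($components) || $components === []) {
        return false;
    }
    foreach ($components as $component) {
        $name = is_array($component) ? componentName($component) : null;
        if ($name === null || !in_array($name, $embeddable, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample requests.
$paths = ['livewire/update'];
$embeddable = ['counter'];
$headers = ['X-Wire-Extender' => '1'];
$flat = ['components' => [['name' => 'counter']]];
$nested = ['components' => [['snapshot' => json_encode(['memo' => ['name' => 'counter']])]]];
$other = ['components' => [['name' => 'admin-panel']]];
var_dump(maySkipCsrf('livewire/update', $headers, $flat, $paths, $embeddable));
var_dump(maySkipCsrf('livewire/update', $headers, $nested, $paths, $embeddable));
var_dump(maySkipCsrf('livewire/update', $headers, $other, $paths, $embeddable));
var_dump(maySkipCsrf('livewire/embed', $headers, $flat, $paths, $embeddable));
var_dump(maySkipCsrf('livewire/update', [], $flat, $paths, $embeddable));
```

Only the first two calls are exempted; the unlisted component, the unlisted path, and the request without the header all stay under normal CSRF verification.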
