Skip CSRF on embed route to support sessions (#50)

Fixes #33 and #39

Co-authored-by: Laurin Stapf <72888948+LaurinStapf@users.noreply.github.com>
Co-authored-by: J. Glück <65236355+JGlueck-WIKA@users.noreply.github.com>

Author: 3 people

routes/api.php

@@ -1,6 +1,6 @@
 <?php
 
 use WireElements\WireExtender\Http\Controllers\EmbedController;
-use WireElements\WireExtender\Http\Controllers\InjectController;
 
-Route::any('livewire/embed', EmbedController::class);
+Route::any('livewire/embed', EmbedController::class)
+    ->name('wire-extender.embed');

src/Http/Middlewares/IgnoreForWireExtender.php

@@ -19,6 +19,11 @@ trait IgnoreForWireExtender
      */
     public function handle($request, Closure $next)
     {
+        // Embed route must be skipped, otherwise it will not work with sessions
+        if ($request->routeIs('wire-extender.embed')) {
+            return $next($request);
+        }
+
         // We only care about requests from an embedded component
         if (! $this->isLivewireUpdateRequest($request)) {
             return parent::handle($request, $next);
@@ -41,7 +46,7 @@ public function handle($request, Closure $next)
     private function isLivewireUpdateRequest($request): bool
     {
         return $request->method() === 'POST' &&
-            app(LivewireManager::class)->getUpdateUri() === $request->getRequestUri() &&
+            $request->getRequestUri() === app(LivewireManager::class)->getUpdateUri() &&
             $request->hasHeader('X-Wire-Extender') &&
             $request->hasHeader('X-Livewire');
     }