From 70d516b7ceb2d75273c7d2a50e0876f3c1b7ebc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Lecerf?=
Date: Wed, 5 Nov 2014 13:09:12 +0100
Subject: [PATCH] Prevent TokenMismatchException for HTTP OPTIONS requests

`OPTIONS` HTTP requests should be treated in the same way than `GET` requests by the `VerifyCsrfToken` middleware. Otherwise, an exception is thrown, thus preventing any `OPTIONS` route to work.
---
 app/Http/Middleware/VerifyCsrfToken.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/app/Http/Middleware/VerifyCsrfToken.php b/app/Http/Middleware/VerifyCsrfToken.php
index 7f287fcf..be50c1d6 100644
--- a/app/Http/Middleware/VerifyCsrfToken.php
+++ b/app/Http/Middleware/VerifyCsrfToken.php
@@ -17,7 +17,7 @@ class VerifyCsrfToken implements Middleware {
 */
 public function handle($request, Closure $next)
 {
- if ($request->method() == 'GET' || $this->tokensMatch($request))
+ if ($this->isReadOnly($request) || $this->tokensMatch($request))
 {
 return $next($request);
 }
@@ -36,4 +36,15 @@ protected function tokensMatch($request)
 return $request->session()->token() == $request->input('_token');
 }
 
+ /**
+ * Determine if the HTTP request uses a ‘read’ verb.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @return bool
+ */
+ protected function isReadOnly($request)
+ {
+ return in_array($request->method(), ['GET', 'OPTIONS']);
+ }
+
 }
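Review bot: The condition in `handle()` now skips token verification on the request verb alone, and nothing at the call site records the assumption that makes this safe. A one-line comment above the `if` would state it, for example `// Read-only verbs bypass the CSRF check; routes answering them must not change state.` Because `$request->method()` is the only input to that decision, any route that performs writes under an exempt verb is left without CSRF protection. The docblock of `handle()` and its failure branch lie outside the hunk, so what happens on a mismatch is not visible here.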
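Review bot: `isReadOnly()` leaves out `HEAD`, which is as safe as `GET` and would still fail the token check, and its `in_array` call compares loosely. I would write `return in_array($request->method(), ['GET', 'HEAD', 'OPTIONS'], true);`. The docblock could also say that this list is the set of verbs exempt from CSRF verification, since that is its security meaning. Separately, the context line in `tokensMatch()` compares the session token with `==`; a strict, constant-time comparison would be safer there, though that function begins outside this hunk and is not part of this change.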