One possible solution is to modify the VerifyCsrfToken middleware to exclude certain subdomains from CSRF protection. This can be done by adding a condition to the shouldPassThrough method that checks the current subdomain and excludes it if it matches a list of allowed subdomains.
Here's an example implementation:
<?php
// app/Http/Middleware/VerifyCsrfToken.php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * Subdomains whose requests skip CSRF token verification.
     */
    protected $exceptSubdomains = [
        'staging',
    ];

    /**
     * Skip verification when the request's subdomain is on the exception
     * list; otherwise defer to the parent middleware's own check.
     *
     * Relies on a custom subdomain() method on the Request object.
     */
    protected function shouldPassThrough($request)
    {
        foreach ($this->exceptSubdomains as $subdomain) {
            if ($request->subdomain() === $subdomain) {
                return true;
            }
        }

        return parent::shouldPassThrough($request);
    }
}
In this example, we've added a property $exceptSubdomains that contains a list of subdomains that should be excluded from CSRF protection. We then override the shouldPassThrough method to check if the current subdomain matches any of the allowed subdomains, and if so, return true to skip CSRF protection.
Note that this implementation assumes that you have a custom subdomain method on your Request object that returns the current subdomain. You may need to implement this method yourself depending on your application's routing setup.
Also note that excluding certain subdomains from CSRF protection may introduce security risks, so be sure to carefully consider the implications before implementing this solution.
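One way to implement the subdomain check the answer above assumes, as an added stand-alone example rather than code from the answer or from Laravel: the function names `extractSubdomain` and `csrfExemptByHost` and the sample hosts are constructed here. It matches the host strictly against the application's base domain, so the exemption fires only for exactly one label in front of it and not for look-alike hosts.

```php
<?php
// Added example (hypothetical helpers, not Laravel's API).
//
// Return the single label in front of $baseDomain, or null when the host is
// not exactly one level below it. Exact suffix matching means hosts such as
// "staging.example.com.other.test" or "xstaging.example.com" do not count
// as the "staging" subdomain.
function extractSubdomain(string $host, string $baseDomain): ?string
{
    // Normalise: lower-case, drop a port and a trailing dot.
    $host = strtolower(preg_replace('/:\d+$/', '', $host));
    $host = rtrim($host, '.');
    $suffix = '.' . strtolower($baseDomain);

    if (strlen($host) <= strlen($suffix) || substr($host, -strlen($suffix)) !== $suffix) {
        return null;
    }

    $label = substr($host, 0, -strlen($suffix));

    // Exactly one DNS label (no dots), using the hostname label grammar.
    if (!preg_match('/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/', $label)) {
        return null;
    }

    return $label;
}

// Decide whether a request host is on the CSRF exception list.
// Comparison is strict (===) so only an exact label match is exempt.
function csrfExemptByHost(string $host, string $baseDomain, array $exceptSubdomains): bool
{
    $sub = extractSubdomain($host, $baseDomain);

    return $sub !== null && in_array($sub, $exceptSubdomains, true);
}

// Constructed sample hosts: exact match, match with a port, a different
// subdomain, a suffix look-alike, and a nested label.
foreach ([
    'staging.example.com',
    'staging.example.com:8443',
    'www.example.com',
    'staging.example.com.other.test',
    'api.staging.example.com',
] as $host) {
    printf("%-32s exempt=%s\n", $host, csrfExemptByHost($host, 'example.com', ['staging']) ? 'yes' : 'no');
}
```

Because the decision rests on the Host header, feed it only a host that Laravel's trusted-hosts configuration has already accepted; otherwise a client can pick the host value that reaches this check.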