34 lines
1.0 KiB
PHP
34 lines
1.0 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use Closure;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\App;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
|
|
class VerifyTokenOrigin
|
|
{
|
|
public function handle(Request $request, Closure $next): Response
|
|
{
|
|
$requestAgent = strtolower($request->header('User-Agent'));
|
|
// Only enforce this block in production
|
|
if (! App::hasDebugModeEnabled()) {
|
|
$blockedClients = ['postman', 'curl', 'insomnia'];
|
|
|
|
foreach ($blockedClients as $client) {
|
|
if (str_contains($requestAgent, $client)) {
|
|
return response()->json(['message' => 'API clients are not allowed in production.'], 403);
|
|
}
|
|
}
|
|
|
|
// Optional: Only allow browsers
|
|
if (! str_contains($requestAgent, 'mozilla') && ! str_contains($requestAgent, 'chrome')) {
|
|
return response()->json(['message' => 'Requests must come from a browser in production.'], 403);
|
|
}
|
|
}
|
|
|
|
return $next($request);
|
|
}
|
|
}
|