Reputation: 7351
In Laravel 5.2 the web middleware is included on all routes by default. However, I would like to disable this middleware for all routes within my Api route group without having to specify in each controller to ignore the web middleware.
I do not wish to remove the middleware altogether, as this is a hybrid app serving both types of clients and still requires the xsrf-checking. Is there a way to ignore or 'except' middleware per route group?
Upvotes: 4
Views: 4012
Reputation: 5855
Since Laravel 7.7 you can use the excluded_middleware property, e.g.:
    Route::group([
        'prefix' => 'forgot-password',
        'excluded_middleware' => ['auth'],
    ], function () {
        Route::post('send-email', 'ForgotPasswordController@sendEmail');
        Route::post('save-new-password', 'ForgotPasswordController@saveNewPassword');
    });
Upvotes: 3
Reputation: 6438
You may separate your routes file into another file. Check the RouteServiceProvider class. In the map method, add another line:
    public function map(Router $router)
    {
        $this->mapWebRoutes($router);
        // This method will register your routes which don't need the 'web' middleware
        $this->mapNoMiddlewareRoutes($router);
    }
Then add the mapNoMiddlewareRoutes method:
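    protected function mapNoMiddlewareRoutes(Router $router)
    {
        // No 'middleware' key in this group, so routes loaded here
        // do not get the 'web' middleware group (including its CSRF check).
        $router->group([
            'namespace' => $this->namespace,
        ], function ($router) {
            require app_path('Http/no_middleware_routes.php');
        });
    }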
Finally, add a no_middleware_routes.php file within the app/Http folder.
    Route::get('/foo', function () {
        return ['foo' => 'bar'];
    });
Based on this article, you can use the except attribute.
    // app/Http/Middleware/VerifyCsrfToken.php
    protected $except = [
        'webhook/*'
    ];
As you can see from the example, you can utilize wildcards for route matching or define each one individually. Internally, this array is run through $request->is and you can find more details about that in the requests documentation.
Read more in the CSRF Protection documentation.
Upvotes: 2
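An added example (not part of either answer, and not Laravel's own source): a stand-alone PHP script for reviewing how much of an app a CSRF `$except` list exempts. It assumes the wildcard semantics behind `$request->is` are "escape the pattern, then treat `*` as `.*`"; the function names and the sample paths are hypothetical.

```php
<?php
// Added example: approximates the wildcard matching applied to
// VerifyCsrfToken::$except so the exempted surface can be reviewed offline.

/** Return true when $path is matched by an $except-style pattern. */
function exceptPatternMatches(string $pattern, string $path): bool
{
    // Assumption: surrounding slashes are trimmed on both sides before comparing.
    $pattern = $pattern === '/' ? $pattern : trim($pattern, '/');
    $path = trim($path, '/');
    if ($path === '') {
        $path = '/';
    }
    if ($pattern === $path) {
        return true;
    }
    // Escape regex metacharacters, then turn each literal "*" into ".*".
    // ".*" also crosses "/" boundaries, so one wildcard covers every depth.
    $regex = str_replace('\*', '.*', preg_quote($pattern, '#'));

    return preg_match('#^' . $regex . '\z#u', $path) === 1;
}

/** Return the subset of $paths that at least one $except pattern exempts. */
function csrfExemptPaths(array $except, array $paths): array
{
    return array_values(array_filter($paths, function (string $path) use ($except) {
        foreach ($except as $pattern) {
            if (exceptPatternMatches($pattern, $path)) {
                return true;
            }
        }
        return false;
    }));
}

// Constructed sample data: request paths of a hypothetical hybrid app.
$paths = ['webhook', 'webhook/stripe', 'webhook/stripe/v2/events',
          'webhooks-admin/delete', 'account/delete'];

// The pattern from the answer, next to a broader one that drops the "/".
foreach ([['webhook/*'], ['webhook*']] as $except) {
    echo implode(', ', $except), " exempts:\n";
    foreach (csrfExemptPaths($except, $paths) as $path) {
        echo "  {$path}\n";
    }
}
```

Running the script against an application's real route list shows which state-changing routes lose the xsrf check when a pattern is written without its separating slash.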