fix security issue on checkout

src/MicroweberPackages/Checkout/resources/views/contact_information.blade.php

@@ -10,6 +10,7 @@
 
 {{--faila se namira v: /src/MicroweberPackages/Checkout/resources/views/contact_information.blade.php--}}
     <form method="post" action="{{ route('checkout.contact_information_save') }}">
+        @csrf
         <div class="mt-5 edit nodrop" field="checkout_personal_information_title">
             <h4 class="mb-0"><?php _e("Personal Information"); ?></h4>
             <small class="text-muted d-block mb-2"> <?php _e("Please fill the fields bellow"); ?></small>
@@ -32,7 +33,7 @@
             <input name="email" type="email" value="<?php if (!empty($checkout_session['email'])) echo $checkout_session['email']; ?>" class="form-control @if(isset($errors['email'])) is-invalid @endif">
             @if(isset($errors['email']))<span class="invalid-feedback">{{$errors['email'][0]}}</span>@endif
         </div>
-        
+
         <div class="form-group @if(isset($errors['phone'])) has-danger @endif">
             <label><?php _e("Phone"); ?></label>
             <input name="phone" type="text" value="<?php if (!empty($checkout_session['phone'])) echo $checkout_session['phone']; ?>" class="form-control @if(isset($errors['phone'])) is-invalid @endif">

src/MicroweberPackages/Checkout/resources/views/payment_method.blade.php

@@ -25,6 +25,9 @@
     @endif
 
     <form method="post" action="{{ route('checkout.payment_method_save') }}">
+
+        @csrf
+
         <div class="shop-cart mt-5">
             <label class="font-weight-bold control-label mb-0"><?php _e("Personal information"); ?></label>
             <small class="text-muted d-block mb-2"> <?php _e("Your information"); ?></small>

src/MicroweberPackages/Checkout/resources/views/shipping_method.blade.php

@@ -21,7 +21,7 @@
     @endif
 
     <form method="post" action="{{ route('checkout.shipping_method_save') }}">
-
+        @csrf
         <div class="shop-cart mt-5">
             <label class="font-weight-bold control-label mb-0"><?php _e("Personal information"); ?></label>
             <small class="text-muted d-block mb-2"> <?php _e("Your information"); ?></small>
@@ -35,7 +35,4 @@
 
         <button type="submit" class="btn btn-primary w-100">{{ _e('Continue') }}</button>
     </form>
-
-
-
 @endsection

src/MicroweberPackages/Checkout/routes/web.php

@@ -3,7 +3,7 @@
 // Private
 Route::name('checkout.')
     ->prefix(route_prefix('checkout'))
-    ->middleware([\MicroweberPackages\Checkout\Http\Middleware\CheckoutV2::class])
+    ->middleware([\MicroweberPackages\App\Http\Middleware\VerifyCsrfToken::class, \MicroweberPackages\Checkout\Http\Middleware\CheckoutV2::class])
     ->namespace('\MicroweberPackages\Checkout\Http\Controllers')
     ->group(function () {
 

userfiles/modules/shop/payments/templates/checkout_v2.php

@@ -18,7 +18,7 @@
 
         $.ajax({
             url: "<?php print route('checkout.payment_method_change') ?>",
-            data: {"payment_gw":paymentModulePath},
+            data: {"payment_gw":paymentModulePath, "_token":"<?php echo csrf_token();?>"},
             method: 'POST',
         }).done(function() {
             var newShippingModuleElement = $('<div/>').appendTo('#mw-payment-gateway-module-' + paymentModule);

userfiles/modules/shop/shipping/templates/checkout_v2.php

@@ -3,7 +3,7 @@
         $('.js-shipping-gateway-box').html('');
         $.ajax({
             url: "<?php print route('checkout.shipping_method_change') ?>",
-            data: {"shipping_gw":shippingModulePath},
+            data: {"shipping_gw":shippingModulePath, "_token":"<?php echo csrf_token();?>"},
             method: 'POST',
         }).done(function() {
             mw.reload_module('shop/cart');