I am trying to handle requests from another service (Stripe in particular) that are sent without CSRF tokens. Can't seem to get any handler to process them correctly as they are blocked by the CheckCsrfToken middleware. I have tried creating my own middleware with the deprecated ConfigureMiddleware event, and adding the bypassCsrfToken attribute to the request there. However, this still fails because CheckCsrfToken is called before ConfigureMiddleware in the ApiServiceProvider. I am running out of ideas and maybe beginning to think it isn't possible without changes to the core, so I am asking here for any direction or examples of other extensions handling such requests, as I can't seem to find any. Thanks!
EDIT: I was able to "resolve" this by changing ApiServiceProvider.php, and firing the ConfigureMiddleware event before the CheckCsrfToken middleware:
event(new ConfigureMiddleware($pipe, 'api'));
$pipe->pipe($app->make(HttpMiddleware\CheckCsrfToken::class));
$pipe->pipe($app->make(HttpMiddleware\SetLocale::class));
return $pipe;
... but since the event has been marked as deprecated I don't know if this would ever get approved in a pull request. Should I open an issue on GitHub, or is this even considered an issue at all?
EDIT2: The above solution is probably unsafe.
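
A webhook request carries no CSRF token, so an exemption for it has to rest on another check. Stripe signs each delivery in a `Stripe-Signature` header (`t=<unix time>,v1=<hex HMAC-SHA256 of "t.body">`), and the following added example, which is not part of the original post or of Flarum or Stripe code, verifies that header before a handler would trust the request. The function name `verifyStripeSignature`, the placeholder secret and the sample event are assumptions constructed for illustration.

```php
<?php
// Added example (not Flarum or Stripe library code).
// Authenticates a webhook body by its Stripe-Signature header, so that a
// CSRF exemption scoped to the webhook route does not leave it unauthenticated.

function verifyStripeSignature(string $payload, string $header, string $secret,
                               int $tolerance = 300, ?int $now = null): bool
{
    $now = $now ?? time();
    $timestamp = null;
    $candidates = [];
    foreach (explode(',', $header) as $part) {
        $pair = explode('=', trim($part), 2);
        if (count($pair) !== 2) {
            continue; // malformed element, ignore it
        }
        [$key, $value] = $pair;
        if ($key === 't' && ctype_digit($value)) {
            $timestamp = (int) $value;
        } elseif ($key === 'v1') {
            $candidates[] = $value; // several v1 values appear during secret rotation
        }
    }
    if ($timestamp === null || $candidates === []) {
        return false; // header missing or unparsable
    }
    if (abs($now - $timestamp) > $tolerance) {
        return false; // stale timestamp: reject replayed deliveries
    }
    // The signed string is "<timestamp>.<raw request body>", byte for byte.
    $expected = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
    foreach ($candidates as $candidate) {
        if (hash_equals($expected, $candidate)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed sample data (placeholder secret, made-up event body).
$secret = 'whsec_placeholder_for_example';
$body   = '{"id":"evt_constructed","type":"invoice.paid"}';
$t      = 1700000000;
$header = "t=$t,v1=" . hash_hmac('sha256', "$t.$body", $secret);

var_dump(verifyStripeSignature($body, $header, $secret, 300, $t + 10));     // valid delivery
var_dump(verifyStripeSignature($body . ' ', $header, $secret, 300, $t + 10)); // body altered
var_dump(verifyStripeSignature($body, $header, $secret, 300, $t + 3600));   // replayed an hour later
var_dump(verifyStripeSignature($body, '', $secret, 300, $t + 10));          // header absent
```

The check must run on the raw request body as received, before any JSON decoding or re-encoding, because the HMAC covers the exact bytes Stripe sent.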