zemailnator/bootstrap/app.php

<?php

use App\Http\Middleware\ImpersonationMiddleware;
use App\Http\Middleware\Locale;
use App\Http\Middleware\WebhookRateLimit;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware): void {
        $middleware->web(append: [
            Locale::class,
            ImpersonationMiddleware::class,
        ]);
        $middleware->alias([
            'impersonation' => ImpersonationMiddleware::class,
            'webhook.rate_limit' => WebhookRateLimit::class,
        ]);
        $middleware->validateCsrfTokens(except: [
            'stripe/*',
            'webhook/oxapay',
            'webhook/*', // All webhook endpoints bypass CSRF
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions): void {
        //
    })->create();