CodeIgniter Forums
CSRF via http header? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forumdisplay.php?fid=30)
+--- Thread: CSRF via http header? (/showthread.php?tid=71843)

CSRF via http header? - albertleao - 09-30-2018

I looked through the docs and it didn't seem like it was supported, but as time has moved on many of us use front end frameworks like Vue or Angular. Since the front end javascript frameworks are handling our forms, it becomes a little tedious to attach the csrf token to every form we're going to upload.

Will CI4 also accept a csrf token being passed in via the http header on post? At least in the library that I use (Axios), it would be easy to setup every form post to include the csrf token from the beginning via the header. As far as I know, you can't add them as post data by default.

RE: CSRF via http header? - scalla - 09-30-2018

Check this stackoverflow link https://stackoverflow.com/questions/45523101/how-to-refer-laravel-csrf-field-inside-a-vue-template

RE: CSRF via http header? - unodepiera - 09-30-2018

(09-30-2018, 10:56 PM)albertleao Wrote: I looked through the docs and it didn't seem like it was supported, but as time has moved on many of us use front end frameworks like Vue or Angular. Since the front end javascript frameworks are handling our forms, it becomes a little tedious to attach the csrf token to every form we're going to upload.

Will CI4 also accept a csrf token being passed in via the http header on post? At least in the library that I use (Axios), it would be easy to setup every form post to include the csrf token from the beginning via the header. As far as I know, you can't add them as post data by default.

I your Angular, React or Vue app is not inside your project you not need send a CSRF token via HTTP Header, you can send Authorization Header combined with some filter before the request has been processed like this:

App/Filters/ApiAuth.php filter
PHP Code:
<?php
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\Services;

class ApiAuth implements FilterInterface {

    /**
     * Do whatever processing this filter needs to do.
     * By default it should not return anything during
     * normal execution. However, when an abnormal state
     * is found, it should return an instance of
     * CodeIgniter\HTTP\Response. If it does, script
     * execution will end and that Response will be
     * sent back to the client, allowing for error pages,
     * redirects, etc.
     *
     * @param \CodeIgniter\HTTP\RequestInterface $request
     *
     * @return mixed
     */
    public function beforeRequestInterface $request ) {
        if ( ! $request->getHeader('Authorization') || $request->getHeaderLine('Authorization') !== 'SUPERTOKEN') {
            $response Services::response();
            return $response->setJSON(['res' => 'Unauthorized']);
        }
    }

    /**
     * Allows After filters to inspect and modify the response
     * object as needed. This method does not allow any way
     * to stop execution of other after filters, short of
     * throwing an Exception or Error.
     *
     * @param \CodeIgniter\HTTP\RequestInterface $request
     * @param \CodeIgniter\HTTP\ResponseInterface $response
     *
     * @return mixed
     */
    public function afterRequestInterface $requestResponseInterface $response ) {
        // TODO: Implement after() method.
    }


App/Config/Filters.php
PHP Code:
<?php namespace Config;

use App\Filters\ApiAuth;
use CodeIgniter\Config\BaseConfig;

class Filters extends BaseConfig
{
    // Makes reading things below nicer,
    // and simpler to change out script that's used.
    public $aliases = [
        'csrf'       => \App\Filters\CSRF::class,
        'toolbar' => \App\Filters\DebugToolbar::class,
        'honeypot' => \App\Filters\Honeypot::class,
        'api-auth' => ApiAuth::class
    ];

    // Always applied before every request
    public $globals = [
        'before' => [
            //'honeypot'
            'csrf' => ['except' => [
                'api/*'
            ]],
        ],
        'after'  => [
            'toolbar',
            //'honeypot'
        ]
    ];

    public $methods = [];

    public $filters = [
        'api-auth' => ['before' => ['api*']]
    ];


If your app is inside your project then you can do it:

Code:
$.ajax({
    url: 'some url',
    type: 'POST',
    data: {
        '<?php echo csrf_token() ?>': '<?php echo csrf_hash() ?>'
    },
    success: function (data) {
  
    }
})


RE: CSRF via http header? - puschie - 10-01-2018

but the idea is good - we should support header-csrf tokens for better compatibility. its used by many front end frameworks

RE: CSRF via http header? - unodepiera - 10-01-2018

(10-01-2018, 02:55 AM)puschie Wrote: but the idea is good - we should support header-csrf tokens for better compatibility. its used by many front end frameworks

I have been working with Angular, Vuejs and React for a long time and I always manage authorization with tokens using Bearer, usually with JWT, never with CSRF, but it is my experience. The reason is that it is a standard applicable to any project and does not depend on the Framework.