CSRF disabled API
#1

Good morning,

I'm having trouble isolating the CSRF protection to just my pages.

I would like this check not to be done for the API, but I came across this conflict:
Code:
public $globals = [
    'before' => [
        'autorizacao' => [
            'except' => [
                'dashboard/login',
                'ajax/usuario/login',
                'dashboard/esqueceu-senha',
                'api/*'
            ]
        ],
        'csrf' => [ // THIS RULE IS NOT WORKING
            'except' => [
                'api/*'
            ]
        ],
    ],
    'after' => [
        'toolbar',
    ],
];

It seems to me that there is a conflict with this rule:
Code:
public $methods = [
    'post' => ['csrf']
];

because the "api/*" endpoints are always checked due to the "method" being set to "post".
#2

I made a change in the sources of the script "system/Filters/Filters.php", so that you can review the "excepts" before running the Filters:

Code:
public function initialize(?string $uri = null)
{
    if ($this->initialized === true) {
        return $this;
    }

    $this->processGlobals($uri);
    $this->processMethods();
    $this->processFilters($uri);
    $this->processExceptGlobals($uri); // <- ADD METHOD

    // Set the toolbar filter to the last position to be executed
    if (in_array('toolbar', $this->filters['after'], true)
        && ($count = count($this->filters['after'])) > 1
        && $this->filters['after'][$count - 1] !== 'toolbar'
    ) {
        array_splice($this->filters['after'], array_search('toolbar', $this->filters['after'], true), 1);
        $this->filters['after'][] = 'toolbar';
    }

    $this->processAliasesToClass('before');
    $this->processAliasesToClass('after');

    $this->initialized = true;

    return $this;
}

I created this method:

Code:
protected function processExceptGlobals(?string $uri = null)
{
    if (! isset($this->config->globals['before'])) {
        return;
    }

    // Normalise the URI the same way the other process* methods do
    $uri = strtolower(trim($uri ?? '', '/ '));

    foreach ($this->config->globals['before'] as $alias => $rules) {
        if (! is_array($rules) || ! isset($rules['except'])) {
            continue;
        }

        // If the current URI is listed under 'except' for this alias,
        // drop every occurrence of the alias from the 'before' list,
        // including the copies added by $methods
        if ($this->pathApplies($uri, $rules['except'])) {
            foreach ($this->filters['before'] as $key => $filter) {
                if ($filter === $alias) {
                    unset($this->filters['before'][$key]);
                }
            }
        }
    }
}
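Before relying on an 'except' entry such as 'api/*', it is worth checking exactly which URIs it covers. The script below is an added example, not code from the thread or from CodeIgniter: a stand-alone replica of the matching that the pathApplies() call above performs. It assumes the CI 4.x behaviour (URI lowercased and trimmed of slashes, '/' escaped, '*' expanded to '.*', whole-string match, an empty pattern list matching everything); check it against the copy in your installed system/Filters/Filters.php, because that is the code that actually runs.

```php
<?php
// Added example, not from the thread or from CodeIgniter itself.
// Stand-alone replica of how CodeIgniter 4 decides whether an 'except'
// pattern such as 'api/*' applies to a request URI.
// Assumption: mirrors Filters::pathApplies() in CI 4.x. Verify against
// your installed system/Filters/Filters.php before trusting the results.

/** Normalise a request URI the way the Filters class does before matching. */
function normalizeUri(?string $uri): string
{
    return strtolower(trim($uri ?? '', '/ '));
}

/**
 * True when any pattern in $paths matches the whole normalised $uri.
 * An empty pattern list matches everything, so 'except' => [] would
 * switch the filter off for every URI (assumed CI behaviour, see above).
 */
function pathApplies(string $uri, $paths): bool
{
    if (empty($paths)) {
        return true;
    }

    foreach ((array) $paths as $path) {
        // Escape the path separator, then turn the pseudo-wildcard into a regex.
        $path = str_replace('/', '\/', trim($path, '/ '));
        $path = strtolower(str_replace('*', '.*', $path));

        if (preg_match('#^' . $path . '$#', $uri) === 1) {
            return true;
        }
    }

    return false;
}

/**
 * For each sample URI, report whether a global filter with the given
 * 'except' list still runs. Returns [uri => bool], true meaning "runs".
 */
function filterRunsFor(array $uris, array $except): array
{
    $result = [];
    foreach ($uris as $raw) {
        $result[$raw] = ! pathApplies(normalizeUri($raw), $except);
    }

    return $result;
}

// Constructed sample URIs covering the common surprises.
$samples = [
    '/api/users',       // exempt: matches api/*
    'API/v1/Users/',    // exempt: matching is case-insensitive, slashes trimmed
    'api',              // NOT exempt: 'api/*' needs the slash
    'apiv2/users',      // NOT exempt: no separator after 'api'
    'dashboard/api/x',  // NOT exempt: pattern is anchored at the start
    'dashboard/login',  // NOT exempt
];

foreach (filterRunsFor($samples, ['api/*']) as $uri => $runs) {
    printf("%-18s csrf filter %s\n", $uri, $runs ? 'RUNS' : 'skipped (except)');
}
```

Note that the wildcard expansion is the only special handling: other regex metacharacters in a pattern are passed through as-is, so keep 'except' entries to plain path segments and '*'.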
#3

You should never modify system files! If you need to make changes, extend the system classes.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#4

If you set csrf in $globals, you don't need to set it in $methods.
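The advice above avoids the conflict without touching system files: 'except' is honoured for entries in $globals, but $methods entries have no 'except', so any POST matched there is filtered regardless. The config below is an added example of app/Config/Filters.php (mine, not the thread author's or CodeIgniter's own) with the CSRF filter registered once, under $globals. The 'autorizacao' alias is the thread's own authorisation filter and its class name here is an assumption. Two caveats for this layout: the CSRF filter verifies tokens only on state-changing requests such as POST, so listing it under $methods gains nothing; and exempting api/* from CSRF is only safe if those routes do not authenticate by the browser's session cookie, because 'autorizacao' is also skipped for api/*, so the API must check its own credentials (for example a bearer token) on every request.

```php
<?php
// Added example of app/Config/Filters.php for CodeIgniter 4.
// Not the thread author's config and not CodeIgniter's shipped file.

namespace Config;

use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;
use CodeIgniter\Filters\DebugToolbar;

class Filters extends BaseConfig
{
    // Filter aliases. \App\Filters\Autorizacao is an assumed class name for
    // the thread's own 'autorizacao' filter.
    public $aliases = [
        'csrf'        => CSRF::class,
        'toolbar'     => DebugToolbar::class,
        'autorizacao' => \App\Filters\Autorizacao::class,
    ];

    // Global filters: 'except' is honoured here, so this is the only place
    // the csrf alias is registered.
    public $globals = [
        'before' => [
            'autorizacao' => [
                'except' => [
                    'dashboard/login',
                    'ajax/usuario/login',
                    'dashboard/esqueceu-senha',
                    'api/*', // the API must authenticate requests itself
                ],
            ],
            'csrf' => [
                'except' => [
                    'api/*', // token-authenticated API, no cookie session
                ],
            ],
        ],
        'after' => [
            'toolbar',
        ],
    ];

    // Intentionally empty: a 'post' => ['csrf'] entry here has no 'except'
    // and would re-apply the CSRF check to every POST, including api/*.
    public $methods = [];

    // Per-route filters; none needed for this setup.
    public $filters = [];
}
```

After changing the config, confirm the behaviour from both sides: a POST to a dashboard route without the csrf token must be rejected, and a POST to an api/* route without the token but with a valid API credential must succeed.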



