Questions about csrf protection

working forward protecting my site, I enabled csrf protection and noted two effects, which I do not understand:
1) I use jquery autocomplete which calls a function which is not in the "except" list for csrf and the ajax call also do not pass any token. Still, the autocomplete works. Is this magic?
2) In trying to understand the effect under 1), I added the two methods PUT and GET to csrf in Filters.php:

Code:

public array $methods = [
        'GET'  => ['csrf'],
        'POST' => ['csrf'],
    ];

However, after doing this, the functions listed in the except list were blocked although they were not before. In my case it was the POST method. Taking it away from the $methods list, made everything return as before. Does the definition of the $method array overwrite the except list?
I can live with this two effects at the moment, since 1) I do not want to filter autocomplete and 2) I don't need the $methods array, but I'd like to know for the future...
Thank you btw for the good work! Everything works perfectly as soon as one understand how to use it.

Run ./spark routes in terminal. Show applied filters for URL

See https://github.com/codeigniter4/CodeIgni...s.php#L398
Order:

PHP Code:

            $this->processFilters($uri);
            $this->processMethods();
            $this->processGlobals($uri); 


Simple CI 4 project for beginners codeigniter-expenses ( topic )

Run ./spark routes in terminal. Show applied filters for URL

See https://github.com/codeigniter4/CodeIgni...s.php#L398
Order:

PHP Code:

            $this->processFilters($uri);
            $this->processMethods();
            $this->processGlobals($uri); 


Thank you.
So If I understand right, the $methods should not override the $globals i.e. the "except" list.
Here the output of spark routes WITH the $methods filled with GET & POST (the csrf seems to be just added by setting the $methods):

Code:

+-----------+----------------------------+--------------------+--------------------------------------------------------------------+---------------------------------------+---------------+
| Method    | Route                      | Name              | Handler                                                            | Before Filters                        | After Filters |
+-----------+----------------------------+--------------------+--------------------------------------------------------------------+---------------------------------------+---------------+
| GET      | /                          | »                  | \App\Controllers\Catalogue::index                                  | setcurrentlocale csrf csrf            | toolbar      |
| GET      | catalogue                  | »                  | \App\Controllers\Catalogue::index                                  | setcurrentlocale csrf csrf            | toolbar      |
| GET      | catalogue/(.*)            | »                  | \App\Controllers\Catalogue::$1                                    | setcurrentlocale csrf csrf            | toolbar      |
| GET      | maintenance/(.*)          | »                  | \App\Controllers\Maintenance::$1                                  | setcurrentlocale csrf group          | toolbar      |
| GET      | stats/(.*)                | »                  | \App\Controllers\Stats::$1                                        | setcurrentlocale csrf csrf            | toolbar      |
| GET      | forum/(.*)                | »                  | \App\Controllers\Forum::$1                                        | setcurrentlocale csrf                | toolbar      |
| GET      | register                  | »                  | \CodeIgniter\Shield\Controllers\RegisterController::registerView  | setcurrentlocale csrf csrf auth-rates | toolbar      |
| GET      | login                      | »                  | \CodeIgniter\Shield\Controllers\LoginController::loginView        | setcurrentlocale csrf csrf auth-rates | toolbar      |
| GET      | login/magic-link          | magic-link        | \CodeIgniter\Shield\Controllers\MagicLinkController::loginView    | setcurrentlocale csrf csrf auth-rates | toolbar      |
| GET      | login/verify-magic-link    | verify-magic-link  | \CodeIgniter\Shield\Controllers\MagicLinkController::verify        | setcurrentlocale csrf csrf auth-rates | toolbar      |
| GET      | logout                    | »                  | \CodeIgniter\Shield\Controllers\LoginController::logoutAction      | setcurrentlocale csrf csrf            | toolbar      |
| GET      | auth/a/show                | auth-action-show  | \CodeIgniter\Shield\Controllers\ActionController::show            | setcurrentlocale csrf csrf auth-rates | toolbar      |
| POST      | catalogue/(.*)            | »                  | \App\Controllers\Catalogue::$1                                    | setcurrentlocale csrf csrf            | toolbar      |
| POST      | maintenance/(.*)          | »                  | \App\Controllers\Maintenance::$1                                  | setcurrentlocale csrf group          | toolbar      |
| POST      | forum/(.*)                | »                  | \App\Controllers\Forum::$1                                        | setcurrentlocale csrf                | toolbar      |
| POST      | register                  | »                  | \CodeIgniter\Shield\Controllers\RegisterController::registerAction | setcurrentlocale csrf csrf auth-rates | toolbar      |
| POST      | login                      | »                  | \CodeIgniter\Shield\Controllers\LoginController::loginAction      | setcurrentlocale csrf csrf auth-rates | toolbar      |
| POST      | login/magic-link          | »                  | \CodeIgniter\Shield\Controllers\MagicLinkController::loginAction  | setcurrentlocale csrf csrf auth-rates | toolbar      |
| POST      | auth/a/handle              | auth-action-handle | \CodeIgniter\Shield\Controllers\ActionController::handle          | setcurrentlocale csrf csrf auth-rates | toolbar      |
| POST      | auth/a/verify              | auth-action-verify | \CodeIgniter\Shield\Controllers\ActionController::verify          | setcurrentlocale csrf csrf auth-rates | toolbar      |

dd

And without:

Code:

+-----------+----------------------------+--------------------+--------------------------------------------------------------------+----------------------------------+---------------+
| Method    | Route                      | Name              | Handler                                                            | Before Filters                  | After Filters |
+-----------+----------------------------+--------------------+--------------------------------------------------------------------+----------------------------------+---------------+
| GET      | /                          | »                  | \App\Controllers\Catalogue::index                                  | setcurrentlocale csrf            | toolbar      |
| GET      | catalogue                  | »                  | \App\Controllers\Catalogue::index                                  | setcurrentlocale csrf            | toolbar      |
| GET      | catalogue/(.*)            | »                  | \App\Controllers\Catalogue::$1                                    | setcurrentlocale csrf            | toolbar      |
| GET      | maintenance/(.*)          | »                  | \App\Controllers\Maintenance::$1                                  | setcurrentlocale group          | toolbar      |
| GET      | stats/(.*)                | »                  | \App\Controllers\Stats::$1                                        | setcurrentlocale csrf            | toolbar      |
| GET      | forum/(.*)                | »                  | \App\Controllers\Forum::$1                                        | setcurrentlocale                | toolbar      |
| GET      | register                  | »                  | \CodeIgniter\Shield\Controllers\RegisterController::registerView  | setcurrentlocale csrf auth-rates | toolbar      |
| GET      | login                      | »                  | \CodeIgniter\Shield\Controllers\LoginController::loginView        | setcurrentlocale csrf auth-rates | toolbar      |
| GET      | login/magic-link          | magic-link        | \CodeIgniter\Shield\Controllers\MagicLinkController::loginView    | setcurrentlocale csrf auth-rates | toolbar      |
| GET      | login/verify-magic-link    | verify-magic-link  | \CodeIgniter\Shield\Controllers\MagicLinkController::verify        | setcurrentlocale csrf auth-rates | toolbar      |
| GET      | logout                    | »                  | \CodeIgniter\Shield\Controllers\LoginController::logoutAction      | setcurrentlocale csrf            | toolbar      |
| GET      | auth/a/show                | auth-action-show  | \CodeIgniter\Shield\Controllers\ActionController::show            | setcurrentlocale csrf auth-rates | toolbar      |
| POST      | catalogue/(.*)            | »                  | \App\Controllers\Catalogue::$1                                    | setcurrentlocale csrf            | toolbar      |
| POST      | maintenance/(.*)          | »                  | \App\Controllers\Maintenance::$1                                  | setcurrentlocale group          | toolbar      |
| POST      | forum/(.*)                | »                  | \App\Controllers\Forum::$1                                        | setcurrentlocale                | toolbar      |
| POST      | register                  | »                  | \CodeIgniter\Shield\Controllers\RegisterController::registerAction | setcurrentlocale csrf auth-rates | toolbar      |
| POST      | login                      | »                  | \CodeIgniter\Shield\Controllers\LoginController::loginAction      | setcurrentlocale csrf auth-rates | toolbar      |
| POST      | login/magic-link          | »                  | \CodeIgniter\Shield\Controllers\MagicLinkController::loginAction  | setcurrentlocale csrf auth-rates | toolbar      |
| POST      | auth/a/handle              | auth-action-handle | \CodeIgniter\Shield\Controllers\ActionController::handle          | setcurrentlocale csrf auth-rates | toolbar      |
| POST      | auth/a/verify              | auth-action-verify | \CodeIgniter\Shield\Controllers\ActionController::verify          | setcurrentlocale csrf auth-rates | toolbar      |

The mentioned autocomplete functions are in the Catalogue class controller

First, if you set the csrf filter to GET requests, it does not protect the GET requests (does not check the CSRF token).
It just puts a CSRF token in <form> when you use Form helper to create <form> tag.

Warning
The CSRF Protection is only available for POST/PUT/PATCH/DELETE requests. Requests for other methods are not protected.

See https://codeigniter.com/user_guide/libra...rgery-csrf

ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper

I do net set the csrf filter to GET, the first example was only to show what happens if I define the $methods array. My normal setting is the second one, with $methods = []. I do not however understand, why, even in the case where I do not explicitly set $method=['GET'} the csrf filter is applied to GET as shown in the second output...
My ajax calls are always POST.

How did you set the csrf filter?
If you set it in $globals, it will be applied to all URIs.

ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper

I did, as indicated in the documentation under "Enable CSRF Protection", set it in $globals. What would be the other method?

Using $globals is good for most environment.
https://codeigniter.com/user_guide/libra...protection

ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper