Login

Gary · 04-24-2020, 03:58 PM

Of course, one needs to get the Javascript to intercept it client-side too.

This is the after filter:

Code:
    public function after(RequestInterface $request, ResponseInterface $response) {

        $response->populateHeaders();

        $format = $response->getHeaderLine('content-type');

        if (strpos($format, 'html') === FALSE) {

            $body = $response->getBody();

            $body = sendCSRF().$body;

            $response->setBody($body);

        }

        return;

    }

And sendCSRF() is a simple custom helper function that produces the token with a termination marker the Javascript slices the (in my case) leading token off after:

Code:
function sendCSRF(string $string='') {

        return (csrf_hash().'XX-YOUR-CUSTOM-TOKEN-END-DEMARCATION-CHARS-XX'.$string);

    }

Currently it gets sent with all JavaScript responses, but it would be easy enough to customise, for example by which headers were on the outgoing response.

I use sendCSRF() elsewhere (which is why it has a string paramerter passed in, it can obviously be omitted).