(09-30-2018, 10:56 PM)albertleao Wrote: I looked through the docs and it didn't seem like it was supported, but as time has moved on many of us use front end frameworks like Vue or Angular. Since the front end javascript frameworks are handling our forms, it becomes a little tedious to attach the csrf token to every form we're going to upload.
Will CI4 also accept a csrf token being passed in via the http header on post? At least in the library that I use (Axios), it would be easy to setup every form post to include the csrf token from the beginning via the header. As far as I know, you can't add them as post data by default.
I your Angular, React or Vue app is not inside your project you not need send a CSRF token via HTTP Header, you can send Authorization Header combined with some filter before the request has been processed like this:
App/Filters/ApiAuth.php filter
PHP Code:
<?php
namespace App\Filters;
use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\Services;
class ApiAuth implements FilterInterface {
/**
* Do whatever processing this filter needs to do.
* By default it should not return anything during
* normal execution. However, when an abnormal state
* is found, it should return an instance of
* CodeIgniter\HTTP\Response. If it does, script
* execution will end and that Response will be
* sent back to the client, allowing for error pages,
* redirects, etc.
*
* @param \CodeIgniter\HTTP\RequestInterface $request
*
* @return mixed
*/
public function before( RequestInterface $request ) {
if ( ! $request->getHeader('Authorization') || $request->getHeaderLine('Authorization') !== 'SUPERTOKEN') {
$response = Services::response();
return $response->setJSON(['res' => 'Unauthorized']);
}
}
/**
* Allows After filters to inspect and modify the response
* object as needed. This method does not allow any way
* to stop execution of other after filters, short of
* throwing an Exception or Error.
*
* @param \CodeIgniter\HTTP\RequestInterface $request
* @param \CodeIgniter\HTTP\ResponseInterface $response
*
* @return mixed
*/
public function after( RequestInterface $request, ResponseInterface $response ) {
// TODO: Implement after() method.
}
}
App/Config/Filters.php
PHP Code:
<?php namespace Config;
use App\Filters\ApiAuth;
use CodeIgniter\Config\BaseConfig;
class Filters extends BaseConfig
{
// Makes reading things below nicer,
// and simpler to change out script that's used.
public $aliases = [
'csrf' => \App\Filters\CSRF::class,
'toolbar' => \App\Filters\DebugToolbar::class,
'honeypot' => \App\Filters\Honeypot::class,
'api-auth' => ApiAuth::class
];
// Always applied before every request
public $globals = [
'before' => [
//'honeypot'
'csrf' => ['except' => [
'api/*'
]],
],
'after' => [
'toolbar',
//'honeypot'
]
];
public $methods = [];
public $filters = [
'api-auth' => ['before' => ['api*']]
];
}
If your app is inside your project then you can do it:
Code:
$.ajax({
url: 'some url',
type: 'POST',
data: {
'<?php echo csrf_token() ?>': '<?php echo csrf_hash() ?>'
},
success: function (data) {
}
})