CI 4.2 CSRF issue facing
#1
(This post was last modified: 06-04-2022, 07:03 AM by SubrataJ.)

I am trying to get data for ajax datatable using the post method
Code:
'ajax': {
    'url': site_url + 'head-office/product/get-ajax-product-list',
    'data': function (data) {
        data.csrf_token_name = $("[name='csrf_token_name']").val();
        return {
            data: data
        };
    },
    dataSrc: function (data) {
        $("[name='csrf_token_name']").val(data.hash);
        return data.aaData;
    }
},

the error I am facing is attached below
Code:
{title: "CodeIgniter\Security\Exceptions\SecurityException",…}
code: 403
file: "C:\\xampp\\htdocs\\smaice\\vendor\\codeigniter4\\framework\\system\\Security\\Security.php"
line: 286
message: "The action you requested is not allowed."
title: "CodeIgniter\\Security\\Exceptions\\SecurityException"
trace: [,…]
type: "CodeIgniter\\Security\\Exceptions\\SecurityException"

but token hash is being sent
Code:
data[csrf_token_name]: f57a4b1efb1e46b0fa37c1bc7fe38d46

Please let me know if this is a bug or if I am doing anything wrong here. I have done a lot of work with CSRF in 4.19; I don't know why it is acting differently here.

Thanks in advance.
#2

You are sending the hash in a nested array, but it must be contained in the top one.

You send [ 'data' => ['csrf_token_name' => '....']]
But expected [ 'data' => [], 'csrf_token_name' => '....']

In any case, you can send the hash in the header.
#3

(This post was last modified: 06-04-2022, 09:27 AM by SubrataJ.)

(06-04-2022, 08:57 AM)iRedds Wrote: You are sending the hash in a nested array, but it must be contained in the top one.

You send  [ 'data' => ['csrf_token_name' => '....']]
But expected [ 'data' => [], 'csrf_token_name' => '....']

In any case, you can send the hash in the header.

PHP Code:
Array
(
    [data] => Array
        (
            [draw] => 1
            [columns] => Array
                (
                    [0] => Array
                        (
                            [data] => slNo
                            [name] => 
                            [searchable] => true
                            [orderable] => true
                            [search] => Array
                                (
                                    [value] => 
                                    [regex] => false
                                )

                        )

                    [1] => Array
                        (
                            [data] => image
                            [name] => 
                            [searchable] => true
                            [orderable] => false
                            [search] => Array
                                (
                                    [value] => 
                                    [regex] => false
                                )

                        )

                    [2] => Array
                        (
                            [data] => title
                            [name] => 
                            [searchable] => true
                            [orderable] => true
                            [search] => Array
                                (
                                    [value] => 
                                    [regex] => false
                                )

                        )

                    [3] => Array
                        (
                            [data] => category
                            [name] => 
                            [searchable] => true
                            [orderable] => true
                            [search] => Array
                                (
                                    [value] => 
                                    [regex] => false
                                )

                        )

                    [4] => Array
                        (
                            [data] => price
                            [name] => 
                            [searchable] => true
                            [orderable] => true
                            [search] => Array
                                (
                                    [value] => 
                                    [regex] => false
                                )

                        )

                    [5] => Array
                        (
                            [data] => status
                            [name] => 
                            [searchable] => true
                            [orderable] => false
                            [search] => Array
                                (
                                    [value] => 
                                    [regex] => false
                                )

                        )

                    [6] => Array
                        (
                            [data] => action
                            [name] => 
                            [searchable] => true
                            [orderable] => false
                            [search] => Array
                                (
                                    [value] => 
                                    [regex] => false
                                )

                        )

                )

            [order] => Array
                (
                    [0] => Array
                        (
                            [column] => 4
                            [dir] => asc
                        )

                )

            [start] => 0
            [length] => 20
            [search] => Array
                (
                    [value] => 
                    [regex] => false
                )

            [csrf_token_name] => f57a4b1efb1e46b0fa37c1bc7fe38d46
        )

)


This is how I am receiving it inside the controller, check it, Sir. I have got data in the same way in the previous version 4.19. Thank you.
#4

If you look at the code that extracts the hash of the token, you will see that the hash is not looked up in nested arrays.
So if you didn't get any errors, then your CSRF protection wasn't working.

https://github.com/codeigniter4/CodeIgni...#L321-L338
PHP Code:
private function getPostedToken(RequestInterface $request): ?string
{
    // Does the token exist in POST, HEADER or optionally php://input - json data.
    if ($request->hasHeader($this->headerName) && ! empty($request->header($this->headerName)->getValue())) {
        $tokenName = $request->header($this->headerName)->getValue();
    } else {
        $body = (string) $request->getBody();
        $json = json_decode($body);

        if ($body !== '' && ! empty($json) && json_last_error() === JSON_ERROR_NONE) {
            $tokenName = $json->{$this->tokenName} ?? null;
        } else {
            $tokenName = null;
        }
    }

    return $request->getPost($this->tokenName) ?? $tokenName;
}
#5

(06-04-2022, 09:25 AM)SubrataJ Wrote:
(06-04-2022, 08:57 AM)iRedds Wrote: You are sending the hash in a nested array, but it must be contained in the top one.

You send  [ 'data' => ['csrf_token_name' => '....']]
But expected [ 'data' => [], 'csrf_token_name' => '....']

In any case, you can send the hash in the header.

PHP Code: (the same print_r dump already shown in post #3)

This is how I am receiving it inside the controller, check it, Sir. I have got data in the same way in the previous version 4.19. Thank you.
Thanks, it works now.