Welcome Guest, Not a member yet? Register   Sign In
CSRF via http header?
#1

I looked through the docs and it didn't seem like it was supported, but as time has moved on many of us use front end frameworks like Vue or Angular. Since the front end javascript frameworks are handling our forms, it becomes a little tedious to attach the csrf token to every form we're going to upload.

Will CI4 also accept a csrf token being passed in via the http header on post? At least in the library that I use (Axios), it would be easy to setup every form post to include the csrf token from the beginning via the header. As far as I know, you can't add them as post data by default.
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
Reply
#2

Check this stackoverflow link https://stackoverflow.com/questions/4552...e-template
Reply
#3

(This post was last modified: 09-30-2018, 11:48 PM by unodepiera.)

(09-30-2018, 10:56 PM)albertleao Wrote: I looked through the docs and it didn't seem like it was supported, but as time has moved on many of us use front end frameworks like Vue or Angular. Since the front end javascript frameworks are handling our forms, it becomes a little tedious to attach the csrf token to every form we're going to upload.

Will CI4 also accept a csrf token being passed in via the http header on post? At least in the library that I use (Axios), it would be easy to setup every form post to include the csrf token from the beginning via the header. As far as I know, you can't add them as post data by default.

I your Angular, React or Vue app is not inside your project you not need send a CSRF token via HTTP Header, you can send Authorization Header combined with some filter before the request has been processed like this:

App/Filters/ApiAuth.php filter
PHP Code:
<?php
namespace App\Filters;

use 
CodeIgniter\Filters\FilterInterface;
use 
CodeIgniter\HTTP\RequestInterface;
use 
CodeIgniter\HTTP\ResponseInterface;
use 
CodeIgniter\Services;

class 
ApiAuth implements FilterInterface {

    
/**
     * Do whatever processing this filter needs to do.
     * By default it should not return anything during
     * normal execution. However, when an abnormal state
     * is found, it should return an instance of
     * CodeIgniter\HTTP\Response. If it does, script
     * execution will end and that Response will be
     * sent back to the client, allowing for error pages,
     * redirects, etc.
     *
     * @param \CodeIgniter\HTTP\RequestInterface $request
     *
     * @return mixed
     */
    
public function beforeRequestInterface $request ) {
        if ( ! 
$request->getHeader('Authorization') || $request->getHeaderLine('Authorization') !== 'SUPERTOKEN') {
            
$response Services::response();
            return 
$response->setJSON(['res' => 'Unauthorized']);
        }
    }

    
/**
     * Allows After filters to inspect and modify the response
     * object as needed. This method does not allow any way
     * to stop execution of other after filters, short of
     * throwing an Exception or Error.
     *
     * @param \CodeIgniter\HTTP\RequestInterface $request
     * @param \CodeIgniter\HTTP\ResponseInterface $response
     *
     * @return mixed
     */
    
public function afterRequestInterface $requestResponseInterface $response ) {
        
// TODO: Implement after() method.
    
}


App/Config/Filters.php
PHP Code:
<?php namespace Config;

use 
App\Filters\ApiAuth;
use 
CodeIgniter\Config\BaseConfig;

class 
Filters extends BaseConfig
{
    
// Makes reading things below nicer,
    // and simpler to change out script that's used.
    
public $aliases = [
        
'csrf'       => \App\Filters\CSRF::class,
        
'toolbar' => \App\Filters\DebugToolbar::class,
        
'honeypot' => \App\Filters\Honeypot::class,
        
'api-auth' => ApiAuth::class
    ];

    
// Always applied before every request
    
public $globals = [
        
'before' => [
            
//'honeypot'
            
'csrf' => ['except' => [
                
'api/*'
            
]],
        ],
        
'after'  => [
            
'toolbar',
            
//'honeypot'
        
]
    ];

    public 
$methods = [];

    public 
$filters = [
        
'api-auth' => ['before' => ['api*']]
    ];


If your app is inside your project then you can do it:

Code:
$.ajax({
    url: 'some url',
    type: 'POST',
    data: {
        '<?php echo csrf_token() ?>': '<?php echo csrf_hash() ?>'
    },
    success: function (data) {
  
    }
})
Reply
#4

but the idea is good - we should support header-csrf tokens for better compatibility. its used by many front end frameworks
Reply
#5

(This post was last modified: 10-01-2018, 03:08 AM by unodepiera.)

(10-01-2018, 02:55 AM)puschie Wrote: but the idea is good - we should support header-csrf tokens for better compatibility. its used by many front end frameworks

I have been working with Angular, Vuejs and React for a long time and I always manage authorization with tokens using Bearer, usually with JWT, never with CSRF, but it is my experience. The reason is that it is a standard applicable to any project and does not depend on the Framework.
Reply




Theme © iAndrew 2016 - Forum software by © MyBB