diff --git a/src/MicroweberPackages/App/Http/Middleware/VerifyCsrfToken.php b/src/MicroweberPackages/App/Http/Middleware/VerifyCsrfToken.php
index b836120cdf7..54e53f6fd01 100644
--- a/src/MicroweberPackages/App/Http/Middleware/VerifyCsrfToken.php
+++ b/src/MicroweberPackages/App/Http/Middleware/VerifyCsrfToken.php
@@ -26,6 +26,63 @@ protected function addCookieToResponse($request, $response)
 return parent::addCookieToResponse($request, $response);
 }
+
+ /**
+ * Handle an incoming request.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @param \Closure $next
+ * @return mixed
+ *
+ * @throws \Illuminate\Session\TokenMismatchException
+ */
+ public function handle($request, \Closure $next)
+ {
+
+
+ $token = $this->getTokenFromRequest($request);
+ dd($token);
+exit;
+
+ if (
+ $this->isReading($request) ||
+ $this->runningUnitTests() ||
+ $this->inExceptArray($request) ||
+ $this->tokensMatch($request)
+ ) {
+ return tap($next($request), function ($response) use ($request) {
+ if ($this->shouldAddXsrfTokenCookie()) {
+ $this->addCookieToResponse($request, $response);
+ }
+ });
+ }
+
+
+ throw new TokenMismatchException('CSRF token mismatch.');
+ }
+
+
+
+ /**
+ * Determine if the session and input CSRF tokens match.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @return bool
+ */
+ protected function tokensMatch($request)
+ {
+
+ $token = $this->getTokenFromRequest($request);
+
+
+ return is_string($request->session()->token()) &&
+ is_string($token) &&
+ hash_equals($request->session()->token(), $token);
+ }
+
+
+
+ /**
 * Get the CSRF token from the request.
 *
@@ -45,6 +102,7 @@ protected function getTokenFromRequest($request)
 } else {
 $token = CookieValuePrefix::remove($this->encrypter->decrypt(
 $request->header('X-CSRF-TOKEN'), static::serialized()));
 }
+ return $token;
 }
 /**
diff --git a/src/MicroweberPackages/Module/routes/web.php b/src/MicroweberPackages/Module/routes/web.php
index fc33c5c65fd..eabdb9645dc 100644
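Review bot: `dd($token);` followed by `exit;` at the top of the new `handle()` terminates every request that reaches this middleware and prints the CSRF token into the response before any of the `isReading`/`inExceptArray`/`tokensMatch` checks run, so the guard below it is dead code and every non-excepted POST route is broken. Drop those two lines together with the now-unused `$token = $this->getTokenFromRequest($request);` above them. Once they are gone, the override appears to repeat Illuminate's own `handle()` and `tokensMatch()` line for line, so the `return $token;` fix in the second hunk may be the only override this class actually needs; if that is the case, delete the copies rather than keep them in sync by hand. The runs of blank lines inside both methods would be flattened by the project's formatter.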
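Review bot: The `else` branch in the `getTokenFromRequest` hunk hands the raw `X-CSRF-TOKEN` header straight to `$this->encrypter->decrypt()` with no `DecryptException` handling visible, so a header that is not a valid encrypted payload (tampered, truncated, or simply the plain token a client may send) surfaces as an unhandled exception instead of the `TokenMismatchException` that `handle()` raises and the exception handler turns into a 419; Illuminate's version of this method catches it and treats the token as absent. The start of the method and any enclosing `try` lie outside the hunk, so confirm nothing above already catches it before wrapping the call. The added `return $token;` is the right fix for the previously missing return and should stay outside the new `try`.
```php
// … unchanged: _token / plain-header branch above …
} else {
    try {
        $token = CookieValuePrefix::remove($this->encrypter->decrypt(
            $request->header('X-CSRF-TOKEN'), static::serialized()));
    } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
        // Undecryptable header: treat as no token so tokensMatch() fails closed.
        $token = null;
    }
}
return $token;
```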
--- a/src/MicroweberPackages/Module/routes/web.php
+++ b/src/MicroweberPackages/Module/routes/web.php
@@ -9,11 +9,11 @@ Route::group(['namespace' => '\MicroweberPackages\Module\Http\Controllers'], function () {
 Route::post('/plupload', 'ModuleController@plupload')->middleware([
- \MicroweberPackages\App\Http\Middleware\SameSiteRefererMiddleware::class,
- \MicroweberPackages\App\Http\Middleware\IsAjaxMiddleware::class,
- \MicroweberPackages\App\Http\Middleware\VerifyCsrfToken::class
+ // \MicroweberPackages\App\Http\Middleware\VerifyCsrfToken::class,
+ \MicroweberPackages\App\Http\Middleware\SameSiteRefererMiddleware::class,
+ \MicroweberPackages\App\Http\Middleware\IsAjaxMiddleware::class
 ]);
- // Route::any('plupload/{all}', array('as' => 'plupload', 'uses' => 'ModuleController@plupload'))->where('all', '.*');
+ // Route::any('plupload/{all}', array('as' => 'plupload', 'uses' => 'ModuleController@plupload'))->where('all', '.*');
 //Route::any('/module/', 'ModuleController@index');
 //Route::any('module/{all}', array('as' => 'module', 'uses' => 'ModuleController@index'))->where('all', '.*');
diff --git a/src/MicroweberPackages/Template/Adapters/RenderHelpers/CsrfTokenRequestInlineJsScriptGenerator.js b/src/MicroweberPackages/Template/Adapters/RenderHelpers/CsrfTokenRequestInlineJsScriptGenerator.js
index fa45f58fb34..339770967e5 100644
--- a/src/MicroweberPackages/Template/Adapters/RenderHelpers/CsrfTokenRequestInlineJsScriptGenerator.js
+++ b/src/MicroweberPackages/Template/Adapters/RenderHelpers/CsrfTokenRequestInlineJsScriptGenerator.js
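Review bot: Commenting out `VerifyCsrfToken::class` leaves `POST /plupload` with only `SameSiteRefererMiddleware` and `IsAjaxMiddleware` as its request-forgery controls, and neither is equivalent to a session-bound token: the Referer header is routinely absent or trimmed by browser privacy settings and `Referrer-Policy`, and an is-AJAX check (presumably `X-Requested-With`) is a heuristic rather than a secret. Since `uploader.js` in this same commit now sends `X-CSRF-TOKEN`, the token middleware can stay in the list; if it must be disabled while the server side is debugged, say so in the comment and track restoring it, e.g. `// TODO(csrf): re-enable VerifyCsrfToken once its token handling is fixed`, with the trailing comma kept so it can be uncommented in place. The `Route::any` comment line is a whitespace-only change.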
@@ -14,19 +14,10 @@ $(document).ready(function () {
- if (tokenFromCookie === null) {
- var csrf_from_local_storage_data = mw.cookie.get("csrf-token-data");
- if (csrf_from_local_storage_data) {
- csrf_from_local_storage_data = JSON.parse(csrf_from_local_storage_data);
-
- if (csrf_from_local_storage_data && csrf_from_local_storage_data.value && (new Date()).getTime() < csrf_from_local_storage_data.expiry) {
- _csrf_from_local_storage = csrf_from_local_storage_data.value
- }
- }
- } else {
+ if (tokenFromCookie) {
 _csrf_from_local_storage = tokenFromCookie;
- }
+ }
 if (_csrf_from_local_storage) {
 $('meta[name="csrf-token"]').attr('content', _csrf_from_local_storage);
@@ -40,11 +31,8 @@ $(document).ready(function () {
 setTimeout(function () {
 $.post(route('csrf'), function (data) {
- $.ajaxSetup({
- headers: {
- 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
- }
- });
+ $('meta[name="csrf-token"]').attr('content', data.token);
+ });
 }, 1337);
 }
diff --git a/userfiles/modules/microweber/api/uploader.js b/userfiles/modules/microweber/api/uploader.js
index d2355db006d..7d99774951e 100644
--- a/userfiles/modules/microweber/api/uploader.js
+++ b/userfiles/modules/microweber/api/uploader.js
@@ -360,6 +360,7 @@
 }
 }
+
 var xhrOptions = {
 url: this.getUrl(),
 type: 'post',
@@ -390,6 +391,9 @@
 dataType: 'json',
 xhr: function () {
 var xhr = new XMLHttpRequest();
+
+
+
 xhr.upload.addEventListener('progress', function (event) {
 if (event.lengthComputable) {
 var percent = (event.loaded / event.total) * 100;
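Review bot: In the `$.post(route('csrf'), …)` callback, `data.token` is written to the meta tag unguarded; if the endpoint answers with a non-object body or without a `token` key, the meta is silently left stale or set to an invalid value and nothing reports it, so guard it: `if (data && data.token) { $('meta[name="csrf-token"]').attr('content', data.token); }`. The removed `$.ajaxSetup` was the only place in this hunk that installed the `X-CSRF-TOKEN` default header, so after this change a jQuery request that does not read the meta tag itself keeps whatever header was configured earlier, if any. The first hunk's `if (tokenFromCookie)` now writes the raw `XSRF-TOKEN` cookie value into the same meta, so the server-side header parsing must accept both that value and whatever `data.token` is. The `$(document).ready` callback starts and ends outside both hunks.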
@@ -399,9 +403,34 @@
 $(scope).trigger('progressNative', [percent, event]);
 }
 });
+
+
+
 return xhr;
 }
 };
+ var theToken = null;
+ var tokenFromCookie = mw.cookie.get("XSRF-TOKEN");
+ if(typeof tokenFromCookie !== 'undefined') {
+ theToken = tokenFromCookie;
+ }
+ if(typeof tokenFromCookie === 'undefined') {
+ //
+ var token=mw.top().$('meta[name="csrf-token"]').attr('content');
+ if(token){
+ theToken = token;
+ }
+
+ //xhrOptions.xhr.setRequestHeader('X-CSRF-TOKEN',token );
+ // alert(mw.top().$('meta[name="csrf-token"]').attr('content'))
+ }
+ if (theToken) {
+ $.ajaxSetup({
+ headers: {
+ 'X-CSRF-TOKEN': theToken
+ }
+ });
+ }
 return mw.jqxhr(xhrOptions);
 };
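Review bot: `typeof tokenFromCookie !== 'undefined'` contradicts the check this commit deletes from CsrfTokenRequestInlineJsScriptGenerator.js, which compared the result of `mw.cookie.get(...)` with `null`; if a missing cookie comes back as `null`, `theToken` is set to `null`, the `=== 'undefined'` branch never runs and no `X-CSRF-TOKEN` header is sent even though the meta tag holds a token. A truthiness test covers both conventions. Separately, `$.ajaxSetup` here mutates jQuery's global defaults from inside a per-upload call, so the header leaks into every later `$.ajax` on the page; since `xhrOptions` is the object handed to `mw.jqxhr`, putting `headers` on it keeps the token scoped to this request, assuming `mw.jqxhr` forwards its options to `$.ajax` as the `dataType`/`xhr` keys suggest. The commented-out `setRequestHeader` and `alert` lines are leftover debugging and should be removed. The enclosing function starts outside the hunk.
```javascript
// … unchanged: xhrOptions definition (url, type, dataType, xhr, …) …
var theToken = mw.cookie.get("XSRF-TOKEN") || mw.top().$('meta[name="csrf-token"]').attr('content');
if (theToken) {
    xhrOptions.headers = { 'X-CSRF-TOKEN': theToken };
}
return mw.jqxhr(xhrOptions);
```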