

update
peter-mw committed Jun 27, 2022
1 parent 747b152 commit e49d792
Showing 5 changed files with 64 additions and 97 deletions.
96 changes: 27 additions & 69 deletions src/MicroweberPackages/App/Http/Middleware/VerifyCsrfToken.php
Expand Up @@ -12,20 +12,16 @@
class VerifyCsrfToken extends Middleware
{
/**
* Add the CSRF token to the response cookies.
* The URIs that should be excluded from CSRF verification.
*
* @param \Illuminate\Http\Request $request
* @param \Symfony\Component\HttpFoundation\Response $response
* @return \Symfony\Component\HttpFoundation\Response
* @var array
*/
protected function addCookieToResponse($request, $response)
{
if(!is_object($response)){
return;
}
protected $except = [
//
];



return parent::addCookieToResponse($request, $response);
}

/**
* Handle an incoming request.
Expand All @@ -39,78 +35,40 @@ protected function addCookieToResponse($request, $response)
public function handle($request, \Closure $next)
{


$token = $this->getTokenFromRequest($request);
dd($token);
exit;

if (
$this->isReading($request) ||
$this->runningUnitTests() ||
$this->inExceptArray($request) ||
$this->tokensMatch($request)
) {
return tap($next($request), function ($response) use ($request) {
if ($this->shouldAddXsrfTokenCookie()) {
$this->addCookieToResponse($request, $response);
}
});
try {
return parent::handle($request, $next);
} catch (TokenMismatchException $e) {
return abort(403, 'Unauthorized action. The CSRF token is invalid.');
} catch (DecryptException $e) {
return abort(403, 'Unauthorized action. The CSRF token payload is invalid or not encrypted.');
}


throw new TokenMismatchException('CSRF token mismatch.');
}
}



/**
* Determine if the session and input CSRF tokens match.
* Add the CSRF token to the response cookies.
*
* @param \Illuminate\Http\Request $request
* @return bool
* @param \Illuminate\Http\Request $request
* @param \Symfony\Component\HttpFoundation\Response $response
* @return \Symfony\Component\HttpFoundation\Response
*/
protected function tokensMatch($request)
protected function addCookieToResponse($request, $response)
{
if (!is_object($response)) {
return;
}

$token = $this->getTokenFromRequest($request);


return is_string($request->session()->token()) &&
is_string($token) &&
hash_equals($request->session()->token(), $token);
return parent::addCookieToResponse($request, $response);
}


public function forceAddAddXsrfTokenCookie($request, $response)
{
return $this->addCookieToResponse($request, $response);
}


/**
* Get the CSRF token from the request.
*
* @param \Illuminate\Http\Request $request
* @return string
*/
protected function getTokenFromRequest($request)
{
$token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
try {
$token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
} catch (DecryptException $e) {
$token = '';
}
} else {
$token = CookieValuePrefix::remove($this->encrypter->decrypt( $request->header('X-CSRF-TOKEN'), static::serialized()));
}

return $token;
}
/**
* The URIs that should be excluded from CSRF verification.
*
* @var array
*/
protected $except = [
//
];
}
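Review bot: `addCookieToResponse` returns `null` when `$response` is not an object (the bare `return;` at the top of the method), while the docblock promises a Response and `forceAddAddXsrfTokenCookie` — which the `csrf` route in web.php returns directly — passes that value straight through; `return $response;` keeps the documented contract. In `handle`, `abort()` throws an HttpException and never returns, so the `return` in `return abort(403, ...)` is dead code; note too that the framework's own middleware reports a CSRF mismatch as 419, so the 403 is a behavior change any front-end keying on the status code would notice. Whether the `catch (DecryptException $e)` branch is reachable is unclear: if the parent's `getTokenFromRequest` already swallows decryption failures (recent framework versions do), that catch never fires, and a short comment stating the intent either way would help. `forceAddAddXsrfTokenCookie` is new public API with a doubled "Add" in its name and no docblock; consider `/** Public entry point so a route can set the XSRF-TOKEN cookie outside the middleware pipeline. */` and a corrected name before more callers accrue. The `use` statements for `TokenMismatchException` and `DecryptException` are outside the hunk, so I cannot confirm they are imported.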
14 changes: 12 additions & 2 deletions src/MicroweberPackages/App/routes/web.php
Expand Up @@ -125,6 +125,7 @@ function migrateLanguages()
});
*/


Route::group([
//'middleware' => \MicroweberPackages\App\Http\Middleware\SessionlessMiddleware::class,
'namespace' => '\MicroweberPackages\App\Http\Controllers'
Expand Down Expand Up @@ -155,10 +156,19 @@ function migrateLanguages()
event_trigger('mw.csrf.ajax_request');
}
$headers = ['Cache-Control' => 'no-cache, no-store, must-revalidate'];
return response()->json(['token' => csrf_token()], 200, $headers);
$response = response()->json(
['time' =>time()], 200, $headers
);
$request = request();
$middleware = app()->make(\MicroweberPackages\App\Http\Middleware\VerifyCsrfToken::class);
return $middleware->forceAddAddXsrfTokenCookie($request,$response);


})->middleware([
\MicroweberPackages\App\Http\Middleware\SameSiteRefererMiddleware::class,
\MicroweberPackages\App\Http\Middleware\IsAjaxMiddleware::class
\MicroweberPackages\App\Http\Middleware\IsAjaxMiddleware::class,
\MicroweberPackages\App\Http\Middleware\EncryptCookies::class,

])->name('csrf');


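Review bot: The route now relies on `EncryptCookies` being applied exactly once: if the `web` middleware group already includes it (the framework default), adding it again at the route level may encrypt the XSRF-TOKEN cookie a second time, and the browser-side reader in csrf.js would never obtain a usable value — worth confirming against the HTTP kernel before merging. The body `['time' => time()]` replaces the previous `['token' => csrf_token()]`, so any consumer of `data.token` other than the two JS files touched in this commit will now read `undefined`; a comment such as `// the token is delivered via the XSRF-TOKEN cookie, not the body` next to the response would make the new contract visible. `forceAddAddXsrfTokenCookie` has a doubled "Add" in its name and this call site cements it. `$request = request();` discards any `$request` the closure may already receive; the closure signature is outside the hunk, so I cannot tell whether one is injected.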
6 changes: 1 addition & 5 deletions src/MicroweberPackages/Module/routes/web.php
Expand Up @@ -9,13 +9,9 @@
Route::group(['namespace' => '\MicroweberPackages\Module\Http\Controllers'], function () {

Route::post('/plupload', 'ModuleController@plupload')->middleware([
// \MicroweberPackages\App\Http\Middleware\VerifyCsrfToken::class,
\MicroweberPackages\App\Http\Middleware\VerifyCsrfToken::class,
\MicroweberPackages\App\Http\Middleware\SameSiteRefererMiddleware::class,
\MicroweberPackages\App\Http\Middleware\IsAjaxMiddleware::class
]);
// Route::any('plupload/{all}', array('as' => 'plupload', 'uses' => 'ModuleController@plupload'))->where('all', '.*');

//Route::any('/module/', 'ModuleController@index');
//Route::any('module/{all}', array('as' => 'module', 'uses' => 'ModuleController@index'))->where('all', '.*');

});
Expand Up @@ -4,37 +4,41 @@ $(document).ready(function () {
return;
}


if ($('meta[name="csrf-token"]').length === 0) {
$("head").append("<meta name=csrf-token />");
}
var _csrf_from_local_storage = null;

var tokenFromCookie = mw.cookie.get("XSRF-TOKEN");

var _csrf_from_cookie = null;

var tokenFromCookie = mw.cookie.get("XSRF-TOKEN");

if (tokenFromCookie) {
_csrf_from_local_storage = tokenFromCookie;

_csrf_from_cookie = tokenFromCookie;
}

if (_csrf_from_local_storage) {
$('meta[name="csrf-token"]').attr('content', _csrf_from_local_storage);
$.ajaxSetup({
headers: {
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
}
});
return;
} else {

if (!_csrf_from_cookie) {
setTimeout(function () {
$.post(route('csrf'), function (data) {
$('meta[name="csrf-token"]').attr('content', data.token);
var _csrf_from_local_storage = mw.cookie.get("XSRF-TOKEN");
if (_csrf_from_local_storage) {
$('meta[name="csrf-token"]').attr('content',tokenFromCookie);
}
$.ajaxSetup({
headers: {
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
}
});

});
}, 1337);
} else {
$('meta[name="csrf-token"]').attr('content', _csrf_from_cookie);
$.ajaxSetup({
headers: {
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
}
});
}

});
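Review bot: In the `$.post` callback the meta tag is filled from `tokenFromCookie` — the outer variable captured before the request, which was falsy (that is why this branch ran) — instead of the freshly read `_csrf_from_local_storage`; the line should be `$('meta[name="csrf-token"]').attr('content', _csrf_from_local_storage);`. As written the meta content stays empty and `$.ajaxSetup` installs an empty `X-CSRF-TOKEN` header, so every subsequent POST fails verification. Separately, if the XSRF-TOKEN cookie is encrypted (this commit adds `EncryptCookies` to the `csrf` route), its raw value is only meaningful in the `X-XSRF-TOKEN` header, which the framework decrypts; `X-CSRF-TOKEN` is compared as plaintext against the session token and would not match — this applies to the `$.ajaxSetup` calls here and to the one in uploader.js. The name `_csrf_from_local_storage` is misleading since no localStorage is involved; `_csrf_from_cookie_retry` or similar would read honestly. The `$(document).ready` handler starts outside the hunk.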

7 changes: 3 additions & 4 deletions userfiles/modules/microweber/api/uploader.js
Expand Up @@ -414,17 +414,16 @@
if(typeof tokenFromCookie !== 'undefined') {
theToken = tokenFromCookie;
}

if(typeof tokenFromCookie === 'undefined') {
//
var token=mw.top().$('meta[name="csrf-token"]').attr('content');
if(token){
theToken = token;
}

//xhrOptions.xhr.setRequestHeader('X-CSRF-TOKEN',token );
// alert(mw.top().$('meta[name="csrf-token"]').attr('content'))
}

if (theToken) {

$.ajaxSetup({
headers: {
'X-CSRF-TOKEN': theToken

