From e49d79227ef905b3fc17959dab5b2d5ec4deadfc Mon Sep 17 00:00:00 2001 From: Peter Ivanov Date: Mon, 27 Jun 2022 22:49:59 +0300 Subject: [PATCH] update --- .../App/Http/Middleware/VerifyCsrfToken.php | 96 ++++++------------- src/MicroweberPackages/App/routes/web.php | 14 ++- src/MicroweberPackages/Module/routes/web.php | 6 +- ...CsrfTokenRequestInlineJsScriptGenerator.js | 38 ++++---- userfiles/modules/microweber/api/uploader.js | 7 +- 5 files changed, 64 insertions(+), 97 deletions(-) diff --git a/src/MicroweberPackages/App/Http/Middleware/VerifyCsrfToken.php b/src/MicroweberPackages/App/Http/Middleware/VerifyCsrfToken.php index 54e53f6fd01..adf92395a0d 100644 --- a/src/MicroweberPackages/App/Http/Middleware/VerifyCsrfToken.php +++ b/src/MicroweberPackages/App/Http/Middleware/VerifyCsrfToken.php @@ -12,20 +12,16 @@ class VerifyCsrfToken extends Middleware { /** - * Add the CSRF token to the response cookies. + * The URIs that should be excluded from CSRF verification. * - * @param \Illuminate\Http\Request $request - * @param \Symfony\Component\HttpFoundation\Response $response - * @return \Symfony\Component\HttpFoundation\Response + * @var array */ - protected function addCookieToResponse($request, $response) - { - if(!is_object($response)){ - return; - } + protected $except = [ + // + ]; + + - return parent::addCookieToResponse($request, $response); - } /** * Handle an incoming request. 
@@ -39,78 +35,40 @@ protected function addCookieToResponse($request, $response) public function handle($request, \Closure $next) { - - $token = $this->getTokenFromRequest($request); - dd($token); -exit; - - if ( - $this->isReading($request) || - $this->runningUnitTests() || - $this->inExceptArray($request) || - $this->tokensMatch($request) - ) { - return tap($next($request), function ($response) use ($request) { - if ($this->shouldAddXsrfTokenCookie()) { - $this->addCookieToResponse($request, $response); - } - }); + try { + return parent::handle($request, $next); + } catch (TokenMismatchException $e) { + return abort(403, 'Unauthorized action. The CSRF token is invalid.'); + } catch (DecryptException $e) { + return abort(403, 'Unauthorized action. The CSRF token payload is invalid or not encrypted.'); } - - throw new TokenMismatchException('CSRF token mismatch.'); - } + } /** - * Determine if the session and input CSRF tokens match. + * Add the CSRF token to the response cookies. * - * @param \Illuminate\Http\Request $request - * @return bool + * @param \Illuminate\Http\Request $request + * @param \Symfony\Component\HttpFoundation\Response $response + * @return \Symfony\Component\HttpFoundation\Response */ - protected function tokensMatch($request) + protected function addCookieToResponse($request, $response) { + if (!is_object($response)) { + return; + } - $token = $this->getTokenFromRequest($request); - - - return is_string($request->session()->token()) && - is_string($token) && - hash_equals($request->session()->token(), $token); + return parent::addCookieToResponse($request, $response); } + public function forceAddAddXsrfTokenCookie($request, $response) + { + return $this->addCookieToResponse($request, $response); + } - /** - * Get the CSRF token from the request. 
- * - * @param \Illuminate\Http\Request $request - * @return string - */ - protected function getTokenFromRequest($request) - { - $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN'); - - if (! $token && $header = $request->header('X-XSRF-TOKEN')) { - try { - $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized())); - } catch (DecryptException $e) { - $token = ''; - } - } else { - $token = CookieValuePrefix::remove($this->encrypter->decrypt( $request->header('X-CSRF-TOKEN'), static::serialized())); - } - return $token; - } - /** - * The URIs that should be excluded from CSRF verification. - * - * @var array - */ - protected $except = [ - // - ]; } diff --git a/src/MicroweberPackages/App/routes/web.php b/src/MicroweberPackages/App/routes/web.php index d1bda58accf..747be81e3fb 100644 --- a/src/MicroweberPackages/App/routes/web.php +++ b/src/MicroweberPackages/App/routes/web.php @@ -125,6 +125,7 @@ function migrateLanguages() }); */ + Route::group([ //'middleware' => \MicroweberPackages\App\Http\Middleware\SessionlessMiddleware::class, 'namespace' => '\MicroweberPackages\App\Http\Controllers' @@ -155,10 +156,19 @@ function migrateLanguages() event_trigger('mw.csrf.ajax_request'); } $headers = ['Cache-Control' => 'no-cache, no-store, must-revalidate']; - return response()->json(['token' => csrf_token()], 200, $headers); + $response = response()->json( + ['time' =>time()], 200, $headers + ); + $request = request(); + $middleware = app()->make(\MicroweberPackages\App\Http\Middleware\VerifyCsrfToken::class); + return $middleware->forceAddAddXsrfTokenCookie($request,$response); + + })->middleware([ \MicroweberPackages\App\Http\Middleware\SameSiteRefererMiddleware::class, - \MicroweberPackages\App\Http\Middleware\IsAjaxMiddleware::class + \MicroweberPackages\App\Http\Middleware\IsAjaxMiddleware::class, + \MicroweberPackages\App\Http\Middleware\EncryptCookies::class, + ])->name('csrf'); 
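Review bot: The try/catch in the new handle() wraps parent::handle($request, $next), so it also catches TokenMismatchException and DecryptException raised anywhere downstream in the pipeline — a DecryptException thrown by a controller decrypting an unrelated payload would surface as "The CSRF token payload is invalid" with a 403, and Laravel's own getTokenFromRequest() already swallows DecryptException for the X-XSRF-TOKEN header, so that catch adds nothing at the check itself. Run the verification before delegating so the 403 covers only the token check, and drop the `return` before abort() since abort() throws and never returns. Note this also changes the status from Laravel's usual 419 for a token mismatch to 403; confirm the front-end callers expect that. The public forceAddAddXsrfTokenCookie() (doubled "Add" in the name) bypasses the parent's shouldAddXsrfTokenCookie() gate, which is presumably intended for the /csrf route but deserves a one-line comment saying so.
```php
    public function handle($request, \Closure $next)
    {
        // Verify before entering the pipeline so the 403 covers only the token
        // check, not exceptions raised by downstream middleware or controllers.
        if (! $this->isReading($request)
            && ! $this->runningUnitTests()
            && ! $this->inExceptArray($request)
            && ! $this->tokensMatch($request)) {
            abort(403, 'Unauthorized action. The CSRF token is invalid.');
        }

        return parent::handle($request, $next);
    }
    // … unchanged: addCookieToResponse, forceAddAddXsrfTokenCookie …
```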
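Review bot: The /csrf handler now returns `['time' => time()]` and delivers the token only via the XSRF-TOKEN cookie, but nothing documents that contract for clients that previously read `data.token`; add `// The token is issued as the XSRF-TOKEN cookie by forceAddAddXsrfTokenCookie(); the JSON body is intentionally token-free.` above the `$response = ...` line. Resolving VerifyCsrfToken from the container and calling forceAddAddXsrfTokenCookie() skips the parent's shouldAddXsrfTokenCookie() check, so the cookie is issued here regardless of the middleware's addHttpCookie flag — presumably intended, but worth stating. The middleware's override returns null when `$response` is not an object, which is harmless here since response()->json() always yields an object, but a future change to the body would silently turn the route into a null response.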
diff --git a/src/MicroweberPackages/Module/routes/web.php b/src/MicroweberPackages/Module/routes/web.php index eabdb9645dc..bae67344377 100644 --- a/src/MicroweberPackages/Module/routes/web.php +++ b/src/MicroweberPackages/Module/routes/web.php @@ -9,13 +9,9 @@ Route::group(['namespace' => '\MicroweberPackages\Module\Http\Controllers'], function () { Route::post('/plupload', 'ModuleController@plupload')->middleware([ - // \MicroweberPackages\App\Http\Middleware\VerifyCsrfToken::class, + \MicroweberPackages\App\Http\Middleware\VerifyCsrfToken::class, \MicroweberPackages\App\Http\Middleware\SameSiteRefererMiddleware::class, \MicroweberPackages\App\Http\Middleware\IsAjaxMiddleware::class ]); - // Route::any('plupload/{all}', array('as' => 'plupload', 'uses' => 'ModuleController@plupload'))->where('all', '.*'); - - //Route::any('/module/', 'ModuleController@index'); - //Route::any('module/{all}', array('as' => 'module', 'uses' => 'ModuleController@index'))->where('all', '.*'); }); diff --git a/src/MicroweberPackages/Template/Adapters/RenderHelpers/CsrfTokenRequestInlineJsScriptGenerator.js b/src/MicroweberPackages/Template/Adapters/RenderHelpers/CsrfTokenRequestInlineJsScriptGenerator.js index 339770967e5..aaeb48a2d2b 100644 --- a/src/MicroweberPackages/Template/Adapters/RenderHelpers/CsrfTokenRequestInlineJsScriptGenerator.js +++ b/src/MicroweberPackages/Template/Adapters/RenderHelpers/CsrfTokenRequestInlineJsScriptGenerator.js 
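Review bot: Re-enabling VerifyCsrfToken on /plupload means the inherited tokensMatch() reads `$request->session()->token()`, and if this route does not run the session middleware the upload will fail with a session exception rather than a clean 403; the App routes file in this same commit has a commented-out SessionlessMiddleware on the csrf group, which suggests session handling is configured per route here, so confirm StartSession precedes VerifyCsrfToken for this route. A short comment on the middleware line, `// requires an active session: VerifyCsrfToken compares against session()->token()`, would save the next reader the same check.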
@@ -4,37 +4,41 @@ $(document).ready(function () { return; } - if ($('meta[name="csrf-token"]').length === 0) { $("head").append(""); } - var _csrf_from_local_storage = null; - - var tokenFromCookie = mw.cookie.get("XSRF-TOKEN"); + var _csrf_from_cookie = null; + var tokenFromCookie = mw.cookie.get("XSRF-TOKEN"); if (tokenFromCookie) { - _csrf_from_local_storage = tokenFromCookie; - + _csrf_from_cookie = tokenFromCookie; } - if (_csrf_from_local_storage) { - $('meta[name="csrf-token"]').attr('content', _csrf_from_local_storage); - $.ajaxSetup({ - headers: { - 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') - } - }); - return; - } else { - + if (!_csrf_from_cookie) { setTimeout(function () { $.post(route('csrf'), function (data) { - $('meta[name="csrf-token"]').attr('content', data.token); + var _csrf_from_local_storage = mw.cookie.get("XSRF-TOKEN"); + if (_csrf_from_local_storage) { + $('meta[name="csrf-token"]').attr('content',tokenFromCookie); + } + $.ajaxSetup({ + headers: { + 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') + } + }); }); }, 1337); + } else { + $('meta[name="csrf-token"]').attr('content', _csrf_from_cookie); + $.ajaxSetup({ + headers: { + 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') + } + }); } + }); diff --git a/userfiles/modules/microweber/api/uploader.js b/userfiles/modules/microweber/api/uploader.js index 7d99774951e..f65685ac196 100644 --- a/userfiles/modules/microweber/api/uploader.js +++ b/userfiles/modules/microweber/api/uploader.js @@ -414,17 +414,16 @@ if(typeof tokenFromCookie !== 'undefined') { theToken = tokenFromCookie; } + if(typeof tokenFromCookie === 'undefined') { - // var token=mw.top().$('meta[name="csrf-token"]').attr('content'); if(token){ theToken = token; } - - //xhrOptions.xhr.setRequestHeader('X-CSRF-TOKEN',token ); - // alert(mw.top().$('meta[name="csrf-token"]').attr('content')) } + if (theToken) { + $.ajaxSetup({ headers: { 'X-CSRF-TOKEN': theToken
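Review bot: Inside the `$.post(route('csrf'), ...)` callback the meta tag is set from `tokenFromCookie`, which is the stale outer value that was falsy (that is why this branch ran), instead of the freshly read `_csrf_from_local_storage`; change it to `$('meta[name="csrf-token"]').attr('content', _csrf_from_local_storage);`. Separately, the cookie value is sent as the `X-CSRF-TOKEN` header, which Laravel's VerifyCsrfToken compares raw against the session token, whereas only `X-XSRF-TOKEN` is decrypted and prefix-stripped — since this commit adds EncryptCookies to the /csrf route, the XSRF-TOKEN cookie is presumably the encrypted form and will never match as X-CSRF-TOKEN, so send it as `'X-XSRF-TOKEN': decodeURIComponent(_csrf_from_cookie)` (the browser URL-encodes the cookie value) or confirm the cookie is plaintext. The `_csrf_from_cookie` variable duplicates `tokenFromCookie` and the `$.ajaxSetup` block is repeated in both branches; a single setup after the branch would read more clearly.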