github-mirror/framework
2
0
Fork 0
mirror of https://github.com/flarum/framework.git synced 2024-11-30 13:36:10 +08:00
Code Issues Actions 26 Packages Projects Releases Wiki Activity

Bypass CSRF token check when using access tokens

Browse Source 
Fixes #1828.
This commit is contained in:
Franz Liedke 2019-08-01 22:53:31 +02:00
parent 51b33c8cab
commit 2fc2cd5863
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
framework/core/src/Http/Middleware/AuthenticateWithHeader.php
View File

@ -41,7 +41,6 @@ class AuthenticateWithHeader implements Middleware
$request = $request->withAttribute('apiKey', $key); $request = $request->withAttribute('apiKey', $key);
$request = $request->withAttribute('bypassFloodgate', true); $request = $request->withAttribute('bypassFloodgate', true);
$request = $request->withAttribute('bypassCsrfToken', true);
} elseif ($token = AccessToken::find($id)) { } elseif ($token = AccessToken::find($id)) {
$token->touch(); $token->touch();
@ -50,6 +49,7 @@ class AuthenticateWithHeader implements Middleware
if (isset($actor)) { if (isset($actor)) {
$request = $request->withAttribute('actor', $actor); $request = $request->withAttribute('actor', $actor);
$request = $request->withAttribute('bypassCsrfToken', true);
$request = $request->withoutAttribute('session'); $request = $request->withoutAttribute('session');
} }
} }

30
framework/core/tests/integration/api/csrf_protection/RequireCsrfTokenTest.php
View File

@ -190,4 +190,34 @@ class RequireCsrfTokenTest extends TestCase
$this->database()->table('settings')->where('key', 'csrf_test')->first()->value $this->database()->table('settings')->where('key', 'csrf_test')->first()->value
); );
} }
/**
* @test
*/
public function access_token_does_not_need_csrf_token()
{
$this->database()->table('access_tokens')->insert(
['token' => 'myaccesstoken', 'user_id' => 1]
);
$response = $this->send(
$this->request(
'POST', '/api/settings',
[
'json' => ['csrf_test' => 2],
]
)->withHeader('Authorization', 'Token myaccesstoken')
);
// Successful response?
$this->assertEquals(204, $response->getStatusCode());
// Was the setting actually changed in the database?
$this->assertEquals(
2,
$this->database()->table('settings')->where('key', 'csrf_test')->first()->value
);
$this->database()->table('access_tokens')->where('token', 'myaccesstoken')->delete();
}
} }