mirror of
https://github.com/flarum/framework.git
synced 2024-11-27 11:03:37 +08:00
Accept CSRF token in request body as well
This commit is contained in:
parent
5d64056e89
commit
7f7484e790
|
@ -39,7 +39,8 @@ class CheckCsrfToken implements Middleware
|
|||
private function tokensMatch(Request $request): bool
|
||||
{
|
||||
$expected = (string) $request->getAttribute('session')->token();
|
||||
$provided = $request->getHeaderLine('X-CSRF-Token'); // TODO: Use form field, if provided
|
||||
$provided = $request->getParsedBody()['csrfToken'] ??
|
||||
$request->getHeaderLine('X-CSRF-Token');
|
||||
|
||||
return hash_equals($expected, $provided);
|
||||
}
|
||||
|
|
|
@ -97,7 +97,7 @@ class RequireCsrfTokenTest extends TestCase
|
|||
/**
|
||||
* @test
|
||||
*/
|
||||
public function cookie_auth_succeeds_with_csrf_token()
|
||||
public function cookie_auth_succeeds_with_csrf_token_in_header()
|
||||
{
|
||||
$initial = $this->server->handle(
|
||||
(new ServerRequest([], [], '/', 'GET'))
|
||||
|
@ -155,6 +155,65 @@ class RequireCsrfTokenTest extends TestCase
|
|||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @test
|
||||
*/
|
||||
public function cookie_auth_succeeds_with_csrf_token_in_body()
|
||||
{
|
||||
$initial = $this->server->handle(
|
||||
(new ServerRequest([], [], '/', 'GET'))
|
||||
);
|
||||
|
||||
$token = $initial->getHeaderLine('X-CSRF-Token');
|
||||
$cookies = array_reduce(
|
||||
$initial->getHeader('Set-Cookie'),
|
||||
function ($memo, $setCookieString) {
|
||||
$setCookie = SetCookie::fromSetCookieString($setCookieString);
|
||||
$memo[$setCookie->getName()] = $setCookie->getValue();
|
||||
return $memo;
|
||||
},
|
||||
[]
|
||||
);
|
||||
|
||||
$auth = $this->server->handle(
|
||||
(new ServerRequest([], [], '/login', 'POST'))
|
||||
->withBody(new CallbackStream(function () use ($token) {
|
||||
return '{"identification": "admin", "password": "password", "csrfToken": "'.$token.'"}';
|
||||
}))
|
||||
->withCookieParams($cookies)
|
||||
->withHeader('Content-Type', 'application/json')
|
||||
);
|
||||
|
||||
$token = $auth->getHeaderLine('X-CSRF-Token');
|
||||
$cookies = array_reduce(
|
||||
$auth->getHeader('Set-Cookie'),
|
||||
function ($memo, $setCookieString) {
|
||||
$setCookie = SetCookie::fromSetCookieString($setCookieString);
|
||||
$memo[$setCookie->getName()] = $setCookie->getValue();
|
||||
return $memo;
|
||||
},
|
||||
[]
|
||||
);
|
||||
|
||||
$response = $this->server->handle(
|
||||
(new ServerRequest([], [], '/api/settings', 'POST'))
|
||||
->withBody(new CallbackStream(function () use ($token) {
|
||||
return '{"mail_driver": "log", "csrfToken": "'.$token.'"}';
|
||||
}))
|
||||
->withCookieParams($cookies)
|
||||
->withHeader('Content-Type', 'application/json')
|
||||
);
|
||||
|
||||
// Successful response?
|
||||
$this->assertEquals(204, $response->getStatusCode());
|
||||
|
||||
// Was the setting actually changed in the database?
|
||||
$this->assertEquals(
|
||||
'log',
|
||||
$this->database()->table('settings')->where('key', 'mail_driver')->first()->value
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @test
|
||||
*/
|
||||
|
|
Loading…
Reference in New Issue
Block a user