github-mirror/framework
2
0
Fork 0
mirror of https://github.com/flarum/framework.git synced 2025-02-02 11:59:47 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Remove deprecated CSRF wildcard path match

Browse Source
This commit is contained in:
Alexander Skvortsov 2021-01-19 19:09:06 -05:00
parent 4561f56fb9
commit a10da427ff
3 changed files with 1 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/Extend/Csrf.php
View File

@ -28,18 +28,6 @@ class Csrf implements ExtenderInterface
return $this; return $this;
} }
/**
* Exempt a path from csrf checks. Wildcards are supported.
*
* @deprecated beta 15, remove beta 16. Exempt routes should be used instead.
*/
public function exemptPath(string $path)
{
$this->csrfExemptRoutes[] = $path;
return $this;
}
public function extend(Container $container, Extension $extension = null) public function extend(Container $container, Extension $extension = null)
{ {
$container->extend('flarum.http.csrfExemptPaths', function ($existingExemptPaths) { $container->extend('flarum.http.csrfExemptPaths', function ($existingExemptPaths) {

6
src/Http/Middleware/CheckCsrfToken.php
View File

@ -26,12 +26,8 @@ class CheckCsrfToken implements Middleware
public function process(Request $request, Handler $handler): Response public function process(Request $request, Handler $handler): Response
{ {
$path = $request->getAttribute('originalUri')->getPath();
foreach ($this->exemptRoutes as $exemptRoute) { foreach ($this->exemptRoutes as $exemptRoute) {
/** if ($exemptRoute === $request->getAttribute('routeName')) {
* @deprecated path match should be removed in beta 16, only route name match should be supported.
*/
if ($exemptRoute === $request->getAttribute('routeName') || fnmatch($exemptRoute, $path)) {
return $handler->handle($request); return $handler->handle($request);
} }
} }

48
tests/integration/extenders/CsrfTest.php
View File

@ -41,38 +41,8 @@ class CsrfTest extends TestCase
/** /**
* @test * @test
* @deprecated
*/ */
public function create_user_post_doesnt_need_csrf_token_if_whitelisted() public function create_user_post_doesnt_need_csrf_token_if_whitelisted()
{
$this->extend(
(new Extend\Csrf)
->exemptPath('/api/users')
);
$response = $this->send(
$this->request('POST', '/api/users', [
'json' => [
'data' => [
'attributes' => $this->testUser
]
],
])
);
$this->assertEquals(201, $response->getStatusCode());
$user = User::where('username', $this->testUser['username'])->firstOrFail();
$this->assertEquals(0, $user->is_email_confirmed);
$this->assertEquals($this->testUser['username'], $user->username);
$this->assertEquals($this->testUser['email'], $user->email);
}
/**
* @test
*/
public function create_user_post_doesnt_need_csrf_token_if_whitelisted_via_routename()
{ {
$this->extend( $this->extend(
(new Extend\Csrf) (new Extend\Csrf)
@ -97,22 +67,4 @@ class CsrfTest extends TestCase
$this->assertEquals($this->testUser['username'], $user->username); $this->assertEquals($this->testUser['username'], $user->username);
$this->assertEquals($this->testUser['email'], $user->email); $this->assertEquals($this->testUser['email'], $user->email);
} }
/**
* @test
* @deprecated
*/
public function csrf_matches_wildcards_properly()
{
$this->extend(
(new Extend\Csrf)
->exemptPath('/api/fake/*/up')
);
$response = $this->send(
$this->request('POST', '/api/fake/route/i/made/up')
);
$this->assertEquals(404, $response->getStatusCode());
}
} }