diff --git a/framework/core/src/Http/Middleware/AuthenticateWithHeader.php b/framework/core/src/Http/Middleware/AuthenticateWithHeader.php
index 87f5bb51b..512f90101 100644
--- a/framework/core/src/Http/Middleware/AuthenticateWithHeader.php
+++ b/framework/core/src/Http/Middleware/AuthenticateWithHeader.php
@@ -40,12 +40,11 @@ class AuthenticateWithHeader implements Middleware
 $request = $request->withAttribute('apiKey', $key);
 $request = $request->withAttribute('bypassFloodgate', true);
+ $request = $request->withAttribute('bypassCsrfToken', true);
 } elseif ($token = AccessToken::find($id)) {
 $token->touch();
 $actor = $token->user;
-
- $request = $request->withAttribute('bypassCsrfToken', true);
 }
 if (isset($actor)) {
diff --git a/framework/core/src/Http/Middleware/CheckCsrfToken.php b/framework/core/src/Http/Middleware/CheckCsrfToken.php
index 0d22ba340..d2b2d6da8 100644
--- a/framework/core/src/Http/Middleware/CheckCsrfToken.php
+++ b/framework/core/src/Http/Middleware/CheckCsrfToken.php
@@ -39,6 +39,7 @@ class CheckCsrfToken implements Middleware
 private function tokensMatch(Request $request): bool
 {
 $expected = (string) $request->getAttribute('session')->token();
+ $provided = $request->getParsedBody()['csrfToken'] ?? $request->getHeaderLine('X-CSRF-Token');
diff --git a/framework/core/src/Http/Middleware/StartSession.php b/framework/core/src/Http/Middleware/StartSession.php
index f5aee1573..4b4678b11 100644
--- a/framework/core/src/Http/Middleware/StartSession.php
+++ b/framework/core/src/Http/Middleware/StartSession.php
@@ -67,7 +67,7 @@ class StartSession implements Middleware
 return $this->withSessionCookie($response, $session);
 }
- private function makeSession(Request $request)
+ private function makeSession(Request $request): Store
 {
 return new Store(
 $this->config['cookie'],
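Review bot: With `bypassCsrfToken` now set only in the ApiKey branch, an AccessToken-authenticated request falls through to CheckCsrfToken::tokensMatch, which in the next hunk dereferences `$request->getAttribute('session')` without a null check; if any path in this branch can reach the CSRF check after the session attribute has been dropped (not visible here), that becomes a fatal call on null instead of a clean rejection. A guard such as `$session = $request->getAttribute('session'); if ($session === null) { return false; }` ahead of the `$expected` line would fail closed. The new line also deserves a why-comment, e.g. `// Only API keys skip the CSRF check; access-token requests must present one`. The enclosing process() method starts and ends outside this hunk.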
@@ -76,12 +76,12 @@ class StartSession implements Middleware
 );
 }
- private function withCsrfTokenHeader(Response $response, Session $session)
+ private function withCsrfTokenHeader(Response $response, Session $session): Response
 {
 return $response->withHeader('X-CSRF-Token', $session->token());
 }
- private function withSessionCookie(Response $response, Session $session)
+ private function withSessionCookie(Response $response, Session $session): Response
 {
 return FigResponseCookies::set(
 $response,
@@ -89,7 +89,7 @@ class StartSession implements Middleware
 );
 }
- private function getSessionLifetimeInSeconds()
+ private function getSessionLifetimeInSeconds(): int
 {
 return $this->config['lifetime'] * 60;
 }
diff --git a/framework/core/tests/integration/api/csrf_protection/RequireCsrfTokenTest.php b/framework/core/tests/integration/api/csrf_protection/RequireCsrfTokenTest.php
index a3cbf4dd6..83980c6e1 100644
--- a/framework/core/tests/integration/api/csrf_protection/RequireCsrfTokenTest.php
+++ b/framework/core/tests/integration/api/csrf_protection/RequireCsrfTokenTest.php
@@ -36,11 +36,11 @@ class RequireCsrfTokenTest extends TestCase
 'group_permission' => [
 ['permission' => 'viewUserList', 'group_id' => 3],
 ],
- 'access_tokens' => [
- ['user_id' => 1, 'token' => 'superadmin', 'lifetime_seconds' => 30],
+ 'api_keys' => [
+ ['user_id' => 1, 'key' => 'superadmin'],
 ],
 'settings' => [
- ['key' => 'mail_driver', 'value' => 'smtp'],
+ ['key' => 'mail_driver', 'value' => 'mail'],
 ['key' => 'version', 'value' => Application::VERSION],
 ],
 ]);
diff --git a/framework/core/tests/integration/tmp/storage/.gitkeep b/framework/core/tests/integration/tmp/storage/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
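Review bot: Replacing the `access_tokens` fixture row with an `api_keys` row removes the only access-token data from this test, so nothing here exercises the behaviour the commit changes — an access-token request no longer setting `bypassCsrfToken` — and a regression in AuthenticateWithHeader would go unnoticed. Keeping an `access_tokens` row next to the new `api_keys` row and adding a case that sends an access-token-authenticated request without a CSRF token, asserting that it is rejected, would pin the fix. The `mail_driver` change from `'smtp'` to `'mail'` looks unrelated to CSRF; a one-line comment stating why it was needed would help, since the reason is not visible in the hunk. The array literal containing these rows starts before the hunk.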