CakeDC / mixer

A plugin to discover and manage CakePHP plugins.

Cross Site Request Forgery (CSRF) Problem #39

Open geraldurbas opened 6 years ago

geraldurbas commented 6 years ago

A solution found: https://stackoverflow.com/a/47718018 == avoid the CSRF token for the Mixer plugin

Add to src/Application.php:

```php
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
```

and to:

```php
public function middleware($middleware)
{
    // RoutingMiddleware must already be in the queue before this closure:
    // it is what populates the 'params' request attribute read below.
    $middleware->add(function (
        ServerRequestInterface $request,
        ResponseInterface $response,
        callable $next
    ) {
        $params = (array)$request->getAttribute('params');
        $controller = isset($params['controller']) ? $params['controller'] : null;

        // Apply CSRF protection to every request except those routed to the
        // Mixer controller. Note that this matches any controller named
        // "Mixer", not only the one shipped in the Mixer plugin.
        if ($controller !== 'Mixer') {
            $csrf = new CsrfProtectionMiddleware([
                'httpOnly' => true,
            ]);

            // This will invoke the CSRF middleware's `__invoke()` handler,
            // just like it would when being registered via `add()`.
            return $csrf($request, $response, $next);
        }

        return $next($request, $response);
    });

    // CakePHP 3.x expects middleware() to return the queue.
    return $middleware;
}
```

But maybe it's better to add CSRF support to the JSON requests for the latest Cake.
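The alternative raised in the comment above, keeping the CSRF middleware in place and making the plugin's JSON requests carry the token, as an added client-side example that is not part of this issue, the Mixer plugin or CakePHP itself. It assumes the CakePHP 3.5+ CsrfProtectionMiddleware defaults: a cookie named `csrfToken` is issued on the first request, and state-changing requests must echo its value in an `X-CSRF-Token` header (or a `_csrfToken` form field). The helper names, the sample cookie string and the route in the usage comment are constructed for the example.

```javascript
// Added example, not code from the Mixer plugin or CakePHP.
// CakePHP's CsrfProtectionMiddleware sets a "csrfToken" cookie and, on
// unsafe methods, compares it with the X-CSRF-Token header (double-submit
// cookie pattern). Reading the cookie from document.cookie and sending it
// back as a header lets a fetch()-based JSON request pass the check without
// excluding a whole controller from CSRF protection.

const CSRF_COOKIE = 'csrfToken';    // CakePHP default cookie name
const CSRF_HEADER = 'X-CSRF-Token'; // header the middleware accepts
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']); // never checked

// Parse a document.cookie style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Build fetch() options for a JSON request against a CakePHP app.
// Unsafe methods get the CSRF header; if the cookie is absent we fail
// locally instead of sending a request the middleware will reject (403).
function buildJsonRequest(method, body, cookieString) {
  const upper = String(method).toUpperCase();
  const headers = {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'X-Requested-With': 'XMLHttpRequest',
  };
  if (!SAFE_METHODS.has(upper)) {
    const token = parseCookies(cookieString)[CSRF_COOKIE];
    if (!token) {
      throw new Error(`missing ${CSRF_COOKIE} cookie; load a CakePHP page first`);
    }
    headers[CSRF_HEADER] = token;
  }
  return {
    method: upper,
    headers,
    credentials: 'same-origin', // send the csrfToken cookie along
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Browser usage (constructed; the route is hypothetical):
// fetch('/mixer/some-action', buildJsonRequest('POST', { name: 'x' }, document.cookie));
```

The token is only readable because `httpOnly` is left off for the `csrfToken` cookie in CakePHP's default configuration; the `'httpOnly' => true` setting used in the middleware snippet above would hide it from `document.cookie`, in which case the token has to be injected into the page by the server (for example into a meta tag) and read from there instead.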