CSRF Token

drtzack · April 19, 2015, 6:16pm

I am using Laravel and It pass CSRF_TOKEN as header. I can’t use webix_security because I am using json. So How to use CSRF_TOKEN with Laravel?

maksim · April 20, 2015, 9:41am

Hi,

It is possible to use “data proxy” to hide the details of CSRF token receiving and sending.

http://docs.webix.com/desktop__server_proxy.html#creatingcustomproxyobjects

Can you point please to related doc, how CSRF token is provided and how it must be sent back for Laravel backend?

drtzack · April 20, 2015, 4:31pm

Thank you. I defined X-XSRF-TOKEN header. It works.

in Webix

webix.ajax().headers({‘X-CSRF-TOKEN’: $(‘meta[name=“csrf-token”]’).attr(‘content’)});

In Laravel5

< meta name=“csrf-token” content="<?php echo csrf_token()?>" />

aeze · May 13, 2015, 12:52am

Is it possible to pass CSRF tokens on filemanager actions?

Maria · May 13, 2015, 1:15pm

Hello,

The existent version does not provide solution to add header.

But we will add a solution in the next build. The 5th parameter for onBeforeAjax handlers will be hash of request headers.

aeze · May 13, 2015, 2:01pm

Thanks for the response Maria. I guess I’ll have to wait. =)

Maria · May 13, 2015, 2:12pm

The build is planned to be released within the next 1-2 weeks. If you need the solution ASAP, please open a ticket in members’ area.

eBizo · December 26, 2017, 1:37pm

Hi, how can i add CSRF token to filemanager actions?

    webix.attachEvent("onBeforeAjax", function(mode, url, data, request, headers, files, promise){
        headers["X-CSRF-TOKEN"]= $('meta[name="csrf-token"]').attr('content');
    });

It works except downloading action.

maksim · January 18, 2018, 1:02pm

Downloading action navigates a browser to the target file, there is no ajax call here so extra headers can’t be added.

It possible to implement your own action, which will download file by ajax request, in which case the same onBeforeAjax event will work for header modification.

Michael · January 31, 2019, 1:52pm

Hello, I set a security plugin for cakephp and start loading over

webix.ajax().post(path+‘0’, object, …

object is a json object.

Also I have set:

webix.attachEvent(‘onBeforeAjax’,
function(mode, url, data, request, headers){
‘use strict’;
headers[‘X-CSRF-Token’] = <_Token>;
}
);

But I’ll get :

‘_Token’ was not found in request data.

or

‘_Token.fields’ was not found in request data.

this would be nessesary if I submit a form. But in most cases I just post json objects.

If you got an idea, please let me know.

Michael

maksim · January 31, 2019, 2:44pm

The onBeforeAjax handler must affect all ajax calls
You can use dev.tools to check the HTTP request headers, to be sure that valid token header is added to the request

Michael · February 1, 2019, 2:26pm

Hi maksim.

On html page I set :

<?= $this->request->getParam('_csrfToken') ?>

and in

webix.attachEvent(‘onBeforeAjax’,
function(mode, url, data, request, headers){
‘use strict’;
headers[‘X-CSRF-Token’] = $(’#csrfToken’).html();
}
);

but on:

webix.ajax().post(path, object, {})

I’ll get

‘_Token’ was not found in request data.

that meants this will interpreted as a form submit with a hidden field for _Token[fields]=!

Request header has X-CSRF-Token:

Response header got: HTTP/1.1 400 Bad Request

maksim · February 1, 2019, 3:11pm

If request has a valid token, than it must be some mis-configuration on the server side. ( be sure that token is exactly same, if token string has some special chars, they may be corrupted by HTML parser )

Michael · February 5, 2019, 8:43am

Thank you maksim.

One example with a login form:
I come along with this csrf-token for a formbuilder in cakephp I’ll get this
on submit to server I’ll get this:
email: test@ema.il
password: test1234
_Token[fields]: 55e5bf45c46dcd370a9fc1cda0de12a55356345a%3A
_Token[unlocked]:
_Token[debug]: %5B%22%5C%2FUsers%5C%2Flogin%22%2C%5B%22email%22%2C%22password%22%5D%2C%5B%5D%5D

automatic in a form. The Token will be checked on server side but on sending json I should always send this Token with the json. How can I add this Token always with a json object?

Does it as something to do with JSON Web Token?

THank you for any hint

Michael

maksim · February 6, 2019, 4:41pm

You can use the same onBeforeAjax event, third parameter is the post payload ( hash of keys, or json object ) which can be altered similar to he headers.

Michael · February 11, 2019, 2:17pm

Hello.

Thank you maksim. The problem is middleware provides security formbuilder functionality. means every form build with cakephp (or symfony) gets this _Token[fields] etc… but when building a webix form there is no such security build in. So I have to add this afterwards. Is there a possibility to send this security Token also with webix formbuilder?

Thank you
Michael