add ajax call for getting csfr token

2025-12-13 07:45:54 +00:00 · 2021-02-16 08:57:24 +00:00 · 2021-02-16 08:57:24 +00:00 · 138ad755a2
commit 138ad755a2
parent b782d0f3ab
2 changed files with 40 additions and 1 deletions
--- a/config/routes.php
+++ b/config/routes.php
@ -58,6 +58,9 @@ Router::scope('/', function (RouteBuilder $routes) {
        // Skip token check for API URLs.
      //die($request->getParam('controller'));
        $whitelist = ['JsonRequestHandler', 'ElopageWebhook'];
+        if($request->getParam('action') === 'ajaxGetCSFRToken') {
+            return true;
+        }
        foreach($whitelist as $entry) {
          if($request->getParam('controller') === $entry) {
            if($entry == 'ElopageWebhook') {
--- a/src/Controller/StateUsersController.php
+++ b/src/Controller/StateUsersController.php
@ -5,6 +5,8 @@ use Cake\Routing\Router;
 use Cake\I18n\I18n;
 use Cake\I18n\FrozenTime;
 use Cake\ORM\TableRegistry;
+use Cake\Http\Client;
+use Cake\Core\Configure;

 use App\Controller\AppController;
 use App\Form\UserSearchForm;
@ -43,7 +45,7 @@ class StateUsersController extends AppController
        $this->Auth->allow([
            'search', 'ajaxCopyLoginToCommunity', 'ajaxCopyCommunityToLogin',
            'ajaxDelete', 'ajaxCountTransactions', 'ajaxVerificationEmailResend',
-            'ajaxGetUserEmailVerificationCode'
+            'ajaxGetUserEmailVerificationCode', 'ajaxGetCSFRToken'
         ]);
        $this->set(
            'naviHierarchy',
@ -433,6 +435,40 @@ class StateUsersController extends AppController
        }
        return $this->returnJson(['state' => 'error', 'msg' => 'no post request']);
    }
+    
+    public function ajaxGetCSFRToken()
+    {
+        if ($this->request->is('post')) {
+            $jsonData = $this->request->input('json_decode', true);
+            $session_id = $jsonData['session_id'];
+            $client_ip = $this->request->clientIp();
+             
+            $loginServer = Configure::read('LoginServer');
+            $url = $loginServer['host'] . ':' . $loginServer['port'];
+            
+            $http = new Client();
+            $response = $http->get($url . '/login', ['session_id' => $session_id]);
+            $json = $response->getJson();
+
+            if (isset($json) && count($json) > 0) {
+                if ($json['state'] === 'success') {
+                    if($json['clientIP'] == $client_ip) {
+                        return $this->returnJson(['state' => 'success', 'csfr' => $this->request->getParam('_csrfToken')]);
+                    } else {
+                        return $this->returnJson([
+                            'state' => 'error',
+                            'msg' => 'client ip mismatch',
+                            'details' => ['login_server' => $json['clientIP'], 'caller' => $client_ip]]);
+                    }
+                } else {
+                    return $this->returnJson($json);
+                }
+            } else {
+                return $this->returnJson(['state' => 'error', 'invalid response form logins server']);
+            }
+        }
+        return $this->returnJson(['state' => 'error', 'msg' => 'no post']);
+    }
    /*

     getField(vnode, 'receive'),