From 1f875f1c9649f4be65766e94d6881ff3484f3036 Mon Sep 17 00:00:00 2001
From: Dario Rekowski on RockPI
Date: Tue, 16 Feb 2021 09:19:54 +0000
Subject: [PATCH] change call for csfr token to get

---
 config/routes.php | 4 +-
 src/Controller/StateUsersController.php | 50 ++++++++++++-------------
 2 files changed, 26 insertions(+), 28 deletions(-)

diff --git a/config/routes.php b/config/routes.php
index 7193363eb..27d998f2c 100644
--- a/config/routes.php
+++ b/config/routes.php
@@ -58,9 +58,7 @@ Router::scope('/', function (RouteBuilder $routes) {
 // Skip token check for API URLs.
 //die($request->getParam('controller'));
 $whitelist = ['JsonRequestHandler', 'ElopageWebhook'];
- if($request->getParam('action') === 'ajaxGetCSFRToken') {
- return true;
- }
+
 foreach($whitelist as $entry) {
 if($request->getParam('controller') === $entry) {
 if($entry == 'ElopageWebhook') {
diff --git a/src/Controller/StateUsersController.php b/src/Controller/StateUsersController.php
index 66ed74819..d85f8b449 100644
--- a/src/Controller/StateUsersController.php
+++ b/src/Controller/StateUsersController.php
@@ -436,38 +436,38 @@ class StateUsersController extends AppController
 return $this->returnJson(['state' => 'error', 'msg' => 'no post request']);
 }
 
- public function ajaxGetCSFRToken()
+ public function ajaxGetCSFRToken($session_id)
 {
- if ($this->request->is('post')) {
- $jsonData = $this->request->input('json_decode', true);
- $session_id = $jsonData['session_id'];
- $client_ip = $this->request->clientIp();
-
- $loginServer = Configure::read('LoginServer');
- $url = $loginServer['host'] . ':' . $loginServer['port'];
-
- $http = new Client();
- $response = $http->get($url . '/login', ['session_id' => $session_id]);
- $json = $response->getJson();
+ if(!isset($session_id) || $session_id == 0) {
+ $this->returnJson(['state' => 'error', 'msg' => 'no session id']);
+ }
+
+ $client_ip = $this->request->clientIp();
 
- if (isset($json) && count($json) > 0) {
- if ($json['state'] === 'success') {
- if($json['clientIP'] == $client_ip) {
- return $this->returnJson(['state' => 'success', 'csfr' => $this->request->getParam('_csrfToken')]);
- } else {
- return $this->returnJson([
- 'state' => 'error',
- 'msg' => 'client ip mismatch',
- 'details' => ['login_server' => $json['clientIP'], 'caller' => $client_ip]]);
- }
+ $loginServer = Configure::read('LoginServer');
+ $url = $loginServer['host'] . ':' . $loginServer['port'];
+
+ $http = new Client();
+ $response = $http->get($url . '/login', ['session_id' => $session_id]);
+ $json = $response->getJson();
+
+ if (isset($json) && count($json) > 0) {
+ if ($json['state'] === 'success') {
+ if($json['clientIP'] == $client_ip) {
+ return $this->returnJson(['state' => 'success', 'csfr' => $this->request->getParam('_csrfToken')]);
 } else {
- return $this->returnJson($json);
+ return $this->returnJson([
+ 'state' => 'error',
+ 'msg' => 'client ip mismatch',
+ 'details' => ['login_server' => $json['clientIP'], 'caller' => $client_ip]]);
 }
 } else {
- return $this->returnJson(['state' => 'error', 'invalid response form logins server']);
+ return $this->returnJson($json);
 }
+ } else {
+ return $this->returnJson(['state' => 'error', 'invalid response form logins server']);
 }
- return $this->returnJson(['state' => 'error', 'msg' => 'no post']);
+
 }
 
 /*
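Review bot: The new guard at the top of ajaxGetCSFRToken builds the 'no session id' error but does not return it, so execution continues past it, contacts the login server with the empty id and then produces a second returnJson() result; the line should read `return $this->returnJson(['state' => 'error', 'msg' => 'no session id']);`. The condition `$session_id == 0` is a loose comparison whose outcome for a non-numeric string differs between PHP 7 and PHP 8; `if ($session_id === null || $session_id === '' || $session_id === '0')` states the intent explicitly. Because $session_id is now a method parameter instead of a value read from the POST body, it presumably arrives in the URL, where it lands in web-server and proxy access logs, browser history and Referer headers — worth confirming that this id is not sensitive enough to justify keeping it out of the URL. If the token check in config/routes.php follows the usual pattern of validating only state-changing methods, it will not cover this GET either, leaving the client-IP match against the login server as the only gate on handing out `_csrfToken`. The moved branches still compare `$json['clientIP'] == $client_ip` loosely and read `$json['state']` without checking the key exists; that is unchanged from the old code but now sits on the new side of the hunk.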