From 138ad755a263be4acc02dc0d65ab9b8a7a9f8f55 Mon Sep 17 00:00:00 2001
From: Dario Rekowski on RockPI
Date: Tue, 16 Feb 2021 08:57:24 +0000
Subject: [PATCH 1/2] add ajax call for getting csfr token

---
 config/routes.php | 3 ++
 src/Controller/StateUsersController.php | 38 ++++++++++++++++++++++++-
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/config/routes.php b/config/routes.php
index ffbe4e504..7193363eb 100644
--- a/config/routes.php
+++ b/config/routes.php
@@ -58,6 +58,9 @@ Router::scope('/', function (RouteBuilder $routes) {
         // Skip token check for API URLs.
         //die($request->getParam('controller'));
         $whitelist = ['JsonRequestHandler', 'ElopageWebhook'];
+        if($request->getParam('action') === 'ajaxGetCSFRToken') {
+          return true;
+        }
         foreach($whitelist as $entry) {
           if($request->getParam('controller') === $entry) {
             if($entry == 'ElopageWebhook') {
diff --git a/src/Controller/StateUsersController.php b/src/Controller/StateUsersController.php
index c960bc05c..66ed74819 100644
--- a/src/Controller/StateUsersController.php
+++ b/src/Controller/StateUsersController.php
@@ -5,6 +5,8 @@ use Cake\Routing\Router;
 use Cake\I18n\I18n;
 use Cake\I18n\FrozenTime;
 use Cake\ORM\TableRegistry;
+use Cake\Http\Client;
+use Cake\Core\Configure;
 use App\Controller\AppController;
 use App\Form\UserSearchForm;
@@ -43,7 +45,7 @@ class StateUsersController extends AppController
         $this->Auth->allow([
             'search', 'ajaxCopyLoginToCommunity', 'ajaxCopyCommunityToLogin', 'ajaxDelete', 'ajaxCountTransactions', 'ajaxVerificationEmailResend',
-            'ajaxGetUserEmailVerificationCode'
+            'ajaxGetUserEmailVerificationCode', 'ajaxGetCSFRToken'
         ]);
         $this->set(
             'naviHierarchy',
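Review bot: Adding `'ajaxGetCSFRToken'` to `$this->Auth->allow([...])` makes the token endpoint reachable without an application login, so the only gate left is whatever the action itself does with the login-server answer, and the allow list should say so, e.g. `// ajaxGetCSFRToken: public on purpose, gated only by the login-server session + client-IP check inside the action`. The new name spells the acronym `CSFR` while the value it hands out is CakePHP's `_csrfToken`; the same spelling is used in the route whitelist and presumably by the JS caller, so a rename is a follow-up rather than something for this commit. The `allow()` call sits inside a method whose signature is above the hunk.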
@@ -433,6 +435,40 @@ class StateUsersController extends AppController
         }
         return $this->returnJson(['state' => 'error', 'msg' => 'no post request']);
     }
+
+    public function ajaxGetCSFRToken()
+    {
+        if ($this->request->is('post')) {
+            $jsonData = $this->request->input('json_decode', true);
+            $session_id = $jsonData['session_id'];
+            $client_ip = $this->request->clientIp();
+
+            $loginServer = Configure::read('LoginServer');
+            $url = $loginServer['host'] . ':' . $loginServer['port'];
+
+            $http = new Client();
+            $response = $http->get($url . '/login', ['session_id' => $session_id]);
+            $json = $response->getJson();
+
+            if (isset($json) && count($json) > 0) {
+                if ($json['state'] === 'success') {
+                    if($json['clientIP'] == $client_ip) {
+                        return $this->returnJson(['state' => 'success', 'csfr' => $this->request->getParam('_csrfToken')]);
+                    } else {
+                        return $this->returnJson([
+                            'state' => 'error',
+                            'msg' => 'client ip mismatch',
+                            'details' => ['login_server' => $json['clientIP'], 'caller' => $client_ip]]);
+                    }
+                } else {
+                    return $this->returnJson($json);
+                }
+            } else {
+                return $this->returnJson(['state' => 'error', 'invalid response form logins server']);
+            }
+        }
+        return $this->returnJson(['state' => 'error', 'msg' => 'no post']);
+    }
     /*
      getField(vnode, 'receive'),
From 1f875f1c9649f4be65766e94d6881ff3484f3036 Mon Sep 17 00:00:00 2001
From: Dario Rekowski on RockPI
Date: Tue, 16 Feb 2021 09:19:54 +0000
Subject: [PATCH 2/2] change call for csfr token to get

---
 config/routes.php | 4 +-
 src/Controller/StateUsersController.php | 50 ++++++++++++-------------
 2 files changed, 26 insertions(+), 28 deletions(-)

diff --git a/config/routes.php b/config/routes.php
index 7193363eb..27d998f2c 100644
--- a/config/routes.php
+++ b/config/routes.php
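Review bot: `$jsonData['session_id']` is read without checking that `$this->request->input('json_decode', true)` actually produced an array, so a non-JSON body or a missing key raises a notice and forwards an empty `session_id` to the login server instead of failing fast; a guard such as `$session_id = $jsonData['session_id'] ?? null; if ($session_id === null) { return $this->returnJson(['state' => 'error', 'msg' => 'no session id']); }` before the `Client` call would close that. The last error response, `['state' => 'error', 'invalid response form logins server']`, has no `'msg'` key (the text lands at index 0) and misspells "from login server", so a caller reading `msg` gets nothing. This whole body is rewritten by PATCH 2/2 below, where the id moves from the POST body to a route parameter, and both points carry over to that version.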
@@ -58,9 +58,7 @@ Router::scope('/', function (RouteBuilder $routes) {
         // Skip token check for API URLs.
         //die($request->getParam('controller'));
         $whitelist = ['JsonRequestHandler', 'ElopageWebhook'];
-        if($request->getParam('action') === 'ajaxGetCSFRToken') {
-          return true;
-        }
+
         foreach($whitelist as $entry) {
           if($request->getParam('controller') === $entry) {
             if($entry == 'ElopageWebhook') {
diff --git a/src/Controller/StateUsersController.php b/src/Controller/StateUsersController.php
index 66ed74819..d85f8b449 100644
--- a/src/Controller/StateUsersController.php
+++ b/src/Controller/StateUsersController.php
@@ -436,38 +436,38 @@ class StateUsersController extends AppController
             return $this->returnJson(['state' => 'error', 'msg' => 'no post request']);
         }
-    public function ajaxGetCSFRToken()
+    public function ajaxGetCSFRToken($session_id)
     {
-        if ($this->request->is('post')) {
-            $jsonData = $this->request->input('json_decode', true);
-            $session_id = $jsonData['session_id'];
-            $client_ip = $this->request->clientIp();
-
-            $loginServer = Configure::read('LoginServer');
-            $url = $loginServer['host'] . ':' . $loginServer['port'];
-
-            $http = new Client();
-            $response = $http->get($url . '/login', ['session_id' => $session_id]);
-            $json = $response->getJson();
+        if(!isset($session_id) || $session_id == 0) {
+            $this->returnJson(['state' => 'error', 'msg' => 'no session id']);
+        }
+
+        $client_ip = $this->request->clientIp();
-            if (isset($json) && count($json) > 0) {
-                if ($json['state'] === 'success') {
-                    if($json['clientIP'] == $client_ip) {
-                        return $this->returnJson(['state' => 'success', 'csfr' => $this->request->getParam('_csrfToken')]);
-                    } else {
-                        return $this->returnJson([
-                            'state' => 'error',
-                            'msg' => 'client ip mismatch',
-                            'details' => ['login_server' => $json['clientIP'], 'caller' => $client_ip]]);
-                    }
+        $loginServer = Configure::read('LoginServer');
+        $url = $loginServer['host'] . ':' . $loginServer['port'];
+
+        $http = new Client();
+        $response = $http->get($url . '/login', ['session_id' => $session_id]);
+        $json = $response->getJson();
+
+        if (isset($json) && count($json) > 0) {
+            if ($json['state'] === 'success') {
+                if($json['clientIP'] == $client_ip) {
+                    return $this->returnJson(['state' => 'success', 'csfr' => $this->request->getParam('_csrfToken')]);
                 } else {
-                    return $this->returnJson($json);
+                    return $this->returnJson([
+                        'state' => 'error',
+                        'msg' => 'client ip mismatch',
+                        'details' => ['login_server' => $json['clientIP'], 'caller' => $client_ip]]);
                 }
             } else {
-                return $this->returnJson(['state' => 'error', 'invalid response form logins server']);
+                return $this->returnJson($json);
             }
+        } else {
+            return $this->returnJson(['state' => 'error', 'invalid response form logins server']);
         }
-        return $this->returnJson(['state' => 'error', 'msg' => 'no post']);
+
     }
     /*
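Review bot: The new guard `if(!isset($session_id) || $session_id == 0) { $this->returnJson(...); }` discards the result of `returnJson()` and falls through, so a missing or `0` id still reaches `Client::get()` and the rest of the method; it needs `return $this->returnJson(...)`, the parameter needs a default (`$session_id = null`) so a URL without the segment does not throw an `ArgumentCountError`, and the comparison should be strict because `== 0` is true for any non-numeric string on PHP 7 and false on PHP 8. `$json['state']` and `$json['clientIP']` are read without `isset`, `count($json)` throws a `TypeError` on PHP 8 when the login server returns a non-array JSON value, and the fallback `['state' => 'error', 'invalid response form logins server']` has no `'msg'` key. Since the session id is now a path segment of a GET request it will appear in access logs, browser history and any Referer the page sends, so it is worth confirming that this id is not a bearer secret for the login server. The IP match `$json['clientIP'] == $client_ip` should be `===`, and `clientIp()` only reflects the real client behind a reverse proxy when Cake's `trustProxy` is configured, which I cannot see from here. Below is the rewritten guard and response handling; the `Client` call itself is unchanged and still has no timeout or exception handling, which is a separate follow-up.
```php
    public function ajaxGetCSFRToken($session_id = null)
    {
        // Reject a missing/blank/zero id before contacting the login server, and actually return.
        if ($session_id === null || (string)$session_id === '' || (string)$session_id === '0') {
            return $this->returnJson(['state' => 'error', 'msg' => 'no session id']);
        }
        // … unchanged: $client_ip, $loginServer, $url, Client() and get() …
        $json = $response->getJson();

        // Login server must answer with a JSON object carrying at least 'state'.
        if (!is_array($json) || !isset($json['state'])) {
            return $this->returnJson(['state' => 'error', 'msg' => 'invalid response from login server']);
        }
        if ($json['state'] !== 'success') {
            return $this->returnJson($json);
        }
        // Only hand the token to the client the login server saw for this session.
        if (!isset($json['clientIP']) || $json['clientIP'] !== $client_ip) {
            return $this->returnJson([
                'state' => 'error',
                'msg' => 'client ip mismatch',
                'details' => ['login_server' => $json['clientIP'] ?? null, 'caller' => $client_ip]]);
        }
        return $this->returnJson(['state' => 'success', 'csfr' => $this->request->getParam('_csrfToken')]);
    }
```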