# |
Aug 15th 2019, 14:55 |
ndm |
It doesn't... it couldn't if it wanted to, as the middleware has already run when the controller layer is reached. Look into your routes. |
# |
Aug 15th 2019, 14:55 |
neon1024 |
I’ve cleared my app cache too! |
# |
Aug 15th 2019, 14:54 |
neon1024 |
It seems that the SecurityComponent adds the CsrfMiddleware for you |
# |
Aug 15th 2019, 14:54 |
ndm |
No, `FormHelper::secure()` generates the security component token `_Token`. The CSRF token is unrelated. |
# |
Aug 15th 2019, 14:53 |
neon1024 |
I’ll continue to dig around and see what happens :slightly_smiling_face: |
# |
Aug 15th 2019, 14:53 |
neon1024 |
So that’s progress on where I was |
# |
Aug 15th 2019, 14:53 |
neon1024 |
Submitting that as the `_Token[fields]` just gives a Csrf mismatch exception |
# |
Aug 15th 2019, 14:53 |
neon1024 |
So FormHelper::secure() generates the token into the hidden input `_csrfToken` |
# |
Aug 15th 2019, 14:51 |
ndm |
I was more pointing to the `getParam()` example ;) |
# |
Aug 15th 2019, 14:50 |
neon1024 |
Which is why I feel so lost |
# |
Aug 15th 2019, 14:50 |
neon1024 |
This is all just SecurityComponent |
# |
Aug 15th 2019, 14:50 |
neon1024 |
..and I don’t have that setup either |
# |
Aug 15th 2019, 14:50 |
martin |
hmm CsrfComponent had cookies that were readable by JavaScript I believe :P |
# |
Aug 15th 2019, 14:50 |
neon1024 |
Which says to use the Middleware |
# |
Aug 15th 2019, 14:50 |
ndm |
@neon1024 https://book.cakephp.org/3.0/en/controllers/components/csrf.html#using-the-csrfcomponent ;) |
# |
Aug 15th 2019, 14:49 |
neon1024 |
..and I don’t have the Csrf middleware |
# |
Aug 15th 2019, 14:49 |
neon1024 |
I wasn’t using Javascript to read the cookie |
# |
Aug 15th 2019, 14:49 |
martin |
you need to turn it on by the middleware |
# |
Aug 15th 2019, 14:49 |
martin |
by default the cookie of csrf is not readable by JavaScript |
# |
Aug 15th 2019, 14:49 |
neon1024 |
..but that doesn’t work, so yeah, I’ll give it a try, thanks! |
# |
Aug 15th 2019, 14:48 |
neon1024 |
@ndm The documentation said to use the cookie |
# |
Aug 15th 2019, 14:48 |
ndm |
On the first request there would be no cookie |
# |
Aug 15th 2019, 14:48 |
ndm |
@neon1024 Also, you should rather read the CSRF token from the request parameters, like `$this->getRequest()->getParam('_csrfToken')` |
# |
Aug 15th 2019, 14:46 |
martin |
@ndm / @ricksaccous problem is that most of the tables that I use (old ones) are in Europe/Amsterdam, but this database uses UTC, so I wanted to set the single database to UTC :P |
# |
Aug 15th 2019, 14:45 |
ndm |
`_Token[fields]` still wrong... or copy pasta error |
# |
Aug 15th 2019, 14:45 |
neon1024 |
..because `[]` !== `''` ? |
# |
Aug 15th 2019, 14:44 |
neon1024 |
Yep, I’ve done that |
# |
Aug 15th 2019, 14:43 |
ndm |
@neon1024 See `\Cake\View\Helper\FormHelper::secure()` also. |
# |
Aug 15th 2019, 14:43 |
martin |
@ndm ok, will try that |
# |
Aug 15th 2019, 14:42 |
ndm |
@neon1024 You're probably not sending the `X-CSRF-Token` header... and the security token is invalid because a) `fields` is supposed to be a hash (see `\Cake\Utility\Security\SecureFieldTokenTrait::_buildFieldToken()`), and b) `debug` should be an array where the first element is the current URL, the second element an array of fields, and the third element an array of unlocked fields. |
# |
Aug 15th 2019, 14:39 |
neon1024 |
If it takes more than 30 minutes to setup, then it’s not worth using |
# |
Aug 15th 2019, 14:39 |
neon1024 |
Although, I’ll be honest, I am close to removing both of them to solve the problem. |
# |
Aug 15th 2019, 14:38 |
neon1024 |
I added the CsrfProtectionMiddleware and now I can’t login to my application due to `CSRF token mismatch. Cake\Http\Exception\InvalidCsrfTokenException` so I’m just working to try and find out why that is. Then I can go back to figuring out why my `_Token` used by SecurityComponent is causing a 400 Bad Request on my Ajax :slightly_smiling_face: |
# |
Aug 15th 2019, 14:36 |
neon1024 |
I’ve worked myself into a circle here, and totally lost the plot. Sorry @ndm |
# |
Aug 15th 2019, 14:35 |
ndm |
@neon1024 The debug token contains, for example, the fields in plain text; it's used by the security component to figure out the cause of a token mismatch, so that it can tell you what exactly the problem is. |
# |
Aug 15th 2019, 14:33 |
neon1024 |
This is a nightmare! |
# |
Aug 15th 2019, 14:33 |
neon1024 |
Turning on the Csrf Middleware means I can’t even login! |
# |
Aug 15th 2019, 14:25 |
neon1024 |
I wish the SecurityComponent was easy to use :( |