Log message #4199401

# At Username Text
# Aug 22nd 2019, 10:08 challgren Ok so heres a question when doing Integration Testing isn’t the CSRF token check disabled?
# Aug 22nd 2019, 10:03 ndm You could if it's not HTTP only, but on the first request there will be no cookie
# Aug 22nd 2019, 10:02 challgren in JS cant you get the cookie?
# Aug 22nd 2019, 10:02 ndm totally fine :slightly_smiling_face:
# Aug 22nd 2019, 10:02 neon1024 Feels a bit hacky
# Aug 22nd 2019, 10:01 ndm in your layout
# Aug 22nd 2019, 10:01 ndm @neon1024 Assign it to a global variable
# Aug 22nd 2019, 10:01 ndm @challgren The security token, for the security component
# Aug 22nd 2019, 10:01 neon1024 Not in Javascript I can’t
# Aug 22nd 2019, 10:01 ndm You can get the token in your view from the request object `$this->getRequest->getParam('_csrfToken')`
# Aug 22nd 2019, 10:01 challgren What am I thinking of that needs updated when the form changes?
# Aug 22nd 2019, 10:01 neon1024 Hm okay, thanks for the help @ndm I’ll look into this
# Aug 22nd 2019, 10:00 ndm It needs to send alongside your ajax request, and the the token needs to be in the data too, either as header (`X-CSRF-Token`) or as a field (`_csrfToken`)
# Aug 22nd 2019, 10:00 neon1024 So httpOnly blocks js
# Aug 22nd 2019, 09:59 neon1024 So I need this cookie?
# Aug 22nd 2019, 09:59 ndm @neon1024 @challgren No, it doesn't, the form helper just conveniently injects the token, but it doesn't generate it, that happens in the middleware, and it's not realted to any content
# Aug 22nd 2019, 09:58 challgren Has pretty much everything but the kitchen sink
# Aug 22nd 2019, 09:58 challgren Yeah I might switch to it!
# Aug 22nd 2019, 09:58 alexdd55976 inspinia looks really nice. thanks
# Aug 22nd 2019, 09:57 yamcomnet Confusing.. I will still get Orders that are authenticated = 0 as results?? Not really sure how this orWhere really should work?
# Aug 22nd 2019, 09:56 challgren So wouldnt the CSRF token change if you add or remove a field?
# Aug 22nd 2019, 09:56 neon1024 :S
# Aug 22nd 2019, 09:56 challgren `The CsrfProtectionMiddleware integrates seamlessly with FormHelper. Each time you create a form with FormHelper, it will insert a hidden field containing the CSRF token.`
# Aug 22nd 2019, 09:56 ndm from the security component
# Aug 22nd 2019, 09:56 ndm That's the security token
# Aug 22nd 2019, 09:56 challgren Yeah
# Aug 22nd 2019, 09:55 neon1024 @ndm Oh really? I thought it was a hash of the form fields?
# Aug 22nd 2019, 09:55 neon1024 Although if this was true, I could easily get the cookie in JS
# Aug 22nd 2019, 09:55 ndm CSRF protection doesn't care about your form content.
# Aug 22nd 2019, 09:55 neon1024 > The CSRF Token can be obtained via the Cookie csrfToken.
# Aug 22nd 2019, 09:55 neon1024 Disabling it seems like the way to go
# Aug 22nd 2019, 09:55 challgren Yep
# Aug 22nd 2019, 09:55 neon1024 ..but then I feel like I’d need an internal web service endpoint to which I can submit the form config and get a token back
# Aug 22nd 2019, 09:54 neon1024 This tiny snippet of docs makes me wonder if it is possible
# Aug 22nd 2019, 09:54 neon1024 https://book.cakephp.org/3.0/en/controllers/middleware.html#csrf-protection-and-ajax-requests
# Aug 22nd 2019, 09:54 challgren @neon1024 my option was to skip CSRF on those actions
# Aug 22nd 2019, 09:53 neon1024 As PHP will not have access to any of the form fields
# Aug 22nd 2019, 09:53 neon1024 When working in Javascript to build a form, how can I submit the correct CSRF Token? I am dynamically adding fields to the form using Javascript. So I assume the token needs to update every time a form field is added or removed? Or can I just skip the middleware for these few controller actions?
# Aug 22nd 2019, 09:49 alexdd55976 @neon1024 the paying decision is not on my... i will recommend buying a nice one, instead of hacking through some half assed free one
# Aug 22nd 2019, 09:48 neon1024 @alexdd55976 If you’re not interested in paying, there are some free ones here https://w3layouts.com/
# Aug 22nd 2019, 09:48 alexdd55976 @challgren thx