Log message #4199421

# At Username Text
# Aug 22nd 2019, 10:20 neon1024 Needs work imho
# Aug 22nd 2019, 10:19 neon1024 RIP CSRF Middleware
# Aug 22nd 2019, 10:19 neon1024 Lol, even the whitelist callback doesn’t work
# Aug 22nd 2019, 10:17 neon1024 Yep
# Aug 22nd 2019, 10:16 ndm You mean the parameter in the request object is empty?
# Aug 22nd 2019, 10:13 neon1024 I’ll use the whitelist callback
# Aug 22nd 2019, 10:13 neon1024 So when I hit this page, my `_csrfToken` is empty
# Aug 22nd 2019, 10:13 ndm I'm not overly familiar with Vue.js, but I don't see how adding a script tag on top wouldn't work
# Aug 22nd 2019, 10:11 neon1024 This is my template
# Aug 22nd 2019, 10:11 slackebot2 <neon1024>
# Aug 22nd 2019, 10:10 neon1024 I’m using Vue.js to build a component which manages the whole template
# Aug 22nd 2019, 10:10 ndm what does "rendering javascript" mean
# Aug 22nd 2019, 10:10 neon1024 I think I’ll just turn off CSRF for this prefix
# Aug 22nd 2019, 10:09 neon1024 Seems to work on other pages
# Aug 22nd 2019, 10:09 neon1024 Adding the token to the layout doesn’t work when I’m rendering my javascript
# Aug 22nd 2019, 10:09 challgren Ahh ok
# Aug 22nd 2019, 10:09 ndm @challgren Oh wait, I think I misunderstood you... the cookie would be there. Still I think passing the value to JS is cleaner, no need to parse the cookie string, and to make the cookie insecure
# Aug 22nd 2019, 10:09 hippo ``` $this->enableCsrfToken(); $this->enableSecurityToken(); ```
# Aug 22nd 2019, 10:08 challgren Is there any way to explicitly turn it on?
# Aug 22nd 2019, 10:08 hippo Yes
# Aug 22nd 2019, 10:08 challgren Ok so here’s a question: when doing Integration Testing isn’t the CSRF token check disabled?
# Aug 22nd 2019, 10:03 ndm You could if it's not HTTP only, but on the first request there will be no cookie
# Aug 22nd 2019, 10:02 challgren in JS can’t you get the cookie?
# Aug 22nd 2019, 10:02 ndm totally fine :slightly_smiling_face:
# Aug 22nd 2019, 10:02 neon1024 Feels a bit hacky
# Aug 22nd 2019, 10:01 ndm in your layout
# Aug 22nd 2019, 10:01 ndm @neon1024 Assign it to a global variable
# Aug 22nd 2019, 10:01 ndm @challgren The security token, for the security component
# Aug 22nd 2019, 10:01 neon1024 Not in Javascript I can’t
# Aug 22nd 2019, 10:01 ndm You can get the token in your view from the request object `$this->getRequest()->getParam('_csrfToken')`
# Aug 22nd 2019, 10:01 challgren What am I thinking of that needs updated when the form changes?
# Aug 22nd 2019, 10:01 neon1024 Hm okay, thanks for the help @ndm I’ll look into this
# Aug 22nd 2019, 10:00 ndm It needs to send alongside your ajax request, and the token needs to be in the data too, either as header (`X-CSRF-Token`) or as a field (`_csrfToken`)
# Aug 22nd 2019, 10:00 neon1024 So httpOnly blocks js
# Aug 22nd 2019, 09:59 neon1024 So I need this cookie?
# Aug 22nd 2019, 09:59 ndm @neon1024 @challgren No, it doesn't, the form helper just conveniently injects the token, but it doesn't generate it, that happens in the middleware, and it's not related to any content
# Aug 22nd 2019, 09:58 challgren Has pretty much everything but the kitchen sink
# Aug 22nd 2019, 09:58 challgren Yeah I might switch to it!
# Aug 22nd 2019, 09:58 alexdd55976 inspinia looks really nice. thanks
# Aug 22nd 2019, 09:57 yamcomnet Confusing.. I will still get Orders that are authenticated = 0 as results?? Not really sure how this orWhere really should work?
# Aug 22nd 2019, 09:56 challgren So wouldn’t the CSRF token change if you add or remove a field?