Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints

2021-11-16 20:02:18 -08:00 · 2021-11-16 20:02:18 -08:00 · bf9cbe2c6d
commit bf9cbe2c6d
parent cc31a0a6d0
7 changed files with 59 additions and 14 deletions
--- a/resources/scripts/api/http.ts
+++ b/resources/scripts/api/http.ts
@ -7,10 +7,21 @@ const http: AxiosInstance = axios.create({
        'X-Requested-With': 'XMLHttpRequest',
        Accept: 'application/json',
        'Content-Type': 'application/json',
-        'X-CSRF-Token': (window as any).X_CSRF_TOKEN as string || '',
    },
 });

+http.interceptors.request.use(req => {
+    const cookies = document.cookie.split(';').reduce((obj, val) => {
+        const [ key, value ] = val.trim().split('=').map(decodeURIComponent);
+
+        return { ...obj, [key]: value };
+    }, {} as Record<string, string>);
+
+    req.headers['X-XSRF-TOKEN'] = cookies['XSRF-TOKEN'] || 'nil';
+
+    return req;
+});
+
 http.interceptors.request.use(req => {
    if (!req.url?.endsWith('/resources') && (req.url?.indexOf('_debugbar') || -1) < 0) {
        store.getActions().progress.startContinuous();
--- a/resources/views/admin/nodes/view/configuration.blade.php
+++ b/resources/views/admin/nodes/view/configuration.blade.php
@ -70,7 +70,11 @@
    @parent
    <script>
    $('#configTokenBtn').on('click', function (event) {
-        $.getJSON('{{ route('admin.nodes.view.configuration.token', $node->id) }}').done(function (data) {
+        $.ajax({
+            method: 'POST',
+            url: '{{ route('admin.nodes.view.configuration.token', $node->id) }}',
+            headers: { 'X-CSRF-TOKEN': '{{ csrf_token() }}' },
+        }).done(function (data) {
            swal({
                type: 'success',
                title: 'Token created.',
--- a/resources/views/admin/settings/mail.blade.php
+++ b/resources/views/admin/settings/mail.blade.php
@ -145,9 +145,9 @@
                showLoaderOnConfirm: true
            }, function () {
                $.ajax({
-                    method: 'GET',
+                    method: 'POST',
                    url: '/admin/settings/mail/test',
-                    headers: { 'X-CSRF-Token': $('input[name="_token"]').val() }
+                    headers: { 'X-CSRF-TOKEN': $('input[name="_token"]').val() }
                }).fail(function (jqXHR) {
                    showErrorDialog(jqXHR, 'test');
                }).done(function () {