Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints

2021-11-16 20:02:18 -08:00 · 2021-11-16 20:02:18 -08:00 · bf9cbe2c6d
commit bf9cbe2c6d
parent cc31a0a6d0
7 changed files with 59 additions and 14 deletions
--- a/resources/views/admin/nodes/view/configuration.blade.php
+++ b/resources/views/admin/nodes/view/configuration.blade.php
@ -70,7 +70,11 @@
    @parent
    <script>
    $('#configTokenBtn').on('click', function (event) {
-        $.getJSON('{{ route('admin.nodes.view.configuration.token', $node->id) }}').done(function (data) {
+        $.ajax({
+            method: 'POST',
+            url: '{{ route('admin.nodes.view.configuration.token', $node->id) }}',
+            headers: { 'X-CSRF-TOKEN': '{{ csrf_token() }}' },
+        }).done(function (data) {
            swal({
                type: 'success',
                title: 'Token created.',
--- a/resources/views/admin/settings/mail.blade.php
+++ b/resources/views/admin/settings/mail.blade.php
@ -145,9 +145,9 @@
                showLoaderOnConfirm: true
            }, function () {
                $.ajax({
-                    method: 'GET',
+                    method: 'POST',
                    url: '/admin/settings/mail/test',
-                    headers: { 'X-CSRF-Token': $('input[name="_token"]').val() }
+                    headers: { 'X-CSRF-TOKEN': $('input[name="_token"]').val() }
                }).fail(function (jqXHR) {
                    showErrorDialog(jqXHR, 'test');
                }).done(function () {