Authentication Security Validation
Last updated 2 years ago.

Interesting, I'm currently building a Laravel app that implements Angular, and I was thinking about this the other day and how to interact with Laravel's own version.

With regards to the top bit of JS, you could use Laracasts' https://github.com/laracasts/PHP-Vars-To-Js-Transformer to output this from within the class; I used this today to do some JS vars.

But it would be great to get feedback on the above to see if it's worth implementing. Nice :-)

Last updated 2 years ago.

simondavies said:

Interesting, I'm currently building a Laravel app that implements Angular, and I was thinking about this the other day and how to interact with Laravel's own version.

With regards to the top bit of JS, you could use Laracasts' https://github.com/laracasts/PHP-Vars-To-Js-Transformer to output this from within the class; I used this today to do some JS vars.

But it would be great to get feedback on the above to see if it's worth implementing. Nice :-)

Nice bundle, but I think it's cleaner/simpler to do it like this (at least in a SPA):

// Routes file: expose the config as a JavaScript asset the SPA can load with a <script> tag
Route::get('assets/base/scripts/config.js', array('as' => 'base.utils.jsconfig', 'uses' => 'App\Controllers\Base\UtilsController@jsConfig'));

// Controller file (namespace must be the first statement in its own file)
namespace App\Controllers\Base;

use \App;
use \Config;
use \Input;
use \Response;
use \BaseController;

class UtilsController extends BaseController
{
    // Returns the runtime config as a real JavaScript document, so nothing
    // has to be inlined into the HTML of every page.
    public function jsConfig()
    {
        $js = 'var config = {};';
        $response = Response::make($js, 200);
        $response->header('Content-Type', 'application/javascript; charset=UTF-8');
        return $response;
    }
}

[But it would be great to get feedback on the above to see if it's worth implementing. Nice :-)]

Yeah, up to now I don't see any security hole (even if the cookie value can be seen), but just waiting :) and all in all it seems better than others like http://www.laravel-tricks.com/tricks/angularjs-csrf-token-constant

Last updated 2 years ago.

I really appreciate your code-sharing, I'm gonna use it in my current project

Last updated 2 years ago.

Why not set the cookie on the server side with Response::withCookie()? (http://laravel.com/docs/4.2/requests#cookies)

Setting the cookie on the client side with javascript after the initial response doesn't seem to be so robust as doing it together with the initial response.

Also, it's worth pointing out that the current release of Laravel does this automatically, so this guide now only applies to users of Laravel 4 - http://laravel.com/docs/5.1/routing#csrf-x-xsrf-token


Also, just to point out the obvious: you never actually validate the XSRF token in your filter against the server token, so it's completely useless.

Here is a stripped back version of what I'm doing. Critical feedback welcome.

public function foo()
{
    // Build view ($view and $data are prepared earlier; omitted in this stripped-back version)
    $response = View::make($view, $data);

    // Set CSRF token cookie. Laravel 4 signature:
    // Cookie::make($name, $value, $minutes, $path, $domain, $secure, $httpOnly)
    // httpOnly is false on purpose so the Angular client can read the cookie.
    $cookie = Cookie::make('XSRF-TOKEN', csrf_token(), null, null, null, null, false);

    return Response::make($response, 200)->withCookie($cookie);
}

Route::filter('xsrf', function()
{
    $cookie = Cookie::get('XSRF-TOKEN');        // Laravel decrypts cookies on read
    $raw    = Request::header('X-XSRF-TOKEN');  // Angular echoes the raw (encrypted) cookie value

    // Only decrypt when a header was actually sent: Crypt::decrypt() throws on
    // null or tampered input rather than returning null, which would make the
    // is_null() check below unreachable.
    try {
        $header = is_null($raw) ? null : Crypt::decrypt($raw);
    } catch (\Illuminate\Encryption\DecryptException $e) {
        $header = null;                         // garbage header is treated as missing
    }
    $csrf_token = \Session::token();

    if(is_null($header) ||      // No token in header? FAIL
       $cookie !== $header ||   // Cookie and header don't match? FAIL
       $header !== $csrf_token) // Header token invalid? FAIL
    {
        // PHP concatenates strings with '.', not '+'
        Log::warning('Invalid XSRF token. Received: "' . $header . '" Expected: "' . $csrf_token . '"');
        return Response::make('Forbidden', 403); // 403 is the status code for Forbidden
    }
});

Note that in the real thing the cookie has the secure flag set as the site is https only, but just in case someone copy/pastes this example without actually understanding it I'm not setting that flag here. If you are using https you should change the secure parameter to Cookie::make().

Last updated 9 years ago.
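As an added example (not code from the thread), the double-submit check that the filter above performs, written as a framework-free PHP function that can be run without Laravel: it treats a missing header or cookie as a failure, compares with hash_equals() so the comparison does not leak timing, and returns a reason suitable for logging. It assumes both values have already been decrypted (as Cookie::get() does) and uses constructed sample tokens. The "forged cookie" case shows why the comparison against the session token is the part that actually matters: cookie and header agree, yet the request is still rejected.

```php
<?php
// Added example: framework-free double-submit cookie check.
// Assumes $cookie and $header are already plaintext tokens and that
// $sessionToken is the token stored in the server-side session.

function validateXsrf(?string $cookie, ?string $header, string $sessionToken): array
{
    // No header at all: the request did not come through our JS client.
    if ($header === null || $header === '') {
        return [false, 'missing X-XSRF-TOKEN header'];
    }
    // No cookie: the client never received a token to echo back.
    if ($cookie === null || $cookie === '') {
        return [false, 'missing XSRF-TOKEN cookie'];
    }
    // Double submit: cookie and header must carry the same value ...
    if (!hash_equals($cookie, $header)) {
        return [false, 'cookie and header differ'];
    }
    // ... and that value must be the token the server itself issued.
    if (!hash_equals($sessionToken, $header)) {
        return [false, 'token does not match session'];
    }
    return [true, 'ok'];
}

// Constructed sample values, not real tokens.
$session = 'f9c1d3e7b2a44c8e9d0f1a2b3c4d5e6f';
$cases = [
    'valid'         => [$session, $session],
    'no header'     => [$session, null],
    'forged cookie' => ['attacker-chosen', 'attacker-chosen'],
    'stale header'  => [$session, 'token-from-an-older-session'],
];
foreach ($cases as $name => [$cookie, $header]) {
    [$ok, $why] = validateXsrf($cookie, $header, $session);
    printf("%-14s -> %s (%s)\n", $name, $ok ? 'allow' : 'deny', $why);
}
```

Only the "valid" case is allowed; each of the other three is denied with the reason that a filter would write to the log.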

Laravel.io
© 2024 Laravel.io - All rights reserved.