
FormProtector failing with csrfSessionMiddleware #17612

Open
KrzysiekNDS opened this issue Mar 8, 2024 · 0 comments


KrzysiekNDS commented Mar 8, 2024

Description

In integration testing, when executing a GET request, I get the error `Error: Unexpected field _csrfToken in POST data` after executing a POST-type query with the CSRF token enabled. IMO, we can solve the problem by skipping adding tokens when the method is GET and the data field is empty.

Test to prove:

    $this->enableSecurityToken();
    $this->enableCsrfToken();
    $this->post('/login');
    $this->get('/login');
    $this->assertResponseCode(200);

With CsrfProtectionMiddleware it will pass; with SessionCsrfProtectionMiddleware it will fail: `Failed asserting that 200 matches response status code 400.`

Code:

The error is due to an inconsistency between the code in CsrfProtectionMiddleware and in SessionCsrfProtectionMiddleware: in SessionCsrfProtectionMiddleware, the GET method alone is sufficient to skip removing the data. In CsrfProtectionMiddleware, the method must be GET and $cookieData must be empty to skip removing the data.

CakePHP Version

5.0.5

PHP Version

8.2
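The two branching rules described in the report, modelled in plain PHP as an added illustration (this is not CakePHP's own code and does not boot the framework). The request array keys, the helper names and the sample token are hypothetical; the `cookieData` key stands in for the `$cookieData` the report mentions. Running it with the second request of the report's test (a GET made after a POST, so a token already exists and `_csrfToken` is in the request data) shows the cookie rule stripping the field while the session rule leaves it in place, which is exactly the leftover field the FormProtector check then rejects.

```php
<?php
declare(strict_types=1);

// Added illustration for this issue, not CakePHP's code. It models the two
// skip rules the report describes on a plain request array so the divergence
// is visible without the framework. Names and the sample token are hypothetical.

const SAMPLE_TOKEN = 'constructed-sample-token'; // constructed value, not a real token

/** Rule as described for CsrfProtectionMiddleware: skip only for GET with no cookie data. */
function cookieRuleLeavesTokenField(array $request): bool
{
    return $request['method'] === 'GET' && $request['cookieData'] === null;
}

/** Rule as described for SessionCsrfProtectionMiddleware: skip for every GET. */
function sessionRuleLeavesTokenField(array $request): bool
{
    return $request['method'] === 'GET';
}

/**
 * Apply one skip rule to a request. When the rule does not skip and the body
 * carries data, the token field is validated and removed (the validate-and-unset
 * path); otherwise the body passes through untouched.
 */
function bodyAfterMiddleware(array $request, callable $leavesTokenField, string $expectedToken): array
{
    $data = $request['data'];
    if ($leavesTokenField($request) || $data === []) {
        return $data;
    }
    // Constant-time comparison, as a token check should be.
    if (!hash_equals($expectedToken, (string)($data['_csrfToken'] ?? ''))) {
        throw new RuntimeException('Missing or incorrect CSRF token');
    }
    unset($data['_csrfToken']);

    return $data;
}

/** Model of the FormProtector check behind the "Unexpected field" error in the report. */
function formProtectorUnexpectedFields(array $data, array $allowedFields): array
{
    return array_values(array_diff(array_keys($data), $allowedFields));
}

// Constructed request: the GET that follows the POST in the report's test, so a
// token already exists and the test trait has placed _csrfToken into the data.
$getAfterPost = [
    'method'     => 'GET',
    'cookieData' => SAMPLE_TOKEN,
    'data'       => ['_csrfToken' => SAMPLE_TOKEN, 'username' => 'alice'],
];
$allowedFields = ['username'];

$rules = [
    'cookie'  => 'cookieRuleLeavesTokenField',
    'session' => 'sessionRuleLeavesTokenField',
];
foreach ($rules as $name => $rule) {
    $body = bodyAfterMiddleware($getAfterPost, $rule, SAMPLE_TOKEN);
    $leftover = formProtectorUnexpectedFields($body, $allowedFields);
    printf(
        "%-7s middleware: unexpected fields = %s\n",
        $name,
        $leftover === [] ? 'none' : implode(', ', $leftover)
    );
}
```

Run it with `php` on the command line. Changing the GET request's `data` to an empty array makes both rules agree, which is the condition the report proposes for skipping the token in the test trait.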
