TokenMissmatchException Error on Cross-Domain External API

Asked 2 years ago, Updated 2 years ago, 84 views

Both those who hit and those who receive the API use Ravel as the framework, and they use guzzle to hit the external API.

At that time, a tokenMissMatchException error appears because TokenCheck is turned on for the destination project. (To be checked by VerifyCsrfToken middleware)

I skipped the header part of the program below with token, but the error remains the same.

What should I do to pass the token check when I hit the external API with guzzle?

$client=newClient();
// *** Destination *** URL
$url='https://dev.management.herokuapp.com/hoge/hoge_insert;
// transmission processing
$res=$client->request('post',$url,
        ['headers' =>]
            'Content-type' = > 'Application/json',
            'Authentication' = > csrf_token(),
        ],
        'timeout' = > 15000,
        'cache' = > false,
        'dataType' = > 'json',
             'data' = > [
                 'userId' = > 1
             ]
        ]);
    $data=json_decode($res->getBody(), true);
    $response=JsonResponse::create($data,200);
    $response->send();

javascript api cron

2022-09-30 18:17

2 Answers

The header name to send the CSRF token is incorrect, but if you want to call the API for another project, the calling party's csrf_token() is different from the API's csrf_token() value.

I mean, isn't it necessary to take measures against CSRF attacks?

The CSRF attack is that a third party can send a pre-stocked request in a logged-in session and perform the operation as a user.If you don't need to log in, or if an attacker can log in on his own, you can attack on your own without using this method, and this measure is meaningless.Also, if you are unable to "send pre-stocked requests in logged-in sessions," there is no point in taking action because you cannot attack them.

If you need to verify that this is a legitimate API call, you may want to limit it to an IP address, attach Message Authentication Code (MAC) to your request, or take another approach.


2022-09-30 18:17

If you look at Ravel's implementation of the VerifyCsrfToken class,
When you set token to the header, the name is "X-CSRF-TOKEN".
If you are expanding, I don't know what and how to receive it, so
I think we have no choice but to analyze or inquire about the external API.

protected function tokensMatch ($request)
{
    $sessionToken=$request->session()->token();
    $token=$request->input('_token'?:$request->header('X-CSRF-TOKEN');
    if(!$token&&$header=$request->header('X-XSRF-TOKEN')){
        $token=$this->encrypt->decrypt($header);
    }
    if(!is_string($sessionToken)||!is_string($token)){
        return false;
    }
    return hash_equals($sessionToken,$token);
}

Please try to correct the following.

'Authentication'=>csrf_token(),
↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
'X-CSRF-TOKEN' = > csrf_token(),


2022-09-30 18:17

If you have any answers or tips


© 2024 OneMinuteCode. All rights reserved.