TokenMissmatchException Error on Cross-Domain External API

Asked 1 years ago, Updated 1 years ago, 61 views

Both those who hit and those who receive the API use Ravel as the framework, and they use guzzle to hit the external API.

At that time, a tokenMissMatchException error appears because TokenCheck is turned on for the destination project. (To be checked by VerifyCsrfToken middleware)

I skipped the header part of the program below with token, but the error remains the same.

What should I do to pass the token check when I hit the external API with guzzle?

$client=newClient();
// *** Destination *** URL
$url='https://dev.management.herokuapp.com/hoge/hoge_insert;
// transmission processing
$res=$client->request('post',$url,
        ['headers' =>]
            'Content-type' = > 'Application/json',
            'Authentication' = > csrf_token(),
        ],
        'timeout' = > 15000,
        'cache' = > false,
        'dataType' = > 'json',
             'data' = > [
                 'userId' = > 1
             ]
        ]);
    $data=json_decode($res->getBody(), true);
    $response=JsonResponse::create($data,200);
    $response->send();

javascript api cron

2022-09-30 18:17

2 Answers

The header name to send the CSRF token is incorrect, but if you want to call the API for another project, the calling party's csrf_token() is different from the API's csrf_token() value.

I mean, isn't it necessary to take measures against CSRF attacks?

The CSRF attack is that a third party can send a pre-stocked request in a logged-in session and perform the operation as a user.If you don't need to log in, or if an attacker can log in on his own, you can attack on your own without using this method, and this measure is meaningless.Also, if you are unable to "send pre-stocked requests in logged-in sessions," there is no point in taking action because you cannot attack them.

If you need to verify that this is a legitimate API call, you may want to limit it to an IP address, attach Message Authentication Code (MAC) to your request, or take another approach.

2022-09-30 18:17

If you look at Ravel's implementation of the VerifyCsrfToken class,
When you set token to the header, the name is "X-CSRF-TOKEN".
If you are expanding, I don't know what and how to receive it, so
I think we have no choice but to analyze or inquire about the external API.

protected function tokensMatch ($request)
{
    $sessionToken=$request->session()->token();
    $token=$request->input('_token'?:$request->header('X-CSRF-TOKEN');
    if(!$token&&$header=$request->header('X-XSRF-TOKEN')){
        $token=$this->encrypt->decrypt($header);
    }
    if(!is_string($sessionToken)||!is_string($token)){
        return false;
    }
    return hash_equals($sessionToken,$token);
}

Please try to correct the following.

'Authentication'=>csrf_token(),
↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
'X-CSRF-TOKEN' = > csrf_token(),

2022-09-30 18:17

If you have any answers or tips

Popular Tags
python x 4647
android x 1593
java x 1494
javascript x 1427
c x 927
c++ x 878
ruby-on-rails x 696
php x 692
python3 x 685
html x 656
Popular Questions

533 Scrap text information after the "View More" button when searching in the Yahoo! News search window

505 No exact matches in call to instance method 'append'

533 Who developed the "avformat-59.dll" that comes with FFmpeg?

503 The method of the class of the application that I am creating in Typescript does not work as I expected.

526 rails db:create error: Could not find mysql2-0.5.4 in any of the sources

© 2024 OneMinuteCode. All rights reserved.