XF 2.0 CSRF Token

LandNetwork

LandNetwork

Member
Hi,

I'm using XenForo 2.0 for my site and I'm building an add-on. I find the documentation very lacking for 2.0 and am disappointed by this. Also, coming from a Laravel background, Zend and XenForo frameworks are fairly new to me.

All I am trying to do is retrieve a CSRF token in a view to allow me to make a POST request without getting the security problem message, but I can't figure out how to get the CSRF token from the add-on! Any help is much appreciated...

Regards.
 
In the vast majority of cases, you don't need to manually access a CSRF token as we will automatically add it. This applies if you are submitting a form and use an <xf:form> tag for it or if you use our ajax methods in JS. These would be the recommended approaches.

If you need a CSRF input for a form, in an XF template:
Code: 
<xf:csrf />
If you need the raw token:
Code: 
\XF::app()->get('csrf.token');
 
Mike said:
In the vast majority of cases, you don't need to manually access a CSRF token as we will automatically add it. This applies if you are submitting a form and use an <xf:form> tag for it or if you use our ajax methods in JS. These would be the recommended approaches.

If you need a CSRF input for a form, in an XF template:
Code: 
<xf:csrf />
If you need the raw token:
Code: 
\XF::app()->get('csrf.token');
Click to expand...

That's perfect. Perhaps worth adding to the documentation? (Unless it is already, and I just missed it?)
Further, is there any way to define a POST route? E.g. doesn't accept GET or any other methods. I've made a route that works with POST but seems to work with GET also?
 
We don't specify method restrictions in routes. That would generally be done in the controller (assertPostOnly if you need it).
 
Does one need a CSFR token to search XenForo (which is in the /forum directory) from the domain's index page? The index is a plain HTML page, which contains a search box pointing to /forum/search, but searching results in a security error.

Analogously, there is a login/password form on the index page, which Chrome autofills with the visitor's credentials since both the index and the forum are on the same domain, but going to /login and /register also return security errors.
 
You must log in or register to reply here.

Similar threads

S
  • Question Question
XF 2.1 How to skip CSRF token for a specific route?
Replies
0
Views
113
sajal
S
digitalpoint
CSRF token not always updated with XF.KeepAlive.refresh()
Replies
11
Views
1K
digitalpoint
digitalpoint
Joshb_
XF 2.3 OAuth Token use with the API
Replies
9
Views
95
TrevC2
TrevC2
X
  • Suggestion Suggestion
User recurring subscriptions - payment token support
Replies
0
Views
95
Xon
X
B
XF 2.2 loading image urls and hitting the auth/login-token request API trigger verification emails
Replies
3
Views
357
donwon
donwon
Back
Top Bottom