Grinhoo

CSRF Token not active

I'm trying to make a VueJs form, included in a php.blade file, where the user comments and rates between 0 and 5 stars. My problem is that a CSRF attack still succeeds even though I HAVE a CSRF token in my form.

I retrieve it from Blade in Vue and put it in my form, but the token seems to have no effect.

Here is my component :

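<template>
<!-- Comment form. Native submission is prevented (@submit.prevent), so the
     request is sent by the `submit` method via axios; the hidden _token input
     below is only sent if the form is ever submitted natively. -->
<form v-bind:action="this.route" @submit.prevent="submit" method="POST" class="comment-form inline-items">
    <input type="hidden" name="_token" v-bind:value="this.csrf">
    <a class="h6 post__author-name fn">{{ this.user[0]['firstname'] }} {{ this.user[0]['lastname'] }}</a>
    <div class="post__author author vcard inline-items">
        <img alt="author">
        <div class="form-group with-icon-right ">
            <textarea name="content" v-model="content" class="form-control" placeholder=""></textarea>
            <star-rating v-model="rating" v-bind:star-size="25"></star-rating>
        </div>
    </div>
    <button type="submit" class="btn btn-md-2 btn-primary">Poster</button>
    <!-- type="button": a <button> inside a <form> defaults to type="submit",
         so without it "Annuler" would post the comment instead of cancelling. -->
    <button type="button" class="btn btn-md-2 btn-border-think c-grey btn-transparent custom-color">Annuler</button>
</form>
</template>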

  <script>
import StarRating from 'vue-star-rating';
import axios from 'axios';
// Same setup as bootstrap.js: read the session CSRF token from the
// <meta name="csrf-token"> tag and attach it to every axios request as the
// X-CSRF-TOKEN header. Note this writes to window.axios, which bootstrap.js
// creates, not to the `axios` import above.
const token = document.head.querySelector('meta[name="csrf-token"]');

if (!token) {
    console.error('CSRF token not found: https://laravel.com/docs/csrf#csrf-x-csrf-token');
} else {
    window.axios.defaults.headers.common['X-CSRF-TOKEN'] = token.content;
}

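export default {
    components: {
        StarRating
    },
    // `csrf`: the session token rendered by Blade (csrf_token()).
    // `user`: the serialized user passed from Blade; the template reads
    // user[0].firstname / user[0].lastname.
    props: ['csrf', 'user'],
    data() {
        return {
            'userid': this.user,
            'content': '',
            'rating': 0,
            // Post back to the current page; the form's action uses the same value.
            'route': window.location.pathname,
        }
    },
    mounted() {
        console.log('test.')
    },
    methods: {
        /**
         * Send the comment and rating to `route` over XHR.
         *
         * Because the form uses @submit.prevent, the hidden `_token` input is
         * never submitted natively, so the token is sent explicitly in the
         * request body here (in addition to the X-CSRF-TOKEN header that
         * bootstrap.js sets on window.axios). Failures are logged rather than
         * left as an unhandled rejection; a rejected token shows up here.
         */
        submit: function () {
            axios.post(this.route, {
                _token: this.csrf,
                content: this.content,
                rating: this.rating,
                route: this.route,
            }).then(function (response) {
                console.log(response)
            }).catch(function (error) {
                console.error('comment submit failed', error)
            })
        },
    },
}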

my app.js :

/**
 * First we will load all of this project's JavaScript dependencies which
 * includes Vue and other libraries. It is a great starting point when
 * building robust, powerful web applications using Vue and Laravel.
 */

require('./bootstrap');

window.Vue = require('vue');

/**
 * Global component registration. Each component is registered under the
 * kebab-case tag used in the Blade views, in this fixed order. The
 * commented-out require.context variant would instead register every .vue
 * file under ./ by its basename.
 */

// const files = require.context('./', true, /\.vue$/i)
// files.keys().map(key => Vue.component(key.split('/').pop().split('.')[0], files(key).default))

Vue.component('example-component', require('./components/ExampleComponent.vue').default);
Vue.component('commentarypost-component', require('./components/CommentarypostComponent.vue').default);
Vue.component('commentary-component', require('./components/CommentaryComponent.vue').default);
Vue.component('passport-clients', require('./components/passport/Clients.vue').default);
Vue.component('passport-authorized-clients', require('./components/passport/AuthorizedClients.vue').default);
Vue.component('passport-personal-access-tokens', require('./components/passport/PersonalAccessTokens.vue').default);

/**
 * Root Vue instance, mounted on the #app element of the page.
 */

const app = new Vue({
    el: '#app',
});

my blade :

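<div class="container">
    <div class="col col-xl-12 col-12">
        <h2 class="presentation-margin">Poster un commentaire</h2>
    </div>
    <div class="row">
        <div class="col col-lg-6 col-md-12 col-sm-12 col-12">
            <div id="app" class="ui-block">
                {{-- Explicit closing tag: this is an in-DOM template, and the browser
                     parses a self-closing custom element as an opening tag, so Vue
                     cannot rely on "/>" here. --}}
                {{-- NOTE(review): the $user echo serializes the whole model into the page;
                     the component only reads [0].firstname / [0].lastname, so consider
                     passing just those fields. --}}
                <commentarypost-component csrf="{{csrf_token()}}" :user="{{ $user }}"></commentarypost-component>
            </div>
        </div>
    </div>
</div>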

my bootstrap.js :

window._ = require('lodash');

/**
 * jQuery, Popper and the Bootstrap jQuery plugin are optional front-end
 * dependencies: if any of them cannot be loaded the whole group is skipped
 * and the rest of this file still runs.
 */

try {
    window.Popper = require('popper.js').default;
    window.$ = window.jQuery = require('jquery');

    require('bootstrap');
} catch (e) {}

/**
 * axios is exposed on window so components can share one configured
 * instance. axios itself also forwards the "XSRF" token cookie as a header
 * when that cookie is present. X-Requested-With marks every request as XHR.
 */

window.axios = require('axios');

window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';

/**
 * CSRF: read the session token from <meta name="csrf-token"> and send it as
 * the X-CSRF-TOKEN header on every axios request, so XHR calls carry the
 * token without a hidden _token field. If the meta tag is missing, no token
 * is attached and non-GET requests will be rejected server-side, hence the
 * error below.
 */

const token = document.head.querySelector('meta[name="csrf-token"]');

if (!token) {
    console.error('CSRF token not found: https://laravel.com/docs/csrf#csrf-x-csrf-token');
} else {
    window.axios.defaults.headers.common['X-CSRF-TOKEN'] = token.content;
}

/**
 * Echo exposes an expressive API for subscribing to channels and listening
 * for events that are broadcast by Laravel. Echo and event broadcasting
 * allows your team to easily build robust real-time web applications.
 */

// import Echo from 'laravel-echo'

// window.Pusher = require('pusher-js');

// window.Echo = new Echo({
//     broadcaster: 'pusher',
//     key: process.env.MIX_PUSHER_APP_KEY,
//     cluster: process.env.MIX_PUSHER_APP_CLUSTER,
//     encrypted: true
// });

Here are the outputs:

Vuejs outputs

HTML meta

Form output


Answers (1)

senty

You don't need to include 'csrf' as a prop: in bootstrap.js, the CSRF token is already taken care of for Axios.

Just add in your <head>:

<head>
   {{-- Read by bootstrap.js, which sends this tag's content as the X-CSRF-TOKEN header on every axios request --}}
   <meta name="csrf-token" content="{{ csrf_token() }}">
</head>

Also in your component, you don't need this part as bootstrap.js is included in your app.js:

import axios from 'axios';
// Redundant with bootstrap.js, which app.js already requires: bootstrap.js
// performs this same meta-tag lookup and sets the X-CSRF-TOKEN header on window.axios.
let token = document.head.querySelector('meta[name="csrf-token"]');

if (token) {
    window.axios.defaults.headers.common['X-CSRF-TOKEN'] = token.content;
} else {
    console.error('CSRF token not found: https://laravel.com/docs/csrf#csrf-x-csrf-token');
}

