Security Access - Token Generation
ericciaparicio opened this issue · comments
I don't understand the generation of security tokens. Example:
$app->get('/foo', function ($request, $response, $args) {
    // CSRF token name and value
    $nameKey = $this->csrf->getTokenNameKey();
    $valueKey = $this->csrf->getTokenValueKey();
    $name = $request->getAttribute($nameKey);
    $value = $request->getAttribute($valueKey);
});

$app->post('/bar', function ($request, $response, $args) {
    // CSRF protection successful if you reached
    // this far.
});
If /foo is public, anyone can generate a token and use it to validate access to another method (/bar). Any help with this?
The point is that you can only post to /bar if you have the same session as when you went to /foo.
Sorry... I don't understand...
Example: I have this code:
$app->get('/foo', function ($request, $response, $args) {
    // CSRF token name and value for this request
    $nameKey = $this->csrf->getTokenNameKey();
    $valueKey = $this->csrf->getTokenValueKey();
    $name = $request->getAttribute($nameKey);
    $value = $request->getAttribute($valueKey);
    $tokenArray = [
        $nameKey => $name,
        $valueKey => $value
    ];
    // Return the token pair as JSON
    return $response->write(json_encode($tokenArray));
});
If /foo is public, anyone can post to /foo and get a security token. This token can be used to post to /products, for example:
$app->post('/products/', function (Request $request, Response $response) {
    $sql = "SELECT ..........";
    $sth = $this->db->query($sql);
    $todos = $sth->fetchAll();
    return $response->withJson($todos);
});
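To make the session-binding point from the reply above concrete, here is an added example (not Slim-Csrf's own code, not code from this thread): a minimal session-scoped CSRF store and check in plain PHP, with an in-memory array standing in for `$_SESSION` and the `csrf_name`/`csrf_value` key names chosen here as assumptions. A token minted while fetching /foo in one session is not accepted when replayed against a different session.

```php
<?php
// Added example, not Slim-Csrf's own implementation: tokens live in the
// session that requested them, so a token obtained in session A cannot
// validate a POST made under session B.

// Hypothetical in-memory stand-in for $_SESSION, keyed by session id.
$sessions = [];

function generateToken(array &$session): array {
    $name  = 'csrf' . bin2hex(random_bytes(8));  // token name
    $value = bin2hex(random_bytes(16));           // token value
    $session['csrf'][$name] = $value;             // stored in THIS session only
    return ['csrf_name' => $name, 'csrf_value' => $value];
}

function validateToken(array &$session, ?string $name, ?string $value): bool {
    if ($name === null || $value === null) {
        return false;                             // no token submitted
    }
    $stored = $session['csrf'][$name] ?? null;
    if ($stored === null || !hash_equals($stored, $value)) {
        return false;                             // unknown name or wrong value
    }
    unset($session['csrf'][$name]);               // one-time use
    return true;
}

// Session A fetches /foo and receives a token pair.
$sessions['A'] = [];
$tokenFromA = generateToken($sessions['A']);

// Session B is a different browser; it holds no record of A's token.
$sessions['B'] = [];

// Replaying A's token against B's session: B has no matching pair, so
// validation fails even though the token itself is "real".
$replayAccepted = validateToken($sessions['B'], $tokenFromA['csrf_name'], $tokenFromA['csrf_value']);

// The same token is accepted only by the session that minted it, and only once.
$firstUse  = validateToken($sessions['A'], $tokenFromA['csrf_name'], $tokenFromA['csrf_value']);
$secondUse = validateToken($sessions['A'], $tokenFromA['csrf_name'], $tokenFromA['csrf_value']);

var_dump(['replay_accepted' => $replayAccepted, 'first_use' => $firstUse, 'second_use' => $secondUse]);
```

This is why a public /foo does not let an outsider forge a request for another user: the token only proves that the request comes from the same session that fetched it.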