Don't throw a BadRequestHttpException right away if there's an invalid token

brandonkelly · brandonkelly · commit 33b404a3ac94 · 2025-10-28T14:41:26.000-07:00
Resolves #18000
diff --git a/CHANGELOG-WIP.md b/CHANGELOG-WIP.md
@@ -63,6 +63,7 @@
 - Added `craft\services\Structure::EVENT_AFTER_UPDATE_ELEMENT`.
 - Added `craft\services\Structure::EVENT_BEFORE_UPDATE_ELEMENT`.
 - Added `craft\web\GqlResponseFormatter`.
+- Added `craft\web\Request::getHasInvalidToken()`.
 - Added `craft\web\Response::FORMAT_GQL`.
 - Added `craft\web\twig\nodes\BaseNode`.
 - Added `Craft.BaseElementIndex::asyncSelectDefaultSource()`.
@@ -97,4 +98,5 @@
 - Improved element query performance. ([#17850](https://github.com/craftcms/cms/pull/17850))
 - Fixed a bug where elements with unsaved changes could show outdated attribute/field values within element index tables, chips, and cards throughout the control panel. ([#17915](https://github.com/craftcms/cms/pull/17915))
 - Fixed a bug where Table fields with the “Static Rows” setting enabled would lose track of which values belonged to which row headings, if the “Default Values” table was reordered. ([#17090](https://github.com/craftcms/cms/issues/17090))
+- Fixed a bug where requests with invalid tokens would throw an exception before the application was fully initialized, which could lead to other errors. ([#18000](https://github.com/craftcms/cms/issues/18000))
 - Updated Twig to 3.21. ([#17603](https://github.com/craftcms/cms/discussions/17603))
diff --git a/src/web/Application.php b/src/web/Application.php
@@ -107,6 +107,11 @@ public function init(): void
 
         $this->_postInit();
 
+        // If there's an invalid token on the request, throw an exception now
+        if ($this->getRequest()->getHasInvalidToken()) {
+            throw new BadRequestHttpException('Invalid token');
+        }
+
         // Process resource requests before we do anything to establish the user session
         $this->_processResourceRequest();
 
diff --git a/src/web/Request.php b/src/web/Request.php
@@ -188,6 +188,12 @@ class Request extends \yii\web\Request
      */
     private bool $_setBodyParams = false;
 
+    /**
+     * @var bool Whether the request has an invalid token.
+     * @see getHasInvalidToken())
+     */
+    private bool $_hasInvalidToken;
+
     /**
      * @var bool|null Whether the request initially had a token
      * @see getHadToken()
@@ -493,7 +499,6 @@ public function getPageNum(): int
      * Returns whether the request initially had a token.
      *
      * @return bool
-     * @throws BadRequestHttpException
      * @since 3.6.0
      */
     public function getHadToken(): bool
@@ -509,7 +514,6 @@ public function getHadToken(): bool
      * default), or an `X-Craft-Token` HTTP header on the request.
      *
      * @return string|null The token, or `null` if there isn’t one.
-     * @throws BadRequestHttpException if an invalid token is supplied
      * @see Tokens::createToken()
      * @see Controller::requireToken()
      */
@@ -528,34 +532,39 @@ public function getToken(): ?string
     public function setToken(?string $token): void
     {
         // Make sure $this->_hadToken has been set
-        try {
-            $this->_findToken();
-        } catch (BadRequestHttpException) {
-        }
+        $this->_findToken();
 
         $this->_token = $token;
     }
 
     /**
-     * Looks for a token on the request.
+     * Returns whether there is an invalid token on the request.
      *
-     * @throws BadRequestHttpException
+     * @return bool
+     * @since 5.9.0
+     */
+    public function getHasInvalidToken(): bool
+    {
+        $this->_findToken();
+        return $this->_hasInvalidToken;
+    }
+
+    /**
+     * Looks for a token on the request.
      */
     private function _findToken(): void
     {
-        if (isset($this->_hadToken)) {
+        if (isset($this->_hasInvalidToken)) {
             return;
         }
 
-        $this->_token = ($this->getQueryParam($this->generalConfig->tokenParam) ?? $this->getHeaders()->get('X-Craft-Token')) ?: null;
+        $token = ($this->getQueryParam($this->generalConfig->tokenParam) ?? $this->getHeaders()->get('X-Craft-Token')) ?: null;
+        $this->_hasInvalidToken = $token && !preg_match('/^[A-Za-z0-9_-]+$/', $token);
 
-        if ($this->_token && !preg_match('/^[A-Za-z0-9_-]+$/', $this->_token)) {
-            $this->_token = null;
-            $this->_hadToken = false;
-            throw new BadRequestHttpException('Invalid token');
+        if (!$this->_hasInvalidToken) {
+            $this->_token = $token;
+            $this->_hadToken = $token !== null;
         }
-
-        $this->_hadToken = isset($this->_token);
     }
 
     /**
