fix for issue 80

#80
Added support for content-type = application json in both client and
server side.

Author: mebjas

js/csrfprotector.js

@@ -290,8 +290,22 @@ function csrfprotector_init() {
 	function new_send(data) {
 		if (this.method.toLowerCase() === 'post') {
 			if (data !== null && typeof data === 'object') {
-				data.append(CSRFP.CSRFP_TOKEN, CSRFP._getAuthKey());
+				data[CSRFP.CSRFP_TOKEN] = CSRFP._getAuthKey();
 			} else {
+				// Added support for content type == application / json
+				if (this.headers && 'Content-Type' in this.headers
+					&& this.headers['Content-Type'] === 'application/json') {
+					try {
+						data = JSON.parse(data)
+						data[CSRFP.CSRFP_TOKEN] = CSRFP._getAuthKey();
+						return this.old_send(JSON.stringify(data));
+						
+					} catch (ex) {
+						console.log("[ERROR] [CSRF Protector] Unable to parse content ",
+							"when content-type is application/json", ex);
+					}
+				}
+
 				if (typeof data != "undefined") {
 					data += "&";
 				} else {
@@ -303,12 +317,27 @@ function csrfprotector_init() {
 		return this.old_send(data);
 	}
 
+	/**
+	 * Wrapper method to override setRequestHeader method of
+	 * XMLHttpRequests
+	 * @param: header - header name
+	 * @param: value - header value
+	 */
+	function new_setRequestHeader(header, value) {
+		if (!this.headers) this.headers = {};
+		this.headers[header] = value;
+
+		this.old_setRequestHeader(header, value);
+	}
+
 	if (window.XMLHttpRequest) {
 		// Wrapping
 		XMLHttpRequest.prototype.old_send = XMLHttpRequest.prototype.send;
 		XMLHttpRequest.prototype.old_open = XMLHttpRequest.prototype.open;
+		XMLHttpRequest.prototype.old_setRequestHeader = XMLHttpRequest.prototype.setRequestHeader;
 		XMLHttpRequest.prototype.open = new_open;
 		XMLHttpRequest.prototype.send = new_send;
+		XMLHttpRequest.prototype.setRequestHeader = new_setRequestHeader;
 	}
 	if (typeof ActiveXObject !== 'undefined') {
 		ActiveXObject.prototype.old_send = ActiveXObject.prototype.send;

libs/csrf/csrfprotector.php

@@ -25,6 +25,11 @@ class alreadyInitializedException extends \exception {};
 
 	class csrfProtector
 	{
+		/*
+		 * application/json content type
+		 */
+		const JSONCONTENTTYPE = "application/json";
+
 		/*
 		 * Variable: $cookieExpiryTime
 		 * expiry time for cookie
@@ -195,14 +200,30 @@ public static function authorizePost()
 				//set request type to POST
 				self::$requestType = "POST";
 
+				$token = (isset($_POST[self::$config['CSRFP_TOKEN']]))
+					? $_POST[self::$config['CSRFP_TOKEN']] : false;
+
+				if ($_SERVER["CONTENT_TYPE"] === self::JSONCONTENTTYPE) {
+					try {
+						$request_body = file_get_contents('php://input');
+						$request_body = json_decode($request_body, true);
+						if (isset($request_body[self::$config['CSRFP_TOKEN']])) {
+							$token = $request_body[self::$config['CSRFP_TOKEN']];
+						}
+					} catch (Exception $ex) {
+						// silently absorb this exception
+						// it could be because IO is blocked or json decode fails
+						// either way log it or add some handleing
+						// TODO ^^
+					}
+				}
+
 				//currently for same origin only
-				if (!(isset($_POST[self::$config['CSRFP_TOKEN']]) 
-					&& isset($_SESSION[self::$config['CSRFP_TOKEN']])
-					&& (self::isValidToken($_POST[self::$config['CSRFP_TOKEN']]))
-					)) {
+				if (!($token && isset($_SESSION[self::$config['CSRFP_TOKEN']])
+					&& (self::isValidToken($token)))) {
 
 					//action in case of failed validation
-					self::failedValidationAction();			
+					self::failedValidationAction();
 				} else {
 					self::refreshToken();	//refresh token for successfull validation
 				}