Conversation

@NeoIsRecursive
Contributor

@NeoIsRecursive NeoIsRecursive commented Oct 6, 2025

When doing ajax requests, users (me at least) probably expect to use the xsrf-cookie value to provide an X-Xsrf-token header.

The issue is that the cookie value is an encrypted version of the csrf uuid, so the comparison will always fail (uuid != encryptedUuid).

I had to do a urldecode on the header value when I tested it in an application, which is why it is there. Should this be done on the client instead?

EDIT: seems like axios does this on the client, so it might be something the client should handle.
Maybe using urlencoded base64 strings by default would be nice? I think webauthn stuff uses that to make it easier sending the data around.

I used Laravel as a reference for this fix/change:
https://github.com/laravel/framework/blob/1f0bcbf0941923d7f884459a9f5fcfbd16bb8ac8/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php#L153

Would this be considered a breaking change?

@NeoIsRecursive NeoIsRecursive changed the title from "fix(http): csrf header validation" to "fix(http): xsrf header validation" Oct 6, 2025
@brendt brendt requested a review from innocenzi October 6, 2025 11:03
@NeoIsRecursive
Contributor Author

NeoIsRecursive commented Oct 10, 2025

Hi @innocenzi, sorry for the ping, but I would appreciate a re-review when you've got the time. Thanks!
(Sorry for being impatient, but Inertia doesn't work unless you disable csrf atm 😅)

@innocenzi
Member

@NeoIsRecursive sorry for the delay, does Axios/Inertia work with this PR?

@NeoIsRecursive
Contributor Author

@innocenzi yes!

@innocenzi innocenzi merged commit d1ee721 into tempestphp:main Oct 11, 2025
79 checks passed
@innocenzi
Member

I'll trust you then, haven't had time to test it but it does look like it would 👍

@NeoIsRecursive NeoIsRecursive deleted the fix/xsrf-header-from-cookie-not-working branch October 11, 2025 19:50
@NeoIsRecursive
Contributor Author

> I'll trust you then, haven't had time to test it but it does look like it would 👍

Heh, I did forget one thing, and that was to test with the default cookie name (I forgot I had changed it to match Tempest): Tempest has xsrf-token in lowercase, while axios by default looks for the same name in uppercase.

I don't know if that is reason enough to change it to be uppercased?

Sorry for missing this... 🫣
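The flow described in the PR description and in the cookie-name follow-up above, as an added example that is not part of this thread, of Tempest, or of Laravel: the XSRF-TOKEN cookie carries an encrypted copy of the session's CSRF token, the client echoes it back in the X-XSRF-TOKEN header, and the server must decode and decrypt that value before a constant-time comparison; the last line shows why comparing the raw header against the plain token always fails. Function names, the sodium-based encryption, the lookup order and the demo values are assumptions.

```php
<?php
// Added example, not Tempest's or Laravel's code. Function names, the cookie/header
// layout and the sodium-based encryption are assumptions made for illustration.
function encryptToken(string $token, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($token, $nonce, $key));
}
// Returns null on malformed, tampered or foreign ciphertext instead of throwing.
function decryptToken(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    return $plain === false ? null : $plain;
}

// Resolve the token a request presents: form field, then X-CSRF-TOKEN, then X-XSRF-TOKEN,
// which carries the encrypted cookie value and must be decoded and decrypted before comparing.
function tokenFromRequest(array $post, array $headers, string $key): ?string
{
    if (isset($post['_token'])) {
        return $post['_token'];
    }
    if (isset($headers['X-CSRF-TOKEN'])) {
        return $headers['X-CSRF-TOKEN'];
    }
    if (isset($headers['X-XSRF-TOKEN'])) {
        // rawurldecode is a no-op on an already-decoded base64 value and never
        // turns '+' into a space, so it is safe whether or not the client decoded.
        return decryptToken(rawurldecode($headers['X-XSRF-TOKEN']), $key);
    }
    return null;
}

function verifyCsrf(string $sessionToken, ?string $candidate): bool
{
    return is_string($candidate) && hash_equals($sessionToken, $candidate);
}
// Constructed demo values. The cookie name must match what axios reads by default ('XSRF-TOKEN', uppercase).
$key = sodium_crypto_secretbox_keygen();
$sessionToken = bin2hex(random_bytes(20));
$cookie = encryptToken($sessionToken, $key);          // value behind Set-Cookie: XSRF-TOKEN=...
$headers = ['X-XSRF-TOKEN' => rawurlencode($cookie)]; // what the client echoes back
var_dump(verifyCsrf($sessionToken, tokenFromRequest([], $headers, $key)));   // fixed path: decrypt, then compare
var_dump(verifyCsrf($sessionToken, rawurldecode($headers['X-XSRF-TOKEN']))); // pre-fix comparison: ciphertext vs. plain token
```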

@innocenzi
Member

I'm fine with uppercasing it. I thought cookie names were case-insensitive, though?
