How do I send CSRF token authenticity from a php app that I own to a rails app that I own? -

-

i admin sugarcrm instance , have rails app on heroku. want able automatically add contacts rails app if added in sugarcrm. have written before_save logic_hook in sugarcrm:

    function pushconts($bean, $event, $arguments)     {         $r = new httprequest('http://localhost:3000/contacts/', httprequest::meth_post);         $r->addpostfields(array('first_name' => $bean->first_name, 'last_name' => $bean->last_name, 'phone' => $bean->phone_mobile,'email' => $bean->email1, ));         //$r->addheaders(array('x-csrf-token'=> 'testing-csrf-token');         try         {             echo $r->send()->getbody();         } catch(httpexception $ex){             sugarapplication::appenderrormessage("<span style='color: red; font-size: 1.8em;'>could not save contact: rails app down.</span>");             $queryparams = array('module' => 'contacts', 'action' => 'listview');             sugarapplication::redirect('index.php?' . http_build_query($queryparams));                   }

when try send is, console output rails app is:

started post "/contacts/" 127.0.0.1 @ 2015-06-18 15:30:14 -0500 processing contactscontroller#create */* parameters: {"first_name"=>"contact", "last_name"=>"one", "phone"=>"(555) 555-5555", "email"=>"phone.support@example.us"} can't verify csrf token authenticity completed 422 unprocessable entity in 1ms  actioncontroller::invalidauthenticitytoken (actioncontroller::invalidauthenticitytoken): actionpack (4.2.0) lib/action_controller/metal/request_forgery_protection.rb:181:in `handle_unverified_request' actionpack (4.2.0) lib/action_controller/metal/request_forgery_protection.rb:209:in `handle_unverified_request' devise (3.4.1) lib/devise/controllers/helpers.rb:251:in `handle_unverified_request'  <stack trace continues>

i know logic hook works because tried adding skip_before_filter :verify_authenticity_token contacts controller , worked expected security reasons, not feasible solution.

as can see commented out, tried sending x-csrf-token headers didn't work either.

what can add either logic hook or rails app (or both) can send http requests sugarcrm rails app without compromising (too much) security?

the rails csrf system not intended work across domains or servers. it leverages synchronizer tokens (cryptographically random tokens) bound user's session.

since rails , sugarcrm not share user session it's impossible rails validate csrf token sugarcrm.

your best bet turn off action skip_before_filter, only: [:create].

if need secure verify request sugarcrm server need use token based authentication.

many rails based api's use special controller , route actions can performed api clients. in case this:

post /api/v1/contacts

# routes.rb namespace :api   namespace :v1     resources :contacts   end end  # controllers/api/v1/api_controller class apicontroller < actioncontroller::base   skip_before_filter, only: [:create]     def authenticate     # @todo implement token based auth   end end  # controllers/api/v1/contacts_controller class api::v1::contactscontroller    before_action :authenticate    def create     @contact = contact.new(contact_params)      # ...   end    # ... end

Comments

Post a Comment

Popular posts from this blog

PHP DOM loadHTML() method unusual warning -

-
i had following code works fine on localhost: $document = new domdocument(); $document->loadhtml($p_result); $form = $document->getelementsbytagname('form')->item(0); // code continues using $form variable after same code updated on outside server, loadhtml() failed , issued warning. warning: domdocument::loadhtml() expects parameter 1 valid path, string given in path/name/to/script.php returned null instead of object code pretty gets fatal error. note contents of $p_result absolutely same on outside server , on localhost. but why displays kind of warning , why not work? doesn't loadhtml() expects argument 1 string in first place? why method expects parameter 1 valid path ? just make clear i'm not calling loadhtmlfile() , i'm calling loadhtml() . thanks. you're affected one of php bugs . issue present in php 5.6.8 , 5.6.9. have affected php version on server, , bug-free version on localhost. the bug forbids null
Read more

python - How to create jsonb index using GIN on SQLAlchemy? -

-
here's current code creating index jsonb. index("mytable_data_idx_id_key", mytable.data['id'].astext, postgresql_using='gin') but got error. sqlalchemy.exc.programmingerror: (psycopg2.programmingerror) data type text has no default operator class access method "gin" hint: must specify operator class index or define default operator class data type. [sql: "create index event_data_idx_id_key on event using gin ((data ->> 'id'))"] is there way create index on sqlalchemy? the postgresql specific sqlalchemy docs @ http://docs.sqlalchemy.org/en/latest/dialects/postgresql.html#operator-classes mention postgresql_ops dictionary provide "operator class" used postgresql, , provide example illustrating use: index('my_index', my_table.c.id, my_table.c.data, postgresql_ops={ 'data': 'text_pattern_ops',
Read more

c# - TransactionScope not rolling back although no complete() is called -

-
i'm using transactionscope rollback transaction fail bool errorreported = false; action<importerrorlog> newerrorcallback = e => { errorreported = true; errorcallback(e); }; using (var transaction = new transactionscope()) { foreach (importtaskdefinition task in taskdefinition) { loader.load(streamfile, newerrorcallback, task.destinationtable, processingtaskid); } if (!errorreported) transaction.complete(); } i'm sure there no transactionscope started ahead or after code. i'm using entity framework insert in db. regardless state of errorreported transaction never rolled in case of error. what missing ? transactionscope sets transaction.current . that's does. wants transacted must @ property. i believe ef each time connection opened reason. probably, connection open when scope installed. open connection inside of scope or enlist manually. ef has nasty "design decision": default opens
Read more