How do I send CSRF token authenticity from a PHP app that I own to a Rails app that I own?
I admin a SugarCRM instance and have a Rails app on Heroku. I want to be able to automatically add contacts to the Rails app when they are added in SugarCRM. I have written a before_save logic hook in SugarCRM:
    <?php
    // before_save logic hook: pushes the saved contact to the Rails app using
    // the pecl_http (v1) HttpRequest class.
    function pushconts($bean, $event, $arguments)
    {
        $r = new HttpRequest('http://localhost:3000/contacts/', HttpRequest::METH_POST);
        $r->addPostFields(array(
            'first_name' => $bean->first_name,
            'last_name'  => $bean->last_name,
            'phone'      => $bean->phone_mobile,
            'email'      => $bean->email1,
        ));
        //$r->addHeaders(array('X-CSRF-Token' => 'testing-csrf-token'));
        try {
            echo $r->send()->getBody();
        } catch (HttpException $ex) {
            SugarApplication::appendErrorMessage("<span style='color: red; font-size: 1.8em;'>Could not save contact: Rails app down.</span>");
            $queryParams = array('module' => 'Contacts', 'action' => 'ListView');
            SugarApplication::redirect('index.php?' . http_build_query($queryParams));
        }
    }
When I try to send it, the console output of the Rails app is:
    Started POST "/contacts/" for 127.0.0.1 at 2015-06-18 15:30:14 -0500
    Processing by ContactsController#create as */*
      Parameters: {"first_name"=>"contact", "last_name"=>"one", "phone"=>"(555) 555-5555", "email"=>"phone.support@example.us"}
    Can't verify CSRF token authenticity
    Completed 422 Unprocessable Entity in 1ms

    ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
      actionpack (4.2.0) lib/action_controller/metal/request_forgery_protection.rb:181:in `handle_unverified_request'
      actionpack (4.2.0) lib/action_controller/metal/request_forgery_protection.rb:209:in `handle_unverified_request'
      devise (3.4.1) lib/devise/controllers/helpers.rb:251:in `handle_unverified_request'
      <stack trace continues>
I know the logic hook works because I tried adding skip_before_filter :verify_authenticity_token to the contacts controller, and it worked as expected. For security reasons, though, that is not a feasible solution.
As you can see from the commented-out line, I also tried sending an X-CSRF-Token header, which didn't work either.
What can I add to either the logic hook or the Rails app (or both) so that I can send HTTP requests from SugarCRM to the Rails app without compromising (too much) security?
The Rails CSRF system is not intended to work across domains or servers. It leverages synchronizer tokens (cryptographically random tokens) bound to the user's session.

Since Rails and SugarCRM do not share a user session, it's impossible for Rails to validate a CSRF token from SugarCRM.
Your best bet is to turn it off for that action with skip_before_filter :verify_authenticity_token, only: [:create].
If you need to securely verify that the request comes from the SugarCRM server, you need to use token-based authentication.
Many Rails-based APIs use a special controller and route for the actions that API clients may perform. In this case something like this:
    POST /api/v1/contacts
    # config/routes.rb
    namespace :api do
      namespace :v1 do
        resources :contacts
      end
    end

    # app/controllers/api/v1/api_controller.rb
    class Api::V1::ApiController < ActionController::Base
      # API clients have no browser session, so the CSRF check is replaced
      # by #authenticate for the create action.
      skip_before_filter :verify_authenticity_token, only: [:create]

      def authenticate
        # @todo implement token based auth
      end
    end

    # app/controllers/api/v1/contacts_controller.rb
    class Api::V1::ContactsController < Api::V1::ApiController
      before_action :authenticate

      def create
        @contact = Contact.new(contact_params)
        # ...
      end

      # ...
    end
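What the authenticate stub needs to decide, as an added example that is not part of the answer above and not SugarCRM's or Rails' own code: Rails ships authenticate_or_request_with_http_token for the `Authorization: Token token="..."` scheme, but the block below reimplements that check in plain Ruby so it runs without Rails. The shared secret, the header parsing, handle_create and the whitelisted field names are assumptions made for illustration.

```ruby
require "securerandom"

# Shared secret the Rails app expects from the SugarCRM hook. Assumption for
# this example: in a real deployment keep it out of the code (ENV on Heroku)
# and configure the same value on the SugarCRM side. Constructed sample value.
API_TOKEN = SecureRandom.hex(32)

# Byte-by-byte comparison whose running time does not depend on where the
# first mismatching byte is, so a caller cannot recover the token one byte at
# a time from response latency. Same approach as Rack::Utils.secure_compare;
# String#== short-circuits at the first difference and is not suitable here.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Extracts the credential from an `Authorization: Token token="..."` header.
# Returns nil when the header is absent or uses another scheme (e.g. Bearer).
def token_from_header(value)
  return nil if value.nil?
  m = value.match(/\AToken\s+token="?([^"\s,]+)"?/i)
  m && m[1]
end

# The decision an API controller's authenticate filter has to make: true only
# when a well-formed token header carries exactly the expected secret.
def authenticated?(headers, expected = API_TOKEN)
  presented = token_from_header(headers["Authorization"])
  return false if presented.nil?
  secure_compare(presented, expected)
end

# Minimal model of the create action (hypothetical, stands in for the Rails
# controller): 401 without a valid token, otherwise keep only the whitelisted
# params, mirroring what a contact_params strong-parameters method would do.
PERMITTED_FIELDS = %w[first_name last_name phone email].freeze

def handle_create(headers, params)
  return [401, { "error" => "unauthorized" }] unless authenticated?(headers)
  permitted = params.select { |k, _| PERMITTED_FIELDS.include?(k) }
  [201, permitted]
end

if __FILE__ == $0
  # Constructed request data shaped like the SugarCRM post in the question;
  # "admin" is an extra field that the whitelist must drop.
  payload = { "first_name" => "contact", "last_name" => "one",
              "phone" => "(555) 555-5555", "email" => "phone.support@example.us",
              "admin" => true }
  good = { "Authorization" => %(Token token="#{API_TOKEN}") }
  bad  = { "Authorization" => %(Token token="#{API_TOKEN[0..-2]}x") }
  p handle_create(good, payload)   # [201, the four contact fields]
  p handle_create(bad, payload)    # [401, {"error"=>"unauthorized"}]
  p handle_create({}, payload)     # [401, {"error"=>"unauthorized"}]
end
```

On the SugarCRM side the hook would then send the same secret with $r->addHeaders(array('Authorization' => 'Token token="..."')) in place of the commented-out X-CSRF-Token line. The token must only travel over HTTPS (the Heroku app's https URL, not the plain http://localhost:3000 used while testing), otherwise anyone on the path can read it just as they could a session cookie, and the Rails app should reject the plain-HTTP variant rather than redirect it.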