IgnoreForWireExtender doesn't disable CSRF check on wire-extender's http requests.

Open chatisk opened this issue 11 months ago • 5 comments

New PR merged https://github.com/wire-elements/wire-extender/pull/38 doesn't recognize the request of wire-extender as wire-extender's and throws a 419 HTTP response when embedding a component.

Specifically, the error lies in isLivewireUpdateRequest. It returns false for a request from either inside the app or outside the app (embedding a component into another site).

Downgraded it back to 1.0.0 and works ok. But the point of @dbpolito still stands. The trait is disabling all CSRF token checks for all requests.

chatisk avatar Feb 11 '25 11:02 chatisk

We have the same problem, for now we locked on 1.0.0

JoeyXitres avatar Feb 13 '25 16:02 JoeyXitres

Can you guys give more information? Wondering why this is happening there... It doesn't seem the case here...

Maybe it's failing on the embed request? But here it doesn't send any cookie so it doesn't even check for csrf.

Can you share the request object or the values used there? https://github.com/wire-elements/wire-extender/blob/main/src/Http/Middlewares/IgnoreForWireExtender.php#L43-L46

To understand why this is returning false?

dbpolito avatar Feb 13 '25 18:02 dbpolito

> Can you guys give more information? Wondering why this is happening there... It doesn't seem the case here...
>
> Maybe it's failing on the embed request? But here it doesn't send any cookie so it doesn't even check for csrf.
>
> Can you share the request object or the values used there? https://github.com/wire-elements/wire-extender/blob/main/src/Http/Middlewares/IgnoreForWireExtender.php#L43-L46
>
> To understand why this is returning false?

I am going to post some screenshots of my logs from Ray

chatisk avatar Feb 17 '25 18:02 chatisk

Same problem here. Seems like the custom headers are missing in the initial embed request. Also, there is no snapshot in the initial request, which results in a 500 error when I comment out the first if statement in the middleware.

christianhanne avatar Mar 15 '25 15:03 christianhanne

I have the same issue. My solution for now is also to use v1.0.0.

I think the issue is that parent::handle() is now called if ! $this->isLivewireUpdateRequest($request) in v1.0.1 while it was not called in v1.0.0

https://github.com/wire-elements/wire-extender/commit/d7ca599a518d4fc43feb35217ac3544156710787#diff-419f5970a486c8dbd8db66010b9ffaac5493e6a285af93e801f85bbe75dc9568

MasterZydra avatar Jul 21 '25 10:07 MasterZydra
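
Added example, not part of the thread and not wire-extender's code: a diagnostic Laravel middleware that records the request facts asked for above (which headers arrive, whether a session cookie or CSRF header is present, whether the payload carries a snapshot) without writing cookie or token values to the log. The class name, the log message, and the `components[].snapshot` payload shape are assumptions; register it ahead of the CSRF middleware so it runs before any 419 is raised.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

// Hypothetical diagnostic middleware (name and placement are assumptions).
class LogWireExtenderRequest
{
    public function handle(Request $request, Closure $next)
    {
        // Assumed Livewire update payload shape: components[] entries with a "snapshot" key.
        $components = $request->input('components', []);
        $components = is_array($components) ? $components : [];

        $hasSnapshot = collect($components)->contains(
            fn ($component) => is_array($component) && isset($component['snapshot'])
        );

        Log::debug('wire-extender request diagnostics', [
            'method'             => $request->method(),
            'path'               => $request->path(),
            'origin'             => $request->headers->get('Origin'),
            // Header names only: values may hold cookies or tokens.
            'header_names'       => $request->headers->keys(),
            // Presence flags instead of secrets.
            'has_session_cookie' => $request->cookies->has(config('session.cookie')),
            'has_csrf_header'    => $request->headers->has('X-CSRF-TOKEN')
                                    || $request->headers->has('X-XSRF-TOKEN'),
            'has_token_field'    => $request->has('_token'),
            'components_count'   => count($components),
            'has_snapshot'       => $hasSnapshot,
        ]);

        return $next($request);
    }
}
```

Comparing the logged entry for the initial embed request with the one for a later update request shows which inputs differ between the two, while keeping session and CSRF secrets out of the log.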