correct xsrf cookie/header management

anlutro · Jul 17, 2015 · 18a951d · 18a951d
1 parent d536ca1
commit 18a951d
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/src/Web/Filters/CsrfFilter.php b/src/Web/Filters/CsrfFilter.php
@@ -29,9 +29,11 @@ public function __construct(Store $session, $regenerate = true)
 	public function filter(Route $route, Request $request)
 	{
 		$token = $request->input('_token');
-
 		if (!$token) {
-			$token = $request->cookie('X-XSRF-TOKEN');
+			$token = $request->headers->get('X-XSRF-TOKEN');
+		}
+		if (!$token) {
+			$token = $request->cookie('XSRF-TOKEN');
 		}
 
 		if (!StringUtils::equals($this->session->token(), $token)) {

diff --git a/tests/Web/Filters/CsrfFilterTest.php b/tests/Web/Filters/CsrfFilterTest.php
@@ -42,6 +42,24 @@ public function readsInputToken($throws, $input, $sessionToken)
 		$filter->filter($route, $request);
 	}
 
+	/**
+	 * @test
+	 * @dataProvider getTokenData
+	 */
+	public function readsHeaderToken($throws, $input, $sessionToken)
+	{
+		$route = $this->mockRoute();
+		$request = Request::create('/', 'POST', []);
+		$request->headers->set('X-XSRF-TOKEN', $input);
+		$session = $this->mockSession();
+		$session->shouldReceive('token')->andReturn($sessionToken);
+		$filter = $this->makeFilter($session, false);
+		if ($throws) {
+			$this->setExpectedException('Illuminate\Session\TokenMismatchException');
+		}
+		$filter->filter($route, $request);
+	}
+
 	/**
 	 * @test
 	 * @dataProvider getTokenData
@@ -50,7 +68,7 @@ public function readsCookieToken($throws, $input, $sessionToken)
 	{
 		$route = $this->mockRoute();
 		$request = Request::create('/', 'POST', []);
-		$request->cookies->set('X-XSRF-TOKEN', $input);
+		$request->cookies->set('XSRF-TOKEN', $input);
 		$session = $this->mockSession();
 		$session->shouldReceive('token')->andReturn($sessionToken);
 		$filter = $this->makeFilter($session, false);