I'm using JWT auth in CakePHP to handle login action in Android App. I have disabled CSRF protection in Cake and passing token value through "SharedPreferencesConstants" class where token value is set using the code shown below:
// Running default handler
new Handler().post(new Runnable() {
@Override
public void run() {
fcm = new MyFireBaseIntanceIdservice();
String token = fcm.getrefeshtoken();
// Log.e("test", token);
SharedPreferencesConstants.setTOKEN(LoginActivity.this, token);
}
});
I have tried playing a bit with the token value, however.
The error I am getting as of now is "Error: [Cake\Http\Exception\InvalidCsrfTokenException] Missing CSRF token cookie".
The approaches I have tried so far is disabling the CSRF protection into Cake's AppController.
EditText txtEmail = (EditText) findViewById(R.id.txtEmail);
EditText txtPassword = (EditText) findViewById(R.id.txtPassword);
jsonObject.put("email", txtEmail.getText().toString());
jsonObject.put("password", txtPassword.getText().toString());
jsonObject.put("cookieName", "appname");
jsonObject.put("_Token", "_csrfToken");
jsonObject.put("deviceToken", SharedPreferencesConstants.getTOKEN(this));
jsonObject.put("secureKey", SharedPreferencesConstants.getSECUREKEY(this));
A thought that came through my mind as a projected solution is related to HTTP header to be passed in request. But, I couldn't locate any solution for this thought.
Any solution/suggestions?
Edit #1: On my AppController.php file, I have loaded only Security Component, not CSRF. Here is the code for same:
$this->loadComponent('Security');
// $this->loadComponent('Csrf');
And, code which I do have on my CustomersController.php beforeFilter() function is:
$this->getEventManager()->off($this->Csrf);
The JWT Auth code, I am having in my AppController is:
$this->loadComponent('Auth', [
'storage' => 'Memory',
'authenticate' => [
'ADmad/JwtAuth.Jwt' => [
'userModel' => 'Customers',
'fields' => [
'username' => 'email'
],
'parameter' => 'token',
// Boolean indicating whether the "sub" claim of JWT payload
// should be used to query the Users model and get user info.
// If set to `false` JWT's payload is directly returned.
'queryDatasource' => false,
],
'unauthorizedRedirect' => false,
'checkAuthIn' => 'Controller.initialize',
// If you don't have a login action in your application set
// 'loginAction' to false to prevent getting a MissingRouteException.
'loginAction' => false
],
]);
I hope the new code, I've added might help you to get a better picture of the problem.
I got the answer for this problem. And, all thanks goes to @GregSchmidt. It's because of his kind suggestions. So, here is what I did.
There were few lines of code in my routes.php file under config folder which I commented all through. Below are the lines of code :
$routes->registerMiddleware('csrf', new CsrfProtectionMiddleware([
'httpOnly' => true
]));
And
$routes->applyMiddleware('csrf');
Finally, I removed all my Csrf disabling codes from Controllers and the magic finally happened. :)