@userfrosting/sprinkle-core

import { ref, watchEffect } from 'vue' import { useConfigStore } from '../stores' import axios from 'axios' /** * CSRF Protection Composable * * Automatically sets the CSRF token in the axios headers for all requests. * The CSRF token is read from the meta tags in the HTML document. * The CSRF token can updated when the server responds with a new token in the headers. * * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#axios */ export const useCsrf = () => { /** * Public constant for the CSRF token name and value, plus respective keys. */ const key_name = ref(getNameKey()) const key_value = ref(getValueKey()) const name = ref(readMetaTag(key_name.value)) const token = ref(readMetaTag(key_value.value)) /** * Set the axios headers for CSRF protection */ function setAxiosHeader() { axios.defaults.headers.post[key_name.value] = name.value axios.defaults.headers.post[key_value.value] = token.value axios.defaults.headers.put[key_name.value] = name.value axios.defaults.headers.put[key_value.value] = token.value axios.defaults.headers.delete[key_name.value] = name.value axios.defaults.headers.delete[key_value.value] = token.value axios.defaults.headers.patch[key_name.value] = name.value axios.defaults.headers.patch[key_value.value] = token.value } /** * Get the CSRF token name and value keys from config. */ function getNameKey(): string { const config = useConfigStore() return config.get('csrf.name', 'csrf') + '_name' } function getValueKey(): string { const config = useConfigStore() return config.get('csrf.name', 'csrf') + '_value' } /** * Meta tag reader and writer */ function readMetaTag(name: string): string { return document.querySelector("meta[name='" + name + "']")?.getAttribute('content') ?? '' } function writeMetaTag(name: string, value: string) { const metaTag = document.querySelector("meta[name='" + name + "']") if (metaTag) { metaTag.setAttribute('content', value) } else { const newMetaTag = document.createElement('meta') newMetaTag.setAttribute('name', name) newMetaTag.setAttribute('content', value) document.head.appendChild(newMetaTag) } } /** * Update the CSRF token with the values from the request headers. * * N.B.: CSRF keys are hardcoded with '{name}_name' and '{name}_value' in * PHP. However, the headers doesn't allows underscores that are replaced * with dashes automatically. */ function updateFromHeaders(headers: any) { const config = useConfigStore() const nameKey = config.get('csrf.name', 'csrf') + '-name' const valueKey = config.get('csrf.name', 'csrf') + '-value' // Update both value only if the headers are present // This is to avoid overwriting the CSRF token with empty values if (nameKey in headers) { name.value = headers[nameKey] } if (valueKey in headers) { token.value = headers[valueKey] } } /** * Return if CSRF is enabled */ function isEnabled(): boolean { const config = useConfigStore() return config.get('csrf.enabled', true) } /** * Watchers - Watch for changes in the CSRF token and update the axios * headers + meta tags */ watchEffect(() => { if (isEnabled() && name.value !== '' && token.value !== '') { writeMetaTag(key_name.value, name.value) writeMetaTag(key_value.value, token.value) setAxiosHeader() } }) /** * Export functions and managed states */ return { key_name, key_value, name, token, isEnabled, updateFromHeaders } }