No Code Attached Yet
ranggasito - 28 Mar 2020

Steps to reproduce the issue

  • create an amp-form with any method (post/get) in the front-end
    create JHtml::_('form.token') for the post method
    create JSession::getFormToken() . '=1' for the get method

  • check the token from the backend
    create a plugin with an ajax method and check the form token; it will always fail (returns false)

Expected result

it should be a valid form token

Actual result

always failing (JSession::checkToken() always returns false) with the post or get method

System information (as much as possible)

PHP 7.2
Joomla 3.9.16

Additional comments

ranggasito - open - 28 Mar 2020
joomla-cms-bot - change - 28 Mar 2020
Labels Added: ?
joomla-cms-bot - labeled - 28 Mar 2020
ranggasito - comment - 28 Mar 2020

below is my code to check the form token. I create a plugin with an ajax method
and the result is always fail, whether from the post or get method.

public function onAjaxZeviteLogin() {
    $app   = JFactory::getApplication();
    $input = $app->input;

    // Compare a submitted field named "formtoken" with the session token
    // (this is the check that the report says always fails)
    if ($input->get('formtoken') != JSession::getFormToken(false)) {
        http_response_code(400);
        echo json_encode(array("verifyErrors" => array('message' => 'sumber tidak valid')));
        jexit();
    }

    header("Access-Control-Allow-Origin: *");
    $verify = array("verifyErrors" => array());

    // var_dump($input->get('password')); jexit();
    $email = $input->get('email', '', 'USERNAME');
    $pwd   = $input->get('password', '', 'RAW');

    if (empty($email) || empty($pwd)) {
        array_push($verify['verifyErrors'], array(
            'name'    => 'email',
            'message' => 'Email atau Password tidak boleh kosong'
        ));
    }

    // Look the user up by e-mail through the administrator UsersModelUsers list model
    JLoader::register('UsersModelUsers', JPATH_ADMINISTRATOR . '/components/com_users/models/users.php');
    $model_user = JModelList::getInstance('ModelUsers', 'Users');
    $model_user->setState('filter.search', $email);
    $items = $model_user->getItems();

    if (empty($items)) {
        array_push($verify['verifyErrors'], array(
            'name'    => 'email',
            'message' => 'Email atau Password salah.'
        ));
    }
    // Only attempt the login when a matching user was found, so $items[0] is defined
    elseif (!$app->login(array(
        'username' => $items[0]->username,
        'password' => $pwd
    ))) {
        array_push($verify['verifyErrors'], array(
            'name'    => 'email',
            'message' => 'Email atau Password salah.'
        ));
    }

    if (!empty($verify['verifyErrors'])) {
        http_response_code(400);
        echo json_encode($verify);
        jexit();
    }

    // Success: tell the AMP runtime where to redirect the user
    header('Access-Control-Expose-Headers: AMP-Redirect-To');
    header('AMP-Redirect-To: ' . JUri::root() . 'profile');
    echo new JResponseJson(null, 'okok');
    jexit();
}
ranggasito - comment - 28 Mar 2020

this will fail too..

// Token sent as a POST field named after the token value (JHtml::_('form.token'))
if (!JSession::checkToken()) {
    http_response_code(400);
    echo json_encode(array("verifyErrors" => array('message' => 'sumber tidak valid')));
    jexit();
}

// Token sent in the query string (JSession::getFormToken() . '=1')
if (!JSession::checkToken('get')) {
    http_response_code(400);
    echo json_encode(array("verifyErrors" => array('message' => 'sumber tidak valid')));
    jexit();
}

joomdonation - comment - 28 Mar 2020

It's very likely there is something wrong with your code. You can borrow some code from Joomla which works properly:

ranggasito - comment - 28 Mar 2020

My code is fine. If the form is not in amp format it is fine, joomla can check the token correctly, but with the amp format it always fails. And if I dump the $_POST the token is there:

array (size=3)
  'email' => string 'adul@gmail.com' (length=14)
  'password' => string 'sdf' (length=3)
  '3111b860a3a5b12f06410b9cd3c6d409' => string '1' (length=1)

and still joomla fails to check the token

joomdonation - comment - 28 Mar 2020

Sorry, I don't have experience with the amp format and could not help further. Maybe you can try to pass the token via GET instead of POST? Maybe you can post the code of the file which makes the ajax request here so that developers who have experience with amp can help check further.

zero-24 - comment - 28 Mar 2020

hmm you can also pass the token via http header:
https://github.com/joomla/joomla-cms/blob/staging/libraries/src/Session/Session.php#L314

But it would be interesting to debug the method mentioned above to get the reason that your code is not working. Can you set up the debugger and see what is happening in that method?
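To make zero-24's pointer concrete, the following is an added example written for this thread; it is not the reporter's code and not code from Joomla itself. It shows an ajax-group plugin that validates the CSRF token the same way Joomla's own JSession::checkToken() does: the token (the value rendered by JHtml::_('form.token') as the *name* of a hidden field with value 1) may arrive as a POST field, as a query-string key, or, as the linked Session.php shows, in an X-CSRF-Token request header, which is the easiest form to attach to an XHR submission. Because the token is derived from the current session, a request that arrives without the session cookie starts a new session and can never match; the handler detects that case and reports it explicitly rather than letting checkToken() issue a redirect that a JSON client cannot follow. The plugin name "zevitelogin", the log category and the JSON error format are assumptions made for the example.

```php
<?php
// Added example, not the reporter's or Joomla's own code.
// Assumed: Joomla 3.9, plugin group "ajax", plugin element "zevitelogin",
// called as index.php?option=com_ajax&plugin=zevitelogin&format=json

defined('_JEXEC') or die;

class PlgAjaxZevitelogin extends JPlugin
{
    /**
     * Entry point invoked by com_ajax. Returns data for com_ajax to wrap in
     * JResponseJson, or terminates with a JSON error via deny().
     */
    public function onAjaxZevitelogin()
    {
        $app     = JFactory::getApplication();
        $session = JFactory::getSession();
        $input   = $app->input;

        // The form token is bound to the session id. A request that did not
        // carry the session cookie gets a brand-new session here, so no token
        // the client holds can be valid. Say so instead of reporting a generic
        // CSRF failure (checkToken() would redirect in this situation).
        if ($session->isNew())
        {
            $this->deny('session expired', 'new session on ajax request');
        }

        // JSession::checkToken() tests the X-CSRF-Token header first and then
        // looks for a request variable named after the token in the given
        // method. Accept POST (the JHtml::_('form.token') field) or GET
        // (the getFormToken() . '=1' query parameter).
        if (!JSession::checkToken('post') && !JSession::checkToken('get'))
        {
            $this->deny('sumber tidak valid', 'CSRF token mismatch');
        }

        $email = $input->get('email', '', 'USERNAME');
        $pwd   = $input->get('password', '', 'RAW');

        if ($email === '' || $pwd === '')
        {
            $this->deny('Email atau Password tidak boleh kosong', null);
        }

        // Authenticate through the application so the usual authentication
        // plugins, user plugins and login failure logging all run.
        if (!$app->login(array('username' => $email, 'password' => $pwd)))
        {
            $this->deny('Email atau Password salah.', 'login failed for ' . $email);
        }

        // com_ajax (format=json) wraps this array in JResponseJson.
        return array('redirect' => JUri::root() . 'profile');
    }

    /**
     * Send a JSON error and stop. $logMessage, when given, is written to the
     * Joomla log under an assumed "security" category so that repeated token
     * failures or login failures from one address are visible to the operator.
     */
    private function deny($clientMessage, $logMessage)
    {
        if ($logMessage !== null)
        {
            $addr = JFactory::getApplication()->input->server->getString('REMOTE_ADDR', '');
            JLog::add($logMessage . ' from ' . $addr, JLog::WARNING, 'security');
        }

        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(array('verifyErrors' => array('message' => $clientMessage)));
        jexit();
    }
}
```

On the client side the front-end form keeps emitting JHtml::_('form.token') (POST) or appends JSession::getFormToken() . '=1' to the URL (GET), exactly as the report describes; alternatively an XHR client can send the same token value in an X-CSRF-Token header. Whichever path is used, the check only passes if the request also carries the session cookie the token was generated for, which is the first thing to confirm when a dump of $_POST shows the token present and the check still fails.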

jwaisner - change - 29 Mar 2020
Status: New → Information Required
brianteeman - comment - 26 Aug 2022

Thank you for raising this issue.

Joomla 3 is now in security only mode with no further bug fixes or new features.

As this issue doesn't relate to Joomla 4 it will now be closed.

If we are mistaken and this does apply to Joomla 4 please open a new issue (and reference this one if you wish) with updated details for testing in Joomla 4.
cc @zero-24

Quy - change - 26 Aug 2022
Status: Information Required → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-08-26 22:54:26
Closed_By: Quy
Labels Added: No Code Attached Yet
Removed: ?
Quy - close - 26 Aug 2022
