From d5318f7e1657a5fac4dbe84c6a5aae7d1920f471 Mon Sep 17 00:00:00 2001 From: mirivlad Date: Fri, 17 Apr 2026 18:59:12 +0800 Subject: [PATCH] fix: Delete groups/servers using fetch with CSRF header - Create CsrfHeaderMiddleware to read X-CSRF-TOKEN header - Replace form submit with JavaScript fetch for DELETE operations - Send CSRF token in X-CSRF-TOKEN header - Fix groups/index.twig and servers/index.twig delete buttons --- public/index.php | 5 ++-- src/Middlewares/CsrfHeaderMiddleware.php | 24 +++++++++++++++ templates/groups/index.twig | 38 +++++++++++++++++++----- templates/servers/index.twig | 37 ++++++++++++++++++----- 4 files changed, 86 insertions(+), 18 deletions(-) create mode 100644 src/Middlewares/CsrfHeaderMiddleware.php diff --git a/public/index.php b/public/index.php index 1bdd7c9..9f4f8ac 100755 --- a/public/index.php +++ b/public/index.php @@ -12,6 +12,7 @@ use App\Controllers\ServerDetailController; use App\Controllers\DashboardController; use App\Middlewares\AuthMiddleware; use App\Middlewares\SessionMiddleware; +use App\Middlewares\CsrfHeaderMiddleware; use App\Models\User; use App\Models\Server as ServerModel; use Psr\Http\Message\ResponseInterface as Response; @@ -195,7 +196,7 @@ $groupsGroup = $app->group('/groups', function ($group) use ($groupController) { $group->post('/{id}', [$groupController, 'update']); $group->delete('/{id}', [$groupController, 'delete']); $group->get('/{id}', [$groupController, 'show']); -})->add($csrfMiddleware)->add(AuthMiddleware::class); +})->add($csrfMiddleware)->add(new CsrfHeaderMiddleware())->add(AuthMiddleware::class); // Redirect old /server/{id} to /servers/{id} $app->get("/server/{id}", function ($request, $response, $args) { 
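Review bot: The new `->add(new CsrfHeaderMiddleware())` in the `/groups` chain (and the identical change to the `/servers` chain in the next hunk) only works because Slim's `add()` wraps LIFO — the middleware added after `$csrfMiddleware` runs before it, so the header is copied into the parsed body before the guard validates — and nothing in the file records that ordering dependency. A comment on the chain would protect it from a well-meaning reorder: `// CsrfHeaderMiddleware must be added after $csrfMiddleware so it runs first and copies X-CSRF-TOKEN into the body before the guard checks it`. Both groups also construct their own `new CsrfHeaderMiddleware()`; assigning one instance next to `$csrfMiddleware` and adding it in both places would keep the two route groups in step if the middleware ever gains configuration. The enclosing route-group closure starts before this hunk.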
@@ -213,7 +214,7 @@ $serversGroup = $app->group('/servers', function ($group) use ($serverController $group->get('/{id}/regenerate-token', [$serverController, 'regenerateToken']); $group->post('/{id}/thresholds', [$serverDetailController, 'saveThresholds']); $group->post('/{id}/services', [$serverDetailController, 'saveServices']); -})->add($csrfMiddleware)->add(AuthMiddleware::class); +})->add($csrfMiddleware)->add(new CsrfHeaderMiddleware())->add(AuthMiddleware::class); // Server detail route (protected with auth middleware and csrf) $app->get('/servers/{id}', [$serverDetailController, 'show'])->add(AuthMiddleware::class); diff --git a/src/Middlewares/CsrfHeaderMiddleware.php b/src/Middlewares/CsrfHeaderMiddleware.php new file mode 100644 index 0000000..f4110cf --- /dev/null +++ b/src/Middlewares/CsrfHeaderMiddleware.php @@ -0,0 +1,24 @@ +getHeaderLine('X-CSRF-TOKEN'); + + if ($token) { + $parsedBody = $request->getParsedBody() ?? []; + $parsedBody['csrf_value'] = $token; + $request = $request->withParsedBody($parsedBody); + } + + return $handler->handle($request); + } +} diff --git a/templates/groups/index.twig b/templates/groups/index.twig index 62a93d6..ae8dfdd 100755 --- a/templates/groups/index.twig +++ b/templates/groups/index.twig @@ -1,6 +1,33 @@ {% extends "layout.twig" %} {% block content %} + +
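Review bot: `if ($token)` in the new CsrfHeaderMiddleware tests truthiness, so a header value of `"0"` is dropped and the request reaches the CSRF guard with no token at all; `getHeaderLine()` already returns `''` when the header is absent, so `if ($token !== '') {` is the precise check. The copy sets only `csrf_value`; if `$csrfMiddleware` is slim/csrf's Guard (the default key name matches), it also reads `csrf_name` from the parsed body, so unless the fetch sends that field in the body — the Twig hunks are not legible here — the guard will still reject the request, and either confirming that or mirroring a second header into `csrf_name` is needed. `$request->getParsedBody()` can return an object rather than an array depending on the body parser in use, in which case `$parsedBody['csrf_value'] = $token` would fatal; if the fetch calls carry a JSON body, an `is_array($parsedBody)` guard before the assignment is cheap insurance. The class header, the method signature and the start of the `$token = $request->…` line are not legible in this hunk, so only the body from `getHeaderLine` onward could be reviewed.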
@@ -44,14 +71,9 @@ Редактировать -
- - - - -
+ {% endfor %} diff --git a/templates/servers/index.twig b/templates/servers/index.twig index 9920edb..713a142 100755 --- a/templates/servers/index.twig +++ b/templates/servers/index.twig @@ -1,6 +1,32 @@ {% extends "layout.twig" %} {% block content %} + +
@@ -52,14 +78,9 @@ Редактировать -
- - - - -
+ {% endfor %}