richwalker Posted September 1, 2015

Hi, I am trying to find a secure way of having a domain name checker on our main site that posts into the domain name order form. I know I can disable the CSRF check, but this isn't recommended. Can we have a secure way of doing this, please?
PauloV Posted September 2, 2015

I have tried two situations but no luck. I can successfully retrieve a valid token in both situations to bypass the token check, but it still shows errors validating the view:

Situation one, using curl, like this:

```php
<!DOCTYPE html>
<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Domain Form Example</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css">
<link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css">
<!--[if lt IE 9]>
<script type='text/javascript' src="//cdnjs.cloudflare.com/ajax/libs/modernizr/2.7.1/modernizr.min.js"></script>
<script type='text/javascript' src="//www.weblx.pt/js/css3-mediaqueries.js"></script>
<script type='text/javascript' src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<script type='text/javascript' src="//cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.js"></script>
<![endif]-->
<style type="text/css">
div.c1 {margin-top: 50px}
</style>
</head>
<body>
<div class="row col-md-8 col-md-offset-2 whois c1">
<?php
$blesta_order_form_url = "http://[your-blesta-order-form-url]";

function Get_Domain_Contents($url) {
    // Get the HTML content from the Blesta order form
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $data = curl_exec($ch);
    curl_close($ch);

    // Fetch the hidden token input from the HTML content
    $pattern = '/<input type="hidden" name="_csrf_token" value="(.*?)" \/>/';
    if (!preg_match($pattern, $data, $matches)) {
        // No token found in the fetched page
        return "";
    }
    // Return only the token string
    return $matches[1];
}

// Call the function to get the token from the Blesta order form
$token = Get_Domain_Contents($blesta_order_form_url);
?>
<form method="post" action="<?php echo $blesta_order_form_url; ?>">
<input type="hidden" name="_csrf_token" value="<?php echo htmlspecialchars($token); ?>" />
<div class="well well-order">
    <div class="form-group">
        <input type="text" name="domain" value="" placeholder="yourdomain.com" class="form-control input-md">
    </div>
    <div class="form-group tlds">
        <label class="checkbox-inline"><input type="checkbox" name="tlds[]" value=".com"> .com</label>
    </div>
</div>
<div class="search btn-group">
    <button class="btn btn-default" type="submit" name="lookup" value="1">Check Availability</button>
    <button class="btn btn-default" type="submit" name="transfer" value="1">Transfer</button>
    <a href="<?php echo $blesta_order_form_url; ?>/?skip=true" class="btn btn-default">Skip, Order Other Items</a>
</div>
</form>
</div>
</body>
</html>
```

Situation 2, using this method to get the token (http://www.blesta.com/forums/index.php?/topic/1107-login-and-redirect-client-user-from-custom-website-to-billing-website/#entry9077), also no luck:

```php
<!DOCTYPE html>
<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Domain Form Example</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css">
<link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css">
<!--[if lt IE 9]>
<script type='text/javascript' src="//cdnjs.cloudflare.com/ajax/libs/modernizr/2.7.1/modernizr.min.js"></script>
<script type='text/javascript' src="//www.weblx.pt/js/css3-mediaqueries.js"></script>
<script type='text/javascript' src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<script type='text/javascript' src="//cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.js"></script>
<![endif]-->
<style type="text/css">
div.c1 {margin-top: 50px}
</style>
</head>
<body>
<div class="row col-md-8 col-md-offset-2 whois c1">
<?php
// Your Blesta API SDK path; get it from https://github.com/phillipsdata/blesta_sdk
require_once "api/blesta_api.php";

$blesta_order_form_url = "http://[your-blesta-order-form-url]";
$user = "[your-blesta-api-username]";
$key  = "[your-blesta-api-password]";
$url  = "http://[your-blesta-order-form-url]/api/";

$api = new BlestaApi($url, $user, $key);
// custom.custom_api is a custom plugin; follow the steps in the linked topic to implement it
$token = $api->get("custom.custom_api", "getCsrf")->response();
?>
<form method="post" action="<?php echo $blesta_order_form_url; ?>">
<input type="hidden" name="_csrf_token" value="<?php echo htmlspecialchars($token); ?>" />
<div class="well well-order">
    <div class="form-group">
        <input type="text" name="domain" value="" placeholder="yourdomain.com" class="form-control input-md">
    </div>
    <div class="form-group tlds">
        <label class="checkbox-inline"><input type="checkbox" name="tlds[]" value=".com"> .com</label>
    </div>
</div>
<div class="search btn-group">
    <button class="btn btn-default" type="submit" name="lookup" value="1">Check Availability</button>
    <button class="btn btn-default" type="submit" name="transfer" value="1">Transfer</button>
    <a href="<?php echo $blesta_order_form_url; ?>/?skip=true" class="btn btn-default">Skip, Order Other Items</a>
</div>
</form>
</div>
</body>
</html>
```

Blesta is validating something else that is escaping my eyes, lol. The error is still this:

```
Oh noes!
Files does not exist: /home/[my-folder]/public_html/dev/plugins/order/views/client/bootstrap/message.pdt on line 120 in /home/[my-folder]/public_html/dev/lib/view.php
Printing Stack Trace:
#0 /home/[my-folder]/public_html/dev/lib/controller.php(197): View->fetch('message', 'client/bootstra...')
#1 /home/[my-folder]/public_html/dev/app/app_controller.php(0): Controller->partial()
#2 /home/[my-folder]/public_html/dev/app/app_controller.php(0): AppController->setMessage()
#3 /home/[my-folder]/public_html/dev/app/app_controller.php(0): AppController->verifyCsrfToken()
#4 /home/[my-folder]/public_html/dev/plugins/order/order_controller.php(15): AppController->preAction()
#5 /home/[my-folder]/public_html/dev/plugins/order/order_form_controller.php(38): OrderController->preAction()
#6 /home/[my-folder]/public_html/dev/plugins/order/controllers/config.php(17): OrderFormController->preAction()
#7 /home/[my-folder]/public_html/dev/lib/dispatcher.php(102): Config->preAction()
#8 /home/[my-folder]/public_html/dev/index.php(21): Dispatcher::dispatch('/order/config/p...')
#9 {main}
```

I have told Richard to implement the easy way, disabling tokens in the blesta.php config file, and it works great, but with tokens something is missing. Any help, Cody/Tyson/Paul?

Thanks in advance,
PV
Blesta Addons Posted September 2, 2015

Because the token is valid for the current session only, when you fetch it via curl it belongs to a session different from the client's session:

```php
public function getCsrfToken($key = null)
{
    $session_id = session_id();
    if ($key == null)
        $key = $this->csrf_token_key;

    // Prefer computing CSRF using HMAC
    if (function_exists("hash_hmac"))
        return hash_hmac("sha256", $session_id, $key);

    // Sha256 hash is the next best thing
    if (function_exists("hash"))
        return hash("sha256", $key . $session_id);

    // Regrettably, fall back to md5
    return md5($key . $session_id);
}
```
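Added example, not code from this thread or from Blesta: a small Python model of the session-bound token shown in the post above, covering both of PauloV's situations. It derives the token from the session id exactly as the quoted PHP does (HMAC-SHA256 first, then the sha256 and md5 fallbacks) and then replays the failure: the server-side curl fetch (situation 1) or API call (situation 2) runs under its own session on the Blesta host, so the token it obtains never matches the session cookie the visitor's browser sends with the POST. The key name and value, the session ids and the function names are made up for the illustration.

```python
"""Model of a session-bound CSRF token, patterned on the getCsrfToken() quoted above."""
import hashlib
import hmac

# Assumption: a per-install secret playing the role of csrf_token_key.
# This value is made up for the example and is not a real secret.
CSRF_TOKEN_KEY = "example-csrf-token-key-not-a-real-secret"


def csrf_token(session_id: str, key: str = CSRF_TOKEN_KEY, method: str = "hmac") -> str:
    """Derive the token from the session id the same way the quoted PHP does.

    method="hmac"   -> hash_hmac("sha256", $session_id, $key)   (preferred)
    method="sha256" -> hash("sha256", $key . $session_id)       (fallback)
    method="md5"    -> md5($key . $session_id)                  (last resort)
    """
    if method == "hmac":
        return hmac.new(key.encode(), session_id.encode(), hashlib.sha256).hexdigest()
    if method == "sha256":
        return hashlib.sha256((key + session_id).encode()).hexdigest()
    if method == "md5":
        return hashlib.md5((key + session_id).encode()).hexdigest()
    raise ValueError(f"unknown method {method!r}")


def verify_csrf(submitted: str, session_id: str, key: str = CSRF_TOKEN_KEY) -> bool:
    """Accept a token only if it was derived from the *submitting* session's id.

    compare_digest keeps the comparison constant-time so an attacker cannot
    learn the expected token byte by byte from timing differences.
    """
    expected = csrf_token(session_id, key)
    return hmac.compare_digest(submitted, expected)


def same_session_flow(session_id: str) -> bool:
    """Normal case: the page that rendered the form and the POST share one session."""
    return verify_csrf(csrf_token(session_id), session_id)


def scraped_token_flow(curl_session_id: str, browser_session_id: str) -> bool:
    """Situations 1 and 2 from the thread.

    The main site's server-side request (curl scrape or API call) is its own
    client of the Blesta host, so it gets its own session id and a token bound
    to that id. The visitor's browser then POSTs that token, but its cookie
    names a different session, so the server recomputes a different token.
    """
    scraped = csrf_token(curl_session_id)            # bound to the server-side session
    return verify_csrf(scraped, browser_session_id)  # checked against the browser's session


if __name__ == "__main__":
    # Session ids below are made-up stand-ins for PHP session_id() values.
    print("same session  :", same_session_flow("sess-browser-1234"))
    print("scraped token :", scraped_token_flow("sess-curl-abcd", "sess-browser-1234"))
```

Running it prints `True` for the same-session case and `False` for the scraped-token case, which is the check that fires in `AppController->verifyCsrfToken()` in the stack trace above. Nothing the external site can scrape or fetch server-side will help, because the only input that varies is the session id and the main site never holds the visitor's Blesta session.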
Blesta Addons Posted September 3, 2015

@PauloV, have you tried this case? http://www.blesta.com/forums/index.php?/topic/3562-initiate-blesta-core-in-external-location/