Domain Name Checker


richwalker

I have tried in 2 situations but no luck. I can successfully retrieve a valid token in the 2 situations, to bypass the token check, but it still shows errors validating the view:

 

Situation one using curl, like this:

<!DOCTYPE html>
<html dir="ltr">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Domain Form Exemple</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css">
    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css">
  <!--[if lt IE 9]>
  <script type='text/javascript' src="//cdnjs.cloudflare.com/ajax/libs/modernizr/2.7.1/modernizr.min.js"></script>
  <script type='text/javascript' src="//www.weblx.pt/js/css3-mediaqueries.js"></script>
  <script type='text/javascript' src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
  <script type='text/javascript' src="//cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.js"></script>
  <![endif]-->
  <style type="text/css">
    div.c1 {margin-top: 50px}
  </style>
    </head>
<body>
  <div class="row col-md-8 col-md-offset-2 whois c1">
        <?php
        $blesta_order_form_url = "http://[your-blesta-order-form-url]";
        function Get_Domain_Contents($url){

        // get the html content from the blesta order form
        $ch = curl_init();
        curl_setopt($ch,CURLOPT_URL,$url);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
        curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,5);
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
        $data = curl_exec($ch);
        curl_close($ch);

        // fetch the input token from the html content
        $pattern = '/<input type="hidden" name="_csrf_token" value="(.*?)" \/>/';
        preg_match($pattern, $data, $matches);

        // return only the token string (empty string if the field was not found)
        return isset($matches[1]) ? $matches[1] : '';
        }

        // initiate the call to the function to get the token from blesta order form
        $token = Get_Domain_Contents($blesta_order_form_url);
		?>
    <form method="post" action="<?php echo $blesta_order_form_url;?>">
    <input type="hidden" name="_csrf_token" value="<?php echo $token;?>" />
      <div class="well well-order">
        <div class="form-group">
          <input type="text" name="domain" value="" placeholder="yourdomain.com" class=
          "form-control input-md">
        </div>

        <div class="form-group tlds">
          <label class="checkbox-inline"><input type="checkbox" name="tlds[]" value=".com"> .com</label>
        </div>
      </div>

      <div class="search btn-group">
        <button class="btn btn-default" type="submit" name="lookup" value="1">Check Availability</button>
        <button class="btn btn-default" type="submit" name="transfer" value="1"> Transfer</button>
        <a href="<?php echo $blesta_order_form_url;?>/?skip=true" class="btn btn-default"> Skip, Order Other Items</a>
      </div>
    </form>
  </div>
</body>
</html>

Situation 2 using this method to get the token (http://www.blesta.com/forums/index.php?/topic/1107-login-and-redirect-client-user-from-custom-website-to-billing-website/#entry9077) also no luck:

<!DOCTYPE html>
<html dir="ltr">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Domain Form Exemple</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css">
    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css">
  <!--[if lt IE 9]>
  <script type='text/javascript' src="//cdnjs.cloudflare.com/ajax/libs/modernizr/2.7.1/modernizr.min.js"></script>
  <script type='text/javascript' src="//www.weblx.pt/js/css3-mediaqueries.js"></script>
  <script type='text/javascript' src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
  <script type='text/javascript' src="//cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.js"></script>
  <![endif]-->
  <style type="text/css">
    div.c1 {margin-top: 50px}
  </style>
    </head>
<body>
  <div class="row col-md-8 col-md-offset-2 whois c1">
    <?php
        require_once "api/blesta_api.php"; //your blesta api sdk path get from here https://github.com/phillipsdata/blesta_sdk
        $blesta_order_form_url = "http://[your-blesta-order-form-url]";
        $user = "[your-blesta-api-username]";
        $key = "[your-blesta-api-password]";
        $url = "http://[your-blesta-order-form-url]/api/";

        $api = new BlestaApi($url, $user, $key);
        $token = $api->get("custom.custom_api", "getCsrf")->response(); // this is a custom plugin; just follow these steps to implement
    ?>
    <form method="post" action="<?php echo $blesta_order_form_url; ?>">
    <input type="hidden" name="_csrf_token" value="<?php echo $token;?>" />
      <div class="well well-order">
        <div class="form-group">
          <input type="text" name="domain" value="" placeholder="yourdomain.com" class=
          "form-control input-md">
        </div>

        <div class="form-group tlds">
          <label class="checkbox-inline"><input type="checkbox" name="tlds[]" value=".com"> .com</label>
        </div>
      </div>

      <div class="search btn-group">
        <button class="btn btn-default" type="submit" name="lookup" value="1">Check Availability</button>
        <button class="btn btn-default" type="submit" name="transfer" value="1"> Transfer</button>
        <a href="<?php echo $blesta_order_form_url;?>/?skip=true" class="btn btn-default"> Skip, Order Other Items</a>
      </div>
    </form>
  </div>
</body>
</html>

Blesta is validating something else that is missing my eyes lol :P

 

The error is still this:

Oh noes!

Files does not exist: /home/[my-folder]/public_html/dev/plugins/order/views/client/bootstrap/message.pdt on line 120 in /home/[my-folder]/public_html/dev/lib/view.php 

Printing Stack Trace:
#0 /home/[my-folder]/public_html/dev/lib/controller.php(197): View->fetch('message', 'client/bootstra...')
#1 /home/[my-folder]/public_html/dev/app/app_controller.php(0): Controller->partial()
#2 /home/[my-folder]/public_html/dev/app/app_controller.php(0): AppController->setMessage()
#3 /home/[my-folder]/public_html/dev/app/app_controller.php(0): AppController->verifyCsrfToken()
#4 /home/[my-folder]/public_html/dev/plugins/order/order_controller.php(15): AppController->preAction()
#5 /home/[my-folder]/public_html/dev/plugins/order/order_form_controller.php(38): OrderController->preAction()
#6 /home/[my-folder]/public_html/dev/plugins/order/controllers/config.php(17): OrderFormController->preAction()
#7 /home/[my-folder]/public_html/dev/lib/dispatcher.php(102): Config->preAction()
#8 /home/[my-folder]/public_html/dev/index.php(21): Dispatcher::dispatch('/order/config/p...')
#9 {main}

I have told Richard to implement the easy way, with the disable tokens from blesta.php config file and works great, but with tokens something is missing :blesta:

 

Any help Cody/Tyson/Paul?

 

Thanks in advance,

PV


Because the token is valid for the current session, so when you fetch it via curl it is a session different from the client's session :)
 

	public function getCsrfToken($key = null) {
		$session_id = session_id();
		
		if ($key == null)
			$key = $this->csrf_token_key;
		
		// Prefer computing CSRF using HMAC
		if (function_exists("hash_hmac"))
			return hash_hmac("sha256", $session_id, $key);
		// Sha256 hash is the next best thing
		if (function_exists("hash"))
			return hash("sha256", $key . $session_id);
		// Regrettably, fallback to md5
		return md5($key . $session_id);
	}
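The session binding described in the reply above, as an added example that is not part of the original posts or of Blesta's code: a token derived with the same `hash_hmac` construction for the cURL request's session does not verify against the browser's session. The key, the two session IDs and the `csrf_token_valid` verifier are constructed assumptions for illustration.

```php
<?php
// Added illustration; not Blesta source. Key and session IDs are constructed.

// Same construction as getCsrfToken() above, with the session ID passed in
// explicitly so that two sessions can be compared side by side.
function csrf_token_for(string $session_id, string $key): string
{
    return hash_hmac("sha256", $session_id, $key);
}

// Hypothetical verifier: recompute the token for the session that sent the
// request and compare it with the submitted value in constant time.
function csrf_token_valid(string $submitted, string $session_id, string $key): bool
{
    return hash_equals(csrf_token_for($session_id, $key), $submitted);
}

$key = "constructed-csrf-key";

// Session A: started when the external page's server-side cURL request
// reaches the order form without sending any session cookie.
$curl_session = "constructed-session-id-curl";

// Session B: the visitor's own browser session, identified by its cookie.
$browser_session = "constructed-session-id-browser";

// The token scraped through cURL is bound to session A ...
$scraped = csrf_token_for($curl_session, $key);

// ... but the form is POSTed by the browser, so the server checks it
// against session B and the two HMACs differ.
var_dump(csrf_token_valid($scraped, $browser_session, $key));

// A token rendered into a page that the browser itself requested is bound
// to session B and passes the same check.
$own = csrf_token_for($browser_session, $key);
var_dump(csrf_token_valid($own, $browser_session, $key));
```

The same reasoning applies to the API variant in situation 2: the API call runs in its own server-side context, so the token it returns is not derived from the visitor's session ID.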