0
votes

I'm using JWT auth in CakePHP to handle the login action in an Android app. I have disabled CSRF protection in Cake and am passing the token value through the "SharedPreferencesConstants" class, where the token value is set using the code shown below:

    // Running default handler: fetch the FCM device token off the UI thread's
    // message queue and store it in SharedPreferences for the login request
    new Handler().post(new Runnable() {
        @Override
        public void run() {
            fcm = new MyFireBaseIntanceIdservice();
            String token = fcm.getrefeshtoken();
            // Log.e("test", token);
            SharedPreferencesConstants.setTOKEN(LoginActivity.this, token);
        }
    });

I have also tried playing around a bit with the token value.

The error I am getting as of now is "Error: [Cake\Http\Exception\InvalidCsrfTokenException] Missing CSRF token cookie".

The approach I have tried so far is disabling the CSRF protection in Cake's AppController.

            // Build the JSON body of the login request (org.json.JSONObject;
            // put() throws JSONException, so this runs inside a try/catch)
            JSONObject jsonObject = new JSONObject();
            EditText txtEmail = (EditText) findViewById(R.id.txtEmail);
            EditText txtPassword = (EditText) findViewById(R.id.txtPassword);
            jsonObject.put("email", txtEmail.getText().toString());
            jsonObject.put("password", txtPassword.getText().toString());
            jsonObject.put("cookieName", "appname");
            jsonObject.put("_Token", "_csrfToken");
            jsonObject.put("deviceToken", SharedPreferencesConstants.getTOKEN(this));
            jsonObject.put("secureKey", SharedPreferencesConstants.getSECUREKEY(this));

A thought that came to mind as a possible solution is related to an HTTP header to be passed in the request, but I couldn't locate any solution along those lines.

Any solution/suggestions?

Edit #1: In my AppController.php file, I have loaded only the Security component, not CSRF. Here is the code for the same:

    $this->loadComponent('Security');
    // $this->loadComponent('Csrf');

And the code I have in my CustomersController.php beforeFilter() function is:

    $this->getEventManager()->off($this->Csrf);

The JWT Auth code I have in my AppController is:

    $this->loadComponent('Auth', [
        'storage' => 'Memory',
        'authenticate' => [
            'ADmad/JwtAuth.Jwt' => [
                'userModel' => 'Customers',
                'fields' => [
                    'username' => 'email'
                ],

                // Query-string parameter the token may be read from; the
                // plugin also reads the "Authorization: Bearer" header.
                'parameter' => 'token',

                // Boolean indicating whether the "sub" claim of JWT payload
                // should be used to query the Users model and get user info.
                // If set to `false` JWT's payload is directly returned.
                'queryDatasource' => false,
            ],
        ],

        // These are AuthComponent options, so they belong at the component
        // level rather than inside the 'authenticate' array.
        'unauthorizedRedirect' => false,
        'checkAuthIn' => 'Controller.initialize',

        // If you don't have a login action in your application set
        // 'loginAction' to false to prevent getting a MissingRouteException.
        'loginAction' => false
    ]);

I hope the new code I've added helps you get a better picture of the problem.

If it's complaining about the CSRF token cookie being missing, that means it's looking for the cookie, which means that CSRF checking is enabled somewhere in your code. - Greg Schmidt
@GregSchmidt I have disabled it using this line of code in my CustomersController's beforeFilter function: $this->eventManager()->off($this->Csrf); If you have any other suggestion regarding disabling it, please let me know. FYI: I've tried following this Stack Overflow answer. - meDeepakJain
Cake does not, by default, do any CSRF checking. It is only by adding the component or the middleware that this is enabled. So, if it's checking it, then that means it's been enabled somewhere in your code. Maybe search through all your code for "CSRF" and see if it's somewhere you haven't looked previously? - Greg Schmidt
Thanks @GregSchmidt! I found the solution to this problem. I'll post the solution as an answer. Thanks mate for your help! :) - meDeepakJain

1 Answer

0
votes

I got the answer to this problem, and all thanks go to @GregSchmidt for his kind suggestions. So, here is what I did.

There were a few lines of code in my routes.php file under the config folder which I commented out. Below are the lines of code:

    use Cake\Http\Middleware\CsrfProtectionMiddleware;

    // Registers the CSRF middleware for the route scope ...
    $routes->registerMiddleware('csrf', new CsrfProtectionMiddleware([
        'httpOnly' => true
    ]));

And

    // ... and applies it to every route connected in that scope
    $routes->applyMiddleware('csrf');

Finally, I removed all my CSRF-disabling code from the controllers and the magic finally happened. :)
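Commenting those lines out removes CSRF protection from every route, including any browser-facing HTML forms the same application serves. The scoped form of the fix, and an answer to the "HTTP header" thought in the question, is shown below as an added example that is not code from the question, the answer or the ADmad/JwtAuth plugin: a config/routes.php for CakePHP 3.5+ that keeps CsrfProtectionMiddleware on the default scope and leaves it off a separate JWT-authenticated API scope. The "api" prefix, the Customers controller with its "login" action, and the Pages home route are assumptions for this example.

```php
<?php
// config/routes.php (added example, not the question's or answer's own code)
use Cake\Http\Middleware\CsrfProtectionMiddleware;
use Cake\Routing\RouteBuilder;
use Cake\Routing\Router;
use Cake\Routing\Route\DashedRoute;

Router::defaultRouteClass(DashedRoute::class);

// Stateless API scope: no CSRF middleware is applied here, so the Android
// client is never asked for a CSRF cookie. Clients authenticate by sending the
// JWT in an "Authorization: Bearer <token>" header, which ADmad/JwtAuth reads by
// default ('parameter' => 'token' is only the query-string fallback).
// The 'api' prefix, Customers controller and login action are assumptions.
Router::prefix('api', function (RouteBuilder $routes) {
    $routes->setExtensions(['json']);

    // POST /api/customers/login.json -> Api\Controller\CustomersController::login()
    $routes->post('/customers/login', ['controller' => 'Customers', 'action' => 'login']);

    $routes->fallbacks(DashedRoute::class);
});

// Browser-facing scope: register the CSRF middleware and apply it, so every
// route connected in this scope (and in scopes nested inside it) still requires
// the CSRF cookie and request token for unsafe methods.
Router::scope('/', function (RouteBuilder $routes) {
    $routes->registerMiddleware('csrf', new CsrfProtectionMiddleware([
        'httpOnly' => true,
    ]));
    $routes->applyMiddleware('csrf');

    $routes->connect('/', ['controller' => 'Pages', 'action' => 'display', 'home']);
    $routes->fallbacks(DashedRoute::class);
});
```

The API scope is declared with Router::prefix() as its own top-level scope rather than nested inside the '/' scope: a nested scope inherits the middleware applied by its parent, so an /api scope created with $routes->prefix() after applyMiddleware('csrf') would still demand the CSRF cookie. With this layout, the controllers need none of the $this->getEventManager()->off($this->Csrf) workarounds, and a request such as POST /api/customers/login.json with an email/password JSON body returns the JWT, which later requests carry in the Authorization header.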