Magento 2.3 upgrade breaks HTTP POST requests to custom module endpoint

I have a custom module with a defined route as:

    <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
        <router id="standard">
            <route id="custom_module" frontName="custom-module">
                <module name="Custom_Module" />
            </route>
        </router>
    </config>

With previous versions of Magento both GET and POST requests would work fine to http://mywebsite.com/custom-module/controllername

After upgrading to Magento 2.3.0, GET requests still work as before, however POST requests now do not call the execute() method of the controller. Instead, they respond with a 200 OK and a response body that is the homepage HTML of the website.

Does this have to do with some CSRF security feature and form keys that were added in v2.3?

Tags: magento2, magento2.3

edited Dec 13 '18 at 4:39 by Keyur Shah
asked Dec 12 '18 at 17:54 by snez

4 Answers

Implementing CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3

Here is a trick (injecting the key into the request on the Action) that is compatible with Magento 2.X

Put it in the constructor of the Action.

    // Assumes the controller file has: use Magento\Framework\App\Request\Http as HttpRequest;
    // CsrfAwareAction Magento 2.3 compatibility
    if (interface_exists("\Magento\Framework\App\CsrfAwareActionInterface")) {
        $request = $this->getRequest();
        // Only POST requests that arrive without a form key are touched
        if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key'))) {
            // Copy the current session's form key into the request so core validation passes
            $formKey = $this->_objectManager->get(\Magento\Framework\Data\Form\FormKey::class);
            $request->setParam('form_key', $formKey->getFormKey());
        }
    }

Found the solution: your controller must implement CsrfAwareActionInterface and 2 of its methods:

    use Magento\Framework\App\CsrfAwareActionInterface;
    use Magento\Framework\App\RequestInterface;
    use Magento\Framework\App\Request\InvalidRequestException;

    class MyController extends \Magento\Framework\App\Action\Action implements CsrfAwareActionInterface
    {
        // execute() and the rest of the controller are omitted here

        public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
        {
            // null keeps Magento's default response for a request that fails validation
            return null;
        }

        public function validateForCsrf(RequestInterface $request): ?bool
        {
            // true marks every request to this action as valid, so the form-key check is skipped
            return true;
        }
    }

This solves the problem, but is also backwards incompatible, i.e. your module will now not work on Magento 2.2 and earlier. To make it backwards compatible, something like the following is needed:

    use Magento\Framework\App\CsrfAwareActionInterface;
    use Magento\Framework\App\RequestInterface;
    use Magento\Framework\App\Request\InvalidRequestException;

    // Load the class declaration that matches the installed Magento version
    if (interface_exists("\Magento\Framework\App\CsrfAwareActionInterface"))
        include __DIR__ . "/MyController.m230.php";
    else
        include __DIR__ . "/MyController.m220.php";

Where you would have the full and correct class declaration in each of the two files.

edited yesterday
answered Dec 18 '18 at 15:15 by snez

• Working like a charm. This is what I am looking at.. thanks!! – Pravin, Jan 12 at 15:44

• Check this answer for backwards compatibility: magento.stackexchange.com/a/261410/74078 – gemig_hol, Mar 17 at 17:26
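
The answer above returns true from validateForCsrf() for every request, which exempts the action from the form-key check entirely; for an endpoint called by an external system, the same interface can authenticate the caller instead. The following is an added example, not code from the answer or from Magento, and it runs as a controller inside a Magento 2.3+ module. Assumptions: the Custom\Module namespace, the X-Webhook-Signature header, the CUSTOM_MODULE_WEBHOOK_SECRET environment variable and the hex HMAC-SHA256 signing scheme are all hypothetical.

```php
<?php
// Added example. Hypothetical names: Custom\Module namespace, X-Webhook-Signature
// header, CUSTOM_MODULE_WEBHOOK_SECRET environment variable.
namespace Custom\Module\Controller\Webhook;

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\CsrfAwareActionInterface;
use Magento\Framework\App\Request\Http as HttpRequest;
use Magento\Framework\App\Request\InvalidRequestException;
use Magento\Framework\App\RequestInterface;
use Magento\Framework\Controller\ResultFactory;

class Index extends Action implements CsrfAwareActionInterface
{
    const SIGNATURE_HEADER = 'X-Webhook-Signature';

    /**
     * true  => request accepted, form-key check skipped
     * false => request rejected with the exception built below
     * null  => Magento falls back to its default form-key validation
     *
     * The form-key exemption is granted only to callers that prove knowledge
     * of the shared secret; everything else (including GET) is rejected.
     */
    public function validateForCsrf(RequestInterface $request): ?bool
    {
        return $this->hasValidSignature($request);
    }

    /**
     * Answer unauthenticated calls with an explicit 403 instead of the
     * default handling for an invalid form key.
     */
    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
    {
        $result = $this->resultFactory->create(ResultFactory::TYPE_RAW);
        $result->setHttpResponseCode(403);
        $result->setContents('Invalid webhook signature');

        return new InvalidRequestException($result, [__('Invalid webhook signature')]);
    }

    public function execute()
    {
        // Reached only after validateForCsrf() returned true.
        $result = $this->resultFactory->create(ResultFactory::TYPE_RAW);
        $payload = json_decode((string) $this->getRequest()->getContent(), true);

        if (!is_array($payload)) {
            return $result->setHttpResponseCode(400)->setContents('Malformed JSON');
        }

        // ... handle the event described by $payload ...

        return $result->setHttpResponseCode(200)->setContents('OK');
    }

    /**
     * Recompute the HMAC over the raw body and compare it in constant time.
     */
    private function hasValidSignature(RequestInterface $request): bool
    {
        // Assumption: the secret is provisioned through the environment.
        $secret = (string) getenv('CUSTOM_MODULE_WEBHOOK_SECRET');

        // getHeader() and getContent() live on the concrete HTTP request class.
        if ($secret === '' || !$request instanceof HttpRequest || !$request->isPost()) {
            return false; // fail closed: no secret configured, or not an HTTP POST
        }

        // A missing header yields false, which casts to '' and never matches.
        $provided = strtolower((string) $request->getHeader(self::SIGNATURE_HEADER));
        $expected = hash_hmac('sha256', (string) $request->getContent(), $secret);

        return hash_equals($expected, $provided);
    }
}
```

The sender is expected to put the lowercase or uppercase hex HMAC-SHA256 of the exact request body in the header; any re-serialisation of the body before signing will make the comparison fail.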

















Please check a more generous solution that does not change core functionality: you can use an around plugin on the validate function of the Magento\Framework\App\Request\CsrfValidator class.

This implementation does not break the core functionality of Magento 2.1/2.2/2.3 versions.

di.xml

    <?xml version="1.0"?>
    <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
        <type name="Magento\Framework\App\Request\CsrfValidator">
            <plugin name="csrf_validator_skip" type="Module\Vendor\Plugin\CsrfValidatorSkip" />
        </type>
    </config>

CsrfValidatorSkip.php

    <?php
    namespace Module\Vendor\Plugin;

    class CsrfValidatorSkip
    {
        /**
         * @param \Magento\Framework\App\Request\CsrfValidator $subject
         * @param \Closure $proceed
         * @param \Magento\Framework\App\RequestInterface $request
         * @param \Magento\Framework\App\ActionInterface $action
         */
        public function aroundValidate(
            $subject,
            \Closure $proceed,
            $request,
            $action
        ) {
            if ($request->getModuleName() == 'Your_Module_frontName_Here') {
                return; // Skip CSRF check
            }
            $proceed($request, $action); // Proceed Magento 2 core functionalities
        }
    }

Please star me at https://gist.github.com/ananth-iyer/59ecfabcbca73d6c2e3eeb986ed2f3c4#file-csrfvalidatorskip-php-L9 to encourage.

answered Mar 27 at 7:44 by AnanthMage2

One could provide a compatible solution to PHP 7.1< & Mage 2.3< if they were to outsource the validator to a different class, e.g.

    if (PHP_VERSION_ID < 70100) {
        class Index extends \Extendable\Main {}
    } else {
        class Index extends \Extendable\CsrCompatible {}
    }

Where Extendable\Main has the logic for execute() and CsrCompatible can both extend Extendable\Main and implement CsrfAwareActionInterface. E.g.:

    class Main extends Action
    {
        public function execute() { /* ... */ }
    }

And

    class CsrCompatible extends Main implements CsrfAwareActionInterface
    {
        // interface functions
    }

The 5.6-7.0 will just never go into the CsrCompatible and therefore not throw an exception when it sees the fancy ?bool code.
















                            answered Feb 10 at 7:59









augsteyer





















                                0














Implementing CsrfAwareActionInterface is a solution, but it makes the code not compatible with Magento < 2.3

Here is a trick (injecting the Key into the request on the Action) that is compatible with Magento 2.X

Put it in the constructor of the Action.

    // CsrfAwareAction Magento2.3 compatibility
    // (HttpRequest is an alias: use Magento\Framework\App\Request\Http as HttpRequest;)
    if (interface_exists("\Magento\Framework\App\CsrfAwareActionInterface")) {
        $request = $this->getRequest();
        if ($request instanceof HttpRequest && $request->isPost() && empty($request->getParam('form_key'))) {
            $formKey = $this->_objectManager->get(\Magento\Framework\Data\Form\FormKey::class);
            $request->setParam('form_key', $formKey->getFormKey());
        }
    }

















                                    answered Feb 12 at 16:49









smartin
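Both answers above name CsrfAwareActionInterface as the Magento 2.3 route but leave its two methods elided. As an added example (not code from any answer or from Magento itself), this controller fills them in so that the form-key check is replaced by a request-signature check instead of being dropped. The class and namespace, the X-Webhook-Signature header, the HMAC-SHA256 scheme and the WEBHOOK_SHARED_SECRET environment variable are assumptions.

```php
<?php
namespace Vendor\Module\Controller\Webhook; // hypothetical module and route

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\CsrfAwareActionInterface;
use Magento\Framework\App\Request\Http as HttpRequest;
use Magento\Framework\App\Request\InvalidRequestException;
use Magento\Framework\App\RequestInterface;
use Magento\Framework\Controller\ResultFactory;

class Notify extends Action implements CsrfAwareActionInterface
{
    // Assumptions: the sender signs the raw body with HMAC-SHA256 and sends the
    // hex digest in this header; the shared secret comes from the environment.
    private const SIGNATURE_HEADER = 'X-Webhook-Signature';
    private const SECRET_ENV = 'WEBHOOK_SHARED_SECRET';

    /** true = accept without a form key, false = reject, null = default form-key check. */
    public function validateForCsrf(RequestInterface $request): ?bool
    {
        if (!$request instanceof HttpRequest) {
            return false;
        }
        $secret = (string) getenv(self::SECRET_ENV);
        $given = (string) $request->getHeader(self::SIGNATURE_HEADER);
        if ($secret === '' || $given === '') {
            return false; // fail closed when the secret or the signature is missing
        }
        $expected = hash_hmac('sha256', (string) $request->getContent(), $secret);
        return hash_equals($expected, strtolower($given)); // constant-time comparison
    }

    /** Response used when validateForCsrf() returned false. */
    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
    {
        $result = $this->resultFactory->create(ResultFactory::TYPE_RAW);
        $result->setHttpResponseCode(403);
        $result->setContents('Invalid signature');
        return new InvalidRequestException($result, [__('Invalid webhook signature.')]);
    }

    public function execute()
    {
        // Reached only when validateForCsrf() returned true.
        $result = $this->resultFactory->create(ResultFactory::TYPE_RAW);
        return $result->setContents('OK');
    }
}
```

Returning true unconditionally from validateForCsrf() has the same effect as the plugin or form-key injection shown in the answers: the endpoint then accepts any cross-site POST.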


























