CSRF Token API changes


INTRODUCTION

This note describes API changes that affect all applications that access the FileCloud API through a web browser user agent.

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

FileCloud 14.0 (planned for release in early January 2017) introduces API changes that add anti-CSRF measures for all web browser client API actions.


What has Changed?

1) When a user authenticates using a web browser, an additional cookie called X-XSRF-TOKEN is now set. The value of this cookie must be passed in an HTTP header named 'X-XSRF-TOKEN' on all subsequent API calls.

2) All API calls made from a web browser must also set the 'X-Requested-With: XMLHttpRequest' HTTP header.


How to modify your existing API Setup calls:

If you are using the FileCloud API through a web browser HTTP agent, here is what you have to do:

  • Add the 'X-Requested-With: XMLHttpRequest' HTTP header to all calls made via a web browser.
  • Retrieve all the cookies returned by the login call to the admin or user portal of FileCloud.
  • Read the value of the 'X-XSRF-TOKEN' cookie.
  • Once you have that value, pass it in the 'X-XSRF-TOKEN' header of every subsequent POST or GET call to the admin or user portal of FileCloud.

Eg (PHP, using cURL):

$headers = array(
    'X-Requested-With: XMLHttpRequest',
    // value of the X-XSRF-TOKEN cookie captured from the login response
    'X-XSRF-TOKEN: ' . $this->xsrf_token,
);
curl_setopt($this->curl_handle, CURLOPT_HTTPHEADER, $headers);
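The same flow in Python, as an added example that is not FileCloud's own code: read the X-XSRF-TOKEN cookie out of a login response, build the header set every later call must carry, and, on the server side, the double-submit check these headers feed (the Set-Cookie lines are constructed sample data; enforce=False models TONIDOCLOUD_CSRF_CHECK set to 0).

```python
import hmac
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers as a FileCloud login response might return them.
LOGIN_SET_COOKIE = [
    "PHPSESSID=a1b2c3d4e5; Path=/; HttpOnly",
    "X-XSRF-TOKEN=t0k3n-example-value; Path=/",
]


def extract_xsrf_token(set_cookie_headers):
    """Return the X-XSRF-TOKEN cookie value from a login response, or None if absent."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    morsel = jar.get("X-XSRF-TOKEN")
    return morsel.value if morsel else None


def build_api_headers(token):
    """Headers every subsequent browser-agent API call (POST or GET) must carry."""
    return {
        "X-Requested-With": "XMLHttpRequest",
        "X-XSRF-TOKEN": token,
    }


def csrf_check(headers, cookies, enforce=True):
    """Server-side double-submit check modelled on the new FileCloud requirements.

    A forged cross-site form post carries the session and X-XSRF-TOKEN cookies
    automatically, but the browser will not attach custom headers to it, so the
    request fails here. enforce=False mirrors TONIDOCLOUD_CSRF_CHECK = 0.
    """
    if not enforce:
        return True
    lowered = {name.lower(): value for name, value in headers.items()}
    if lowered.get("x-requested-with") != "XMLHttpRequest":
        return False
    header_token = lowered.get("x-xsrf-token")
    cookie_token = cookies.get("X-XSRF-TOKEN")
    if not header_token or not cookie_token:
        return False
    # constant-time comparison so the check leaks nothing about the token
    return hmac.compare_digest(header_token, cookie_token)
```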


Disabling these checks for Backwards Compatibility:

To turn off the CSRF security feature, open cloudconfig.php at

Windows Location: XAMPP DIRECTORY/htdocs/config/cloudconfig.php

Linux Location: /var/www/config/cloudconfig.php

and add the following line to disable the checks temporarily:

define("TONIDOCLOUD_CSRF_CHECK", 0);


Conclusion:

Adding these checks makes it harder for CSRF attempts to succeed against FileCloud installations.