My Yii 2 application was progressing well until I received an unusual error bout a bad HTTP request.
HTTP 400 Unable to verify your data Submission.
I have looked it up and much of the literature indicates the cause being due to a CSRF issue. However, the CSRF components are all in place within the HTML head section and the hidden field is submitting the correct token.
Additional Info
Yii version = 2.0.12 App Basic
PHP version = 5.6
OS = Ubuntu
I have disabled all the security firmware of the host but I still get the error. Please help the site is in Prod already and I can not find how to solve this many thanks in advance.
web/config/main.php
$config = [
'components' => [
'session' => ['class' => 'yii\web\DbSession'],
'request' => [
'cookieValidationKey' => 'AAOSL2no3kbkJwRA4CNwDuB5g5T5_58t',
],
'cache' => [
'class' => 'yii\caching\FileCache',
],
'user' => [
'identityClass' => 'app\models\User',
'enableAutoLogin' => true,
],
'errorHandler' => ['errorAction' => 'site/error'],
'log' => [
'traceLevel' => YII_DEBUG ? 3 : 0,
'targets' => [
[
'class' => 'yii\log\FileTarget',
'levels' => ['error', 'warning'],
],
],
],
'db' => $db,
'urlManager' => [
'enablePrettyUrl' => true,
'showScriptName' => false,
'rules' => [
],
],
],
'params' => $params,
];
if (YII_ENV_DEV) {
$config['bootstrap'][] = 'debug';
$config['modules']['debug'] = [
'class' => 'yii\debug\Module',
//'allowedIPs' => ['127.0.0.1', '::1'],
];
$config['bootstrap'][] = 'gii';
$config['modules']['gii'] = [
'class' => 'yii\gii\Module',
//'allowedIPs' => ['127.0.0.1', '::1'],
];
}
return $config;
As per Change Logs, BugFix and Enhancement related to CSRF cookie.
2.0.13 November 03, 2017 updates include
Bug #14542: Ensured only ASCII characters are in CSRF cookie value since binary data causes issues with ModSecurity and some browsers (samdark)
Enh #14087: Added yii\web\View::registerCsrfMetaTags() method that registers CSRF tags dynamically ensuring that caching doesn't interfere (RobinKamps).
2.0.14 February 18, 2018 updates include
Bug #15317: Regenerate CSRF token if an empty value is given
Enh #15496: (CVE-2018-6009): CSRF token is now regenerated on changing identity (samdark, rhertogh)(sammousa)
So update your framework to the latest version 2.0.14 use composer update via terminal inside your project root, once updated make sure you have the
<?= Html::csrfMetaTags () ?>
inside the <head> tag of the layout file you are using either main.php or any other custom name.
If still persist you can disable it for the specific action inside the beforeAction
public function beforeAction($action)
{
if ($action->id == 'action-name') {
$this->enableCsrfValidation = false;
}
return parent::beforeAction($action);
}
or for a specific controller by adding
public $enableCsrfValidation = false;
Add <?= Html::csrfMetaTags() ?> in your view, or add in layout(main.php)
Related
I am trying to use the yii2-queue
https://github.com/yiisoft/yii2-queue/blob/master/docs/guide/usage.md
It says:
In order to use the extension you have to configure it like the
following:
return [
'bootstrap' => [
'queue', // The component registers its own console commands
],
'components' => [
'queue' => [
'class' => \yii\queue\<driver>\Queue::class,
'as log' => \yii\queue\LogBehavior::class,
// Other driver options
],
],
];
My question is simple: In which PHP file, in which directory, should I put this code?
Note: I am using the Basic template.
For Yii2 Basic Template config/console.php
For Yii2 Advanced Template console/config/main.php
return [
'bootstrap' => [
'log',
'queue',
],
'components' => [
'queue' => [
'class' => \yii\queue\db\Queue::class,
'db' => 'db', // DB connection component or its config
'tableName' => '{{%queue}}', // Table name
'channel' => 'default', // Queue channel key
'mutex' => \yii\mutex\MysqlMutex::class, // Mutex that used to sync queries
'as log' => \yii\queue\LogBehavior::class,
// 'deleteReleased' => YII_ENV_PROD,
],
]
];
Refer Yii2 Queue extension guide
Add to the main.php file in backend or frond end you are using like this
'bootstrap' => ['log', 'queue'],
Add this to under component array
'queue' => [
'class' => Queue::class,
'db' => 'db', // DB connection component or its config
'tableName' => '{{%db_queue}}', // Table name
'channel' => 'default', // Queue channel key
'mutex' => MysqlMutex::class, // Mutex used to sync queries
]
To make it workfull you need to do same in console /config/main.php
file and run the command listen form documentaiton
It is very simple to configure it on yii2 basic, add the following configuration on config/web.php file, and for yii2 advanced if you are using frontend then add in frontend/config/main.php, if you are using backend then add to to backend/config.main.php.
Just like this
'components' => [
'request' => [
'cookieValidationKey' => 'htXdOInCiP6ut4gNbDO2',
'csrfParam' => '_frontendCSRF',
],
'queue' => [
'class' => \yii\queue\<driver>\Queue::class,
'as log' => \yii\queue\LogBehavior::class,
// Other driver options
],
]
I have been fighting with this problem for hours and cannot get through. I want to run API tests with Yii2 and (of course) Codeception. Here is my api.suite.yml
class_name: ApiTester
modules:
enabled:
- REST:
url: /mobile
depends: Yii2
part: Json
- \Helper\Api
config:
Yii2:
entryUrl: http://localhost:8080/index-test.php
and my test file UserLoginCept.php
<?php
$I = new ApiTester($scenario);
$I->wantTo('Test User Login');
$I->sendPOST('mobile/login', ['username' => 'uname', 'password' => '123456']);
$I->seeResponseCodeIs(\Codeception\Util\HttpCode::OK);
$I->seeResponseContainsJson(['success'=>true]);
Results are logged below. The problem is the Test is calling site/index which is in the root project not mobile module. I can sense that it is picking wrong URL somewhere as I cannot see any trace of the module being called. If I try URL on Browser it works fine
http://localhost:8080/index.php/mobile/api/login
{
"success": false,
"token": ""
}
can someone help me spot what am doing wrong? I have read as much as I could could not find the issue.
Codeception Results
$~ codecept --debug run api
Codeception PHP Testing Framework v2.2.10
Powered by PHPUnit 4.8.35 by Sebastian Bergmann and contributors.
Rebuilding ApiTester...
Api Tests (1) -----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Modules: REST, Yii2, \Helper\Api
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
UserLoginCept: Test User Login
Signature: UserLoginCept
Test: tests/api/UserLoginCept.php
Scenario --
I send post "/mobile/api/login",{"username":"uname","password":"123456"}
[Request] POST /mobile/mobile/api/login {"username":"uname","password":"123456"}
[Request Headers] []
[yii\db\Connection::open] 'Opening DB connection: mysql:host=localhost;dbname=database_name'
ERROR
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1) UserLoginCept: Test user login
Test tests/api/UserLoginCept.php
[Error] Call to a member function isAdmin() on null
Scenario Steps:
1. $I->sendPOST("/mobile/api/login",{"username":"uname","password":"123456"}) at tests/api/UserLoginCept.php:4
#1 /Users/hosanna/Projects/Volcano/WebApp/vendor/yiisoft/yii2/base/View.php:328
#2 /Users/hosanna/Projects/Volcano/WebApp/vendor/yiisoft/yii2/base/View.php:250
#3 /Users/hosanna/Projects/Volcano/WebApp/vendor/yiisoft/yii2/base/Controller.php:396
#4 /Users/hosanna/Projects/Volcano/WebApp/vendor/yiisoft/yii2/base/Controller.php:382
#5 /Users/hosanna/Projects/Volcano/WebApp/controllers/SiteController.php:74
#6 app\controllers\SiteController->actionIndex
#7 /Users/hosanna/Projects/Volcano/WebApp/vendor/yiisoft/yii2/base/InlineAction.php:57
#8 /Users/hosanna/Projects/Volcano/WebApp/vendor/yiisoft/yii2/base/Controller.php:156
#9 /Users/hosanna/Projects/Volcano/WebApp/vendor/yiisoft/yii2/base/Module.php:523
#10 /Users/hosanna/Projects/Volcano/WebApp/vendor/yiisoft/yii2/web/Application.php:102
<!DOCTYPE html>
<html lang="en-US">
..... rest of HTML.....
So here is how I solved it:
changed suite.api.yaml to use test-index.php
class_name: ApiTester
modules:
enabled:
- Yii2
- REST:
url: http://localhost:8080/index-test.php/mobile/
depends: Yii2
part: Json
configFile: 'config/test.php'
- \Helper\Api
config:
Yii2:
I then changed the config file referred by text-index (config/test.php) to include pretty URLs:
<?php
$params = require(__DIR__ . '/params.php');
$dbParams = require(__DIR__ . '/test_db.php');
/**
* Application configuration shared by all test types
*/
return [
'id' => 'basic-tests',
'basePath' => dirname(__DIR__),
'language' => 'en-US',
'modules' => [
'mobile' => [
'class' => 'app\modules\mobile\Module',
],
],
'components' => [
'db' => $dbParams,
'mailer' => [
'useFileTransport' => true,
],
'assetManager' => [
'basePath' => __DIR__ . '/../web/assets',
],
'urlManager' => [
'enablePrettyUrl' => true,
'enableStrictParsing' => false,
'showScriptName' => true,
'rules' => [
['class' => 'yii\rest\UrlRule', 'controller' => 'mobile/api'],
],
],
'user' => [
'identityClass' => 'app\modules\mobile\models\User',
],
'request' => [
'cookieValidationKey' => 'test',
'enableCsrfValidation' => false,
// but if you absolutely need it set cookie domain to localhost
/*
'csrfCookie' => [
'domain' => 'localhost',
],
*/
],
],
'params' => $params,
];
After that tests were running fine!
I have a yii2 basic application with 2 parts (web and service for mobile).
I have created a module to handle the restful requests fired from mobile . I want to configure this module to be rest. So I created a config file for this module in side the module directory. as mentioned in the yii2 documentation for modules
/config/config.php:
return [
'components' => [
'urlManager' => [
'class' => 'yii\web\UrlManager',
// Disable index.php
'showScriptName' => false,
// Disable r= routes
'enablePrettyUrl' => true,
'enableStrictParsing' => false,
'rules' => array(
[
'class' => 'yii\rest\UrlRule',
'controller' => 'mobile/mobile-clients',
'extraPatterns' => ['GET search' => 'search']
],
),
],
'request' => [
'class' => '\yii\web\Request',
'enableCookieValidation' => false,
'parsers' => [
'application/json' => 'yii\web\JsonParser',
],
],
]
];
the module class is as follows:
<?php
namespace app\modules\Mobile;
use Yii;
use yii\base\Module;
class MobileService extends Module {
public $controllerNamespace = 'app\modules\Mobile\controllers';
public function init() {
parent::init();
Yii::configure($this, require(__DIR__ .DIRECTORY_SEPARATOR
.'config'.DIRECTORY_SEPARATOR .'config.php'));
}
}
The problem is that the request component is not working as expected while it works fine when configured in the application configuration (config/main.php)
same for the urlManager.
Any Ideas?
The Solution to my problem is to create api application that is a new application inside the yii2 basic app. It shares the models and the vendors directory but has its own configuration and entry script (index.php). This is the solution link for more information .
EDIT:
Do not forget to add the user component in the api.config file
'user' => [
'identityClass' => 'app\models\User',
'enableAutoLogin' => false,
],
I think using yii2 advanced application structure is better for a case like mine. But this solution works perfect :) .
Best.
Simple question, trying to enable remote access to gii in yii 2 - docs say http://www.yiiframework.com/doc-2.0/guide-start-gii.html
Note: If you are accessing Gii from a machine other than localhost, the access will be denied by default for security purpose. You can configure Gii to add the allowed IP addresses as follows,
'gii' => [
'class' => 'yii\gii\Module',
'allowedIPs' => ['127.0.0.1', '::1', '192.168.0.*', '192.168.178.20'] // adjust this to your needs
],
Thing is, it doesn't say where to add this - guesing config/web.php
But under what section?
2 places you need to add this.
Usually it is done like this in your main-local.php
if (!YII_ENV_TEST) {
$config['bootstrap'][] = 'gii';
$config['modules']['gii'] = [
'class' => 'yii\gii\Module',
];
}
So you need to add gii in the bootstrap section of the config and in the modules section. This will turn basically append them to the array from your config/main.php
return [
'id' => 'app-backend',
'basePath' => dirname(DIR),
'controllerNamespace' => 'backend\controllers',
'bootstrap' => ['log'],
'modules' => [
],
],
On the link you gave, take a look above. You should do:
if (YII_ENV_DEV) {
$config['bootstrap'][] = 'gii';
$config['modules']['gii'] = [
'class' => 'yii\gii\Module',
'allowedIPs' => ['127.0.0.1', '::1', '192.168.0.*', '192.168.178.20'] // adjust this to your needs
];
}
I trying to access frontend/web from backend menu using alias
yii:yii2 advanced
webserver : XAMPP
IDE:net beans
codes I modified:
C:\xampp\htdocs\advanced\common\config\aliases.php
Yii::setAlias('fronthome', dirname(dirname(__DIR__)) . '/frontend/web/');
C:\xampp\htdocs\advanced\backend\views\layouts\main.php
if (Yii::$app->user->isGuest) {
$menuItems[] = ['label' => 'Login', 'url' => ['/site/login']];
$menuItems[] = ['label' => 'fronthome', 'url' => Yii::getAlias('#fronthome')];
but when accessing "fronthome" menu via backend menu; browser was returning the url:
http://localhost/advanced/backend/web/C:/xampp/htdocs/advanced/frontend/web
what i wanted browser to give:
http://localhost/advanced/frontend/web/
can some one please put some light... I searched but there was no elegant solution which I could find via alias.
Thanks
I got it working by making the below change
C:\xampp\htdocs\advanced\common\config\aliases.php
Yii::setAlias('fronthome', dirname(dirname(__DIR__)) . '/frontend/web/');
to
Yii::setAlias('fronthome', '../../frontend/web/');
As the links in the comments are outdated here is a snippet from the Yii2 docs:
Creating links from backend to frontend
Often it's required to create links from the backend application to the frontend application. Since the frontend application may contain its own URL manager rules you need to duplicate that for the backend application by naming it differently:
return [
'components' => [
'urlManager' => [
// here is your normal backend url manager config
],
'urlManagerFrontend' => [
// here is your frontend URL manager config
],
],
];
//After it is done, you can get an URL pointing to frontend like the following:
echo Yii::$app->urlManagerFrontend->createUrl(...);
current link to copy of relevant doc: https://yii2-framework.readthedocs.io/en/stable/guide/tutorial-advanced-app/
The way I have implemented this is to add a switch to my backend/config/bootstrap.php
switch (YII_ENV) {
case 'dev':
$frontend = 'https://my-domain.lan/';
break;
case 'test':
$frontend = 'https://my-domain.test/';
break;
case 'prod':
$frontend = 'https://my-domain.com/';
break;
}
and then in my backend/config/main.php I added the following
'urlManagerFrontend' => [
'class' => UrlManager::className(),
'enablePrettyUrl' => true,
'showScriptName' => false,
'baseUrl' => $frontend,
'rules' => [
'<controller:\w+>/<id:\d+>' => '<controller>/view',
'<controller:\w+>/<action:\w+>/<id:\d+>' => '<controller>/<action>',
'<controller:\w+>/<action:\w+>' => '<controller>/<action>',
]
],
and then where I want to use the frontend link:
echo Html::a('link',Yii::$app->urlManagerFrontend->createUrl('controller/view'))
Try using params.php
Add a key on params.php on your common/config folder
'frontendUrl' => 'http://frontendUrl/',
Then you could access it anywhere on your view by:
<?= Yii::$app->params['frontendUrl'] ?>
Hope this helps :)