WEBVTT

00:00.290 --> 00:05.060
So the next middleware we can create is a CSRF middleware.

00:05.090 --> 00:09.770
So, the automatic token verification: there are a lot of benefits to that.

00:10.130 --> 00:14.390
We can for example remove this code from controllers.

00:14.390 --> 00:20.120
And the best thing is we won't have to remember about adding this verification.

00:20.180 --> 00:25.910
As you might remember, generating the token is just not enough.

00:25.910 --> 00:28.970
We need the actual CSRF verification.

00:29.120 --> 00:32.960
Otherwise, well, the protection just isn't there.

00:33.290 --> 00:40.910
So to be really safe, for this verification, for the CSRF protection to make a lot of sense,

00:41.210 --> 00:50.330
we should just create a middleware that is always run, because our implementation is also making sure

00:50.330 --> 00:56.360
that it is a POST request, or at least that it is not a GET request.

00:56.420 --> 00:58.520
So let me make this middleware.

00:58.520 --> 01:04.040
This is app Middlewares and the class name is CSRF.

01:04.070 --> 01:09.020
Or maybe instead I'm just going to copy an existing implementation.

01:12.140 --> 01:15.050
Like this one to make it quicker.

01:16.370 --> 01:18.350
So this one was called Auth.

01:18.350 --> 01:20.180
We don't need this name.

01:20.180 --> 01:22.040
This is CSRF.

01:22.130 --> 01:27.950
We need to import the middleware interface and the implementation.

01:27.950 --> 01:31.400
We're going to move it from comment controller.

01:32.450 --> 01:36.200
So it needs to be removed from this file.

01:37.640 --> 01:40.280
It should now happen automatically.

01:44.840 --> 01:49.280
So we need to make sure that we've got the proper service class.

01:50.570 --> 01:52.970
So we've got this import with an alias.

01:53.000 --> 01:55.910
We also lack the router import.

01:56.150 --> 01:58.700
And I think it's everything that we need.

01:58.730 --> 02:02.900
We just need to verify if the token is valid.

02:03.020 --> 02:05.300
And display the page expired.

02:05.300 --> 02:10.590
if that's not the case. Let's go back to comment controller.

02:10.620 --> 02:12.870
Let's make sure everything is saved.

02:13.170 --> 02:19.950
Next up, let me go to routes as that's the place where we register the middleware.

02:19.950 --> 02:27.210
And let me just add the global middleware that will be called CSRF.

02:28.320 --> 02:32.610
We just pass the class name and we should be done.

02:32.610 --> 02:40.200
Now at this point every single form that we submit just needs to have a token generated like in this

02:40.200 --> 02:41.940
login form for example.

02:41.970 --> 02:49.530
Because if we don't have that, then this verification should automatically fail.

02:50.460 --> 02:57.450
So before I test signing in, let me go to auth controller to just make sure we don't have the manual

02:57.450 --> 02:58.440
verification.

02:58.440 --> 02:59.490
We do.

02:59.520 --> 03:07.200
That's why I need to remove it first because the verification regenerates the token after we verify

03:07.200 --> 03:07.590
it.

03:07.590 --> 03:10.920
So if we do it twice, well, we should...

03:10.950 --> 03:16.410
Well, we would never be verified, because as soon as we verify, we regenerate the token.

03:16.410 --> 03:19.320
So the next verification fails.

03:19.410 --> 03:26.310
And as you see, we just removed the code, which is probably my favorite thing in coding.

03:26.310 --> 03:36.630
If I can remove the excessive code. After this change, I should be safely signing in using my favorite

03:36.630 --> 03:37.440
account.

03:37.470 --> 03:41.100
Everything is fine, so it confirms that we are, well,

03:41.100 --> 03:43.950
We are verifying this CSRF token.

03:44.160 --> 03:51.420
Maybe I'm going to also remove it here and show you in the terminal that it is indeed run.

03:51.420 --> 03:52.890
Let's log out.

03:53.190 --> 03:55.020
And here's another problem.

03:55.020 --> 03:59.940
So the logout is sending a form.

04:02.070 --> 04:04.260
Okay so here is our logout button.

04:04.260 --> 04:09.330
And this means we need the CSRF token here as well.

04:10.260 --> 04:14.580
Otherwise signing on, signing out won't work.

04:14.610 --> 04:15.900
Let me try again.

04:15.900 --> 04:20.250
Or maybe actually let's refresh the page and now log out.

04:20.250 --> 04:25.590
So as you see, every single form with a POST method needs to have a token.

04:25.620 --> 04:27.390
Otherwise we have an issue.

04:27.450 --> 04:31.980
Now, what I really didn't like was the error that we've seen when we sign out.

04:31.980 --> 04:37.590
And this just stemmed from the lack of a token that wasn't generated.

04:37.860 --> 04:45.420
So let's fix that so that we get a clear 419 page, not some random errors.

04:46.290 --> 04:50.160
So I think the issue was inside this verify method.

04:50.160 --> 04:56.940
And one of the functions, I guess that was hash_equals, didn't like to get a null value.

04:56.970 --> 05:00.570
It just needs to have two strings.

05:00.570 --> 05:02.130
Let's fix this.

05:02.130 --> 05:09.780
So if we don't have a token, we default the token to null, which probably is a mistake.

05:09.810 --> 05:19.890
Let's make it the backup value of an empty string, and also if there is no token in the session, let's

05:19.890 --> 05:23.020
make sure it is an empty string instead.

05:23.020 --> 05:25.840
So not to compare two empty strings.

05:25.840 --> 05:33.880
If there is no token in the session and no token is sent through the form, let's first make sure this

05:33.880 --> 05:42.640
is not empty. An empty string would return true when we call the empty function, so the token needs

05:42.640 --> 05:47.920
to be non-empty; only then we compare it with whatever is inside the session.

05:48.760 --> 05:56.440
I think it is much better now, so if I remove the token generated on this login form so we can test

05:56.440 --> 06:03.790
the functionality, we shouldn't have a token right now and we've got 419 automatically.

06:03.790 --> 06:06.520
This means we are not handling the token.

06:06.550 --> 06:08.020
Let me bring it back.

06:08.020 --> 06:13.870
And now I should be able to sign in, sign out.

06:13.870 --> 06:22.450
And I should also be able to post a comment.

06:22.450 --> 06:26.920
And this user verification should automatically work.
