fix mvc sample (csrf protection was broken after a forward)

src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php

@@ -68,35 +68,35 @@ class ControllerBase extends Controller
      */
     public function beforeExecuteRoute($dispatcher)
     {
-        // Authentication
-        // - use authentication of legacy OPNsense.
-        if ($this->session->has("Username") == false) {
-            $this->response->redirect("/", true);
-        }
-        // check for valid csrf on post requests
-        if ($this->request->isPost() && !$this->security->checkToken()) {
-            // post without csrf, exit.
-            return false;
+        // only handle input validation on first request.
+        if (!$dispatcher->wasForwarded()) {
+            // Authentication
+            // - use authentication of legacy OPNsense.
+            if ($this->session->has("Username") == false) {
+                $this->response->redirect("/", true);
+            }
+            // check for valid csrf on post requests
+            if ($this->request->isPost() && !$this->security->checkToken()) {
+                // post without csrf, exit.
+                return false;
+            }
+
+            // REST type calls should be implemented by inheriting ApiControllerBase.
+            // because we don't check for csrf on these methods, we want to make sure these aren't used.
+            if ($this->request->isHead() ||
+                $this->request->isPut() ||
+                $this->request->isDelete() ||
+                $this->request->isPatch() ||
+                $this->request->isOptions()) {
+                throw new \Exception('request type not supported');
+            }
         }
 
-        // REST type calls should be implemented by inheriting ApiControllerBase.
-        // because we don't check for csrf on these methods, we want to make sure these aren't used.
-        if ($this->request->isHead() ||
-            $this->request->isPut() ||
-            $this->request->isDelete() ||
-            $this->request->isPatch() ||
-            $this->request->isOptions()) {
-            throw new \Exception('request type not supported');
-        }
-
-        // include csrf for GET requests.
-        if ($this->request->isGet()) {
-            // inject csrf information
-            $this->view->setVars([
-                'csrf_tokenKey' => $this->security->getTokenKey(),
-                'csrf_token' => $this->security->getToken()
-            ]);
-        }
+        // include csrf for volt view rendering.
+        $this->view->setVars([
+            'csrf_tokenKey' => $this->security->getTokenKey(),
+            'csrf_token' => $this->security->getToken()
+        ]);
 
         // Execute before every found action
         $this->view->setVar('lang', $this->getTranslator());

src/opnsense/mvc/app/controllers/OPNsense/Sample/Api/IndexController.php

@@ -41,8 +41,8 @@ class IndexController extends ApiControllerBase
      */
     public function indexAction()
     {
-        if ($this->request->hasPut("message")) {
-            $message = $this->request->getPut("message");
+        if ($this->request->hasPost("message")) {
+            $message = $this->request->getPost("message");
         } else {
             $message = " " ;
         }

src/opnsense/mvc/app/views/OPNsense/Sample/index.volt

@@ -19,14 +19,13 @@ API call result : <div id="msgid"></div>
 
     $( "#restcall" ).click( function() {
         $.ajax({
-            type: "PUT",
+            type: "POST",
             url: "/api/sample/",
             success: function(data){
                 $("#msgid").html( data.message );
             },
             data:{message:$("#msg").val()}
         });
-
     });
 
 </script>