Environment Setup for OAuth and XSRF Demonstrations
Introduction
The implementations described in the previous posts listed below were built on the Laravel PHP framework and served by the Apache web server.
XSRF (CSRF) Protection – Double Submit Cookie
XSRF (CSRF) Protection – Synchronizer Token Pattern
Demonstrating OAuth 2.0 using Facebook’s Graph API
Method
The basic environment setup is as follows.
Installing and configuring Apache with SSL/TLS enabled is a prerequisite; the session cookie and the CSRF defences only make sense if the site is served over HTTPS.
Get Composer, the dependency manager for PHP, from the Composer website.
Create a new Laravel application with the following command. Change into the web server's Document Root before running it.
composer create-project --prefer-dist laravel/laravel oauth
This downloads the Laravel framework and scaffolds a ready-to-run application in the oauth directory.
Edit the hosts file in Windows to add a local DNS entry for the test hostname:
C:\Windows\System32\drivers\etc\hosts
127.0.0.1 www.oauthtest.lk
Add a Virtual Host entry for SSL in the Apache server configuration.
(Figure: httpd-ssl.conf for the Apache 2.18 server)
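As an added example, not the post's own httpd-ssl.conf (whose screenshot is not reproduced here), the following is a minimal TLS virtual host for the hostname added above. The certificate and key paths, the WAMP document root C:/wamp64/www/oauth/public and the log file names are assumptions; adjust them to your installation. Laravel's front controller lives in the public directory, so DocumentRoot must point there rather than at the project root, otherwise .env and the rest of the source tree become web-accessible.

```apache
<VirtualHost *:443>
    ServerName www.oauthtest.lk
    # Laravel serves from public/; pointing at the project root would expose .env
    DocumentRoot "C:/wamp64/www/oauth/public"

    SSLEngine on
    # Assumed paths: substitute your own certificate and private key
    SSLCertificateFile    "C:/wamp64/bin/apache/conf/ssl/oauthtest.crt"
    SSLCertificateKeyFile "C:/wamp64/bin/apache/conf/ssl/oauthtest.key"
    # Disable legacy protocol versions and weak ciphers
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # AllowOverride All lets Laravel's public/.htaccess rewrite rules run
    <Directory "C:/wamp64/www/oauth/public">
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog  "logs/oauthtest-error.log"
    CustomLog "logs/oauthtest-access.log" common
</VirtualHost>

# Send plain-HTTP visitors to HTTPS so the session cookie only travels over TLS
<VirtualHost *:80>
    ServerName www.oauthtest.lk
    Redirect permanent "/" "https://www.oauthtest.lk/"
</VirtualHost>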
Laravel ships with CSRF protection enabled using the Synchronizer Token pattern: the VerifyCsrfToken middleware throws a TokenMismatchException when a state-changing request carries no valid token. Because these posts implement their OWN CSRF protection, that middleware has to be removed from the web middleware group in the HTTP kernel. Be aware that this leaves every web route without CSRF protection until the custom middleware is in place, so do not expose the application before then; if only selected routes need to bypass the built-in check, the VerifyCsrfToken class also offers an $except array of URIs.
C:\Wamp64\www\oauth\app\Http\Kernel.php
(Figure: VerifyCsrfToken class is commented out)
For the CSRF protection functionality to work, a user must first be authenticated with the site. A simple LocalLogin class was therefore implemented that authenticates users against hard-coded credentials stored in JSON.
The users.json file is as follows. Note that the password field holds an md5 hash of the password. This is acceptable only for a throwaway demo: md5 is fast and unsalted, so a real application should store passwords with password_hash() and check them with password_verify().
(Figure: users.json)
The login controller, LocalLogin.php, was implemented as follows.
(Figure: LocalLogin::class)
The user credentials are read from users.json and checked against the request data submitted by the login form.
(Figure: Login page)
Once the credentials match, a session is created and a session cookie is set. That cookie is exactly what the CSRF demonstrations in the posts above protect, since a cross-site request forgery relies on the browser attaching it automatically.
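As an added example, and not the post's own LocalLogin controller (whose screenshot is not reproduced here), the following Laravel-style controller performs the login described above. It assumes a users.json of the form [{"username": "...", "password": "<md5 hex>"}] stored at storage/app/users.json, a login form posting username and password fields, a login Blade view, and routes such as Route::post('/login', 'LocalLogin@login'); all of those names are assumptions. It keeps the post's md5 scheme so the file format matches, but compares hashes with hash_equals() and regenerates the session ID on successful login so that session fixation is closed off.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

/**
 * Added example: minimal local login against a JSON credential file.
 * Assumed file format (storage/app/users.json):
 *   [{"username": "alice", "password": "<md5 hex of alice's password>"}]
 * md5 is kept only to match the demo's users.json; real systems should use
 * password_hash()/password_verify().
 */
class LocalLogin extends Controller
{
    /** Path to the credential file (assumption: storage/app/users.json). */
    private function usersFile()
    {
        return storage_path('app/users.json');
    }

    /** Load users as username => md5 hash; returns an empty array on bad input. */
    private function loadUsers()
    {
        $raw  = @file_get_contents($this->usersFile());
        $list = json_decode($raw === false ? '' : $raw, true);
        if (!is_array($list)) {
            return [];
        }
        $users = [];
        foreach ($list as $entry) {
            if (isset($entry['username'], $entry['password'])) {
                $users[$entry['username']] = strtolower($entry['password']);
            }
        }
        return $users;
    }

    /**
     * Check a username/password pair. The hash comparison uses hash_equals(),
     * and an unknown username is compared against a dummy hash so both paths
     * do the same amount of work.
     */
    public function verify($username, $password, array $users)
    {
        $expected = isset($users[$username]) ? $users[$username] : md5('');
        $match    = hash_equals($expected, md5($password));
        return $match && isset($users[$username]);
    }

    /** Render the login form (resources/views/login.blade.php is assumed). */
    public function showForm()
    {
        return view('login');
    }

    /** Handle the POSTed login form. */
    public function login(Request $request)
    {
        $username = (string) $request->input('username', '');
        $password = (string) $request->input('password', '');

        if (!$this->verify($username, $password, $this->loadUsers())) {
            // Same message for bad user and bad password: no username enumeration
            return back()->withErrors(['login' => 'Invalid username or password.']);
        }

        // Issue a fresh session ID on privilege change to defeat session fixation
        $request->session()->regenerate();
        $request->session()->put('user', $username);

        return redirect('/');
    }

    /** Log out: flush the session data and invalidate the session ID. */
    public function logout(Request $request)
    {
        $request->session()->invalidate();
        return redirect('/login');
    }
}
```

Because the site is served over HTTPS, also set 'secure' => true and 'http_only' => true in config/session.php so the session cookie is never sent in clear text and is out of reach of script. The two CSRF posts listed above then build on the session this controller creates.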