Extension - expose unauthenticated endpoint

stan911

New Member
Is there a way to register a route for an extension, which doesn't require authentication? E.g.:

Yii::app()->urlManager->addRules(array(
    array('ext_webhook_index', 'pattern' => 'extensions/webhook/'),
));
and then have the resulting URL, backend/index.php/webhook/index, not require authentication.

I'm interested in receiving some data from a webhook, from a third-party application.
 

twisted1919

Administrator
Staff member
@stan911 - Yes there is, just register your route in the unprotected controllers list before, like:
PHP:
// set the controller unprotected
$unprotected = (array)Yii::app()->params->itemAt('unprotectedControllers');
array_push($unprotected, 'ext_webhook_index');
Yii::app()->params->add('unprotectedControllers', $unprotected);

// your route registration.
Yii::app()->urlManager->addRules(array(
    array('ext_webhook_index', 'pattern' => 'extensions/webhook/'),
));
 

stan911

New Member
@twisted1919 I have to get back to this. It works fine for GET requests. For POST requests it's throwing me an HTTP 400 with the message "Error 400! The CSRF token could not be verified.". I've tried to find a way to disable CSRF validation at action level within the extension, but I cannot find a way to apply it inside the extension.
Any suggestions on how to disable CSRF validation at controller OR controller's action level?
 

twisted1919

Administrator
Staff member
Yup, do:
PHP:
// remove the csrf token validation
$request = Yii::app()->request;
if ($request->isPostRequest && $request->enableCsrfValidation) {
    $url = Yii::app()->urlManager->parseUrl($request);
    $routes = array('ext_webhook_index');
    foreach ($routes as $route) {
        if (strpos($url, $route) === 0) {
            Yii::app()->detachEventHandler('onBeginRequest', array($request, 'validateCsrfToken'));
            Yii::app()->attachEventHandler('onBeginRequest', array($this, 'validateCsrfToken'));
            break;
        }
    }
}
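
With the route unprotected and CSRF validation detached, the action itself has to authenticate the sender. An added example (not part of the original thread and not MailWizz code) that verifies an HMAC-SHA256 signature over the raw request body; the function name, shared secret, signed string layout and 300-second window are assumptions, since the thread does not say what the third-party application sends:

```php
<?php
// Added example: authenticate the sender inside the unprotected webhook action.
// The secret, signed-string layout and tolerance are assumptions, not MailWizz
// or provider values.

const WEBHOOK_TOLERANCE = 300; // seconds a signed request stays acceptable

/**
 * Returns true only when $signature is the hex HMAC-SHA256 of
 * "$timestamp.$rawBody" under $secret and the timestamp is inside the window.
 */
function webhook_is_authentic($rawBody, $timestamp, $signature, $secret, $now = null)
{
    $now = $now === null ? time() : $now;

    // Reject missing or malformed fields before doing any crypto.
    if (!is_string($signature) || !ctype_digit((string)$timestamp)) {
        return false;
    }

    // Stale or future-dated requests are treated as replays.
    if (abs($now - (int)$timestamp) > WEBHOOK_TOLERANCE) {
        return false;
    }

    $expected = hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);

    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals($expected, strtolower($signature));
}

// Constructed sample input (not captured from a real provider).
$secret = 'constructed-shared-secret';
$body   = '{"event":"subscriber.created","id":42}';
$ts     = '1700000000';
$sig    = hash_hmac('sha256', $ts . '.' . $body, $secret);

// Cases: genuine request, tampered body, replay outside the window, no signature.
var_dump(webhook_is_authentic($body, $ts, $sig, $secret, 1700000010));
var_dump(webhook_is_authentic($body . ' ', $ts, $sig, $secret, 1700000010));
var_dump(webhook_is_authentic($body, $ts, $sig, $secret, 1700009999));
var_dump(webhook_is_authentic($body, $ts, null, $secret, 1700000010));
```

In the controller action, read the body with `file_get_contents('php://input')` and the two values from whatever headers the sending application uses (for example hypothetical `X-Webhook-Timestamp` and `X-Webhook-Signature`), and end the request with a 401 when the check fails.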
 