Dr. Helga

Dilettanten, olé!

ExtJS: Preventing CSRF Attacks When Using Ext.Direct

When using Ext.Direct there is no out-of-the-box way to send a token with the RPC call to prevent CSRF attacks, which is in fact a serious security problem. To make Ext.Direct send a token, you have to override the getCallData method of the RemotingProvider:

Override Ext.direct.RemotingProvider
Ext.override(Ext.direct.RemotingProvider, {
  // Called for every transaction; the returned object is what gets posted
  // to the server (one object per call, or an array when batching).
  getCallData: function(transaction){
      return {
          action: transaction.action,
          method: transaction.method,
          data: transaction.data,
          type: 'rpc',
          tid: transaction.id,
          // Per-session token rendered into the page by the server
          token: MyNamespace.PostToken
      };
  }
});
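The override only makes the client send the token; the server still has to reject any call whose token does not match the session. The following Node.js check is an added example, not code from the original post: it assumes the server rendered a per-session token into MyNamespace.PostToken, and the request body, token value and action names below are constructed for illustration.

```javascript
// Constant-time string comparison so a wrong token is rejected without
// leaking how many leading characters matched. In Node, crypto.timingSafeEqual
// is the preferred primitive; this loop keeps the example dependency-free.
function tokensMatch(expected, supplied) {
  if (typeof expected !== 'string' || typeof supplied !== 'string') return false;
  if (expected.length !== supplied.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ supplied.charCodeAt(i);
  }
  return diff === 0;
}

// Validate the JSON body posted by the RemotingProvider override above.
// Ext.Direct sends either one call object or, when batching, an array of
// them; every call in the batch must carry the token bound to the session.
// Returns {ok: true, calls} or {ok: false, reason, tid}.
function validateDirectRequest(body, sessionToken) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: 'invalid-json' };
  }
  const calls = Array.isArray(parsed) ? parsed : [parsed];
  for (const call of calls) {
    if (!call || call.type !== 'rpc') {
      return { ok: false, reason: 'not-rpc', tid: call && call.tid };
    }
    if (!tokensMatch(sessionToken, call.token)) {
      return { ok: false, reason: 'bad-token', tid: call.tid };
    }
  }
  return { ok: true, calls };
}

// Constructed sample data (not captured traffic): the per-session token the
// server rendered into MyNamespace.PostToken, a legitimate batched request
// as built by getCallData, and a request that omits the token.
const SESSION_TOKEN = 'constructed-session-token-0123456789';
const SAMPLE_BATCH = JSON.stringify([
  { action: 'Users', method: 'load', data: [1], type: 'rpc', tid: 1, token: SESSION_TOKEN },
  { action: 'Users', method: 'save', data: [{ id: 1 }], type: 'rpc', tid: 2, token: SESSION_TOKEN }
]);
const MISSING_TOKEN_CALL = JSON.stringify(
  { action: 'Users', method: 'destroy', data: [1], type: 'rpc', tid: 3 }
);
```

Rejected calls should be answered with an Ext.Direct exception response for the offending tid rather than silently dropped, so the client-side callback can surface the error.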

ExtJS: Add Operators and Types to Remote Sorting RPC Call

When trying to use the remote filtering feature of an Ext.Direct store I found that only the property and value fields of the filter get sent to the server in the RPC call:

Calling code and the JSON sent
//Example call:
var filter = Ext.create('Ext.util.Filter', {
  id: 'namefilter',
  property: 'name',
  value: 'somestring',
  type:'string',
  operator: '='
});
store.filter(filter);

//JSON sent to server (type and operator are missing):
filter: [
  {
    property: "name",
    value: "somestring"
  }
]

If you want to implement complex filtering on the server side, this is definitely not enough information.
To overcome this, you have to override the encodeFilters method of the server proxy:

Override Ext.data.proxy.Server
Ext.override(Ext.data.proxy.Server, {
  // Build the minimal filter representation that is serialized into the
  // request, now including operator and type alongside property and value.
  encodeFilters: function(filters) {
      var min = [],
          length = filters.length,
          i = 0;

      for (; i < length; i++) {
          min[i] = {
              property: filters[i].property,
              operator: filters[i].operator,
              type    : filters[i].type,
              value   : filters[i].value
          };
      }
      return this.applyEncoding(min);
  }
});

And everything will be fine:

Proper JSON sent to server
filter: [
  {
    property: "name",
    value: "somestring",
    type: "string",
    operator: "="
  }
]