I'm using JWT auth in CakePHP to handle the login action in an Android app. I have disabled CSRF protection in Cake and am passing the token value through the "SharedPreferencesConstants" class, where the token value is set using the code shown below:

    // Running default handler
    new Handler().post(new Runnable() {
        @Override
        public void run() {
            fcm = new MyFireBaseIntanceIdservice();
            // FCM device token, stored for later use by the app
            String token = fcm.getrefeshtoken();
            // Log.e("test", token);
            SharedPreferencesConstants.setTOKEN(LoginActivity.this, token);
        }
    });

I have tried playing a bit with the token value, however.

The error I am getting as of now is "Error: [Cake\Http\Exception\InvalidCsrfTokenException] Missing CSRF token cookie".

The approach I have tried so far is disabling the CSRF protection in Cake's AppController.

    JSONObject jsonObject = new JSONObject();
    try {
        EditText txtEmail = (EditText) findViewById(R.id.txtEmail);
        EditText txtPassword = (EditText) findViewById(R.id.txtPassword);
        jsonObject.put("email", txtEmail.getText().toString());
        jsonObject.put("password", txtPassword.getText().toString());
        jsonObject.put("cookieName", "appname");
        jsonObject.put("_Token", "_csrfToken");
        jsonObject.put("deviceToken", SharedPreferencesConstants.getTOKEN(this));
        jsonObject.put("secureKey", SharedPreferencesConstants.getSECUREKEY(this));
    } catch (JSONException e) {
        e.printStackTrace();
    }

A thought that came to mind as a possible solution is related to an HTTP header to be passed in the request. But I couldn't locate any solution for this thought.

Any solution/suggestions?

Edit #1: In my AppController.php file, I have loaded only the Security component, not CSRF. Here is the code for the same:

    // $this->loadComponent('Csrf');

And the code I have in my CustomersController.php beforeFilter() function is:


The JWT Auth code I have in my AppController is:

    $this->loadComponent('Auth', [
        'storage' => 'Memory',
        'authenticate' => [
            'ADmad/JwtAuth.Jwt' => [
                'userModel' => 'Customers',
                'fields' => [
                    'username' => 'email'
                ],
                'parameter' => 'token',

                // Boolean indicating whether the "sub" claim of JWT payload
                // should be used to query the Users model and get user info.
                // If set to `false` JWT's payload is directly returned.
                'queryDatasource' => false,
            ]
        ],
        'unauthorizedRedirect' => false,
        'checkAuthIn' => 'Controller.initialize',

        // If you don't have a login action in your application set
        // 'loginAction' to false to prevent getting a MissingRouteException.
        'loginAction' => false
    ]);

I hope the new code I've added helps you get a better picture of the problem.
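The header-based approach the question hints at, as an added example that is not the asker's code: the Android client sends the JWT issued by the login action in the `Authorization` header, so no session cookie and no CSRF token are involved. The host, the `/api` paths, the `JwtApiClient` class and the response shape are assumptions, and the example assumes the `/api` routes are served without the CSRF component or middleware.

```java
import org.json.JSONException;
import org.json.JSONObject;
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

/** Hypothetical Android API client; host and paths are assumptions, not from the question. */
public final class JwtApiClient {
    private static final String BASE_URL = "https://api.example.com"; // placeholder host
    /** POST the credentials as JSON to the login action and return the JWT it issues. */
    public static String login(String email, String password) throws IOException, JSONException {
        JSONObject body = new JSONObject().put("email", email).put("password", password);
        HttpURLConnection conn = open("/api/customers/login.json", "POST", null);
        conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.toString().getBytes(StandardCharsets.UTF_8));
        }
        // Assumed response shape, as in the ADmad/JwtAuth README: {"success":true,"data":{"token":"..."}}
        return new JSONObject(readBody(conn)).getJSONObject("data").getString("token");
    }
    /** Call a protected action with the JWT in the Authorization header (no cookie, no CSRF token). */
    public static String getProfile(String jwt) throws IOException {
        return readBody(open("/api/customers/me.json", "GET", jwt));
    }
    private static HttpURLConnection open(String path, String method, String jwt) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(BASE_URL + path).openConnection();
        conn.setRequestMethod(method);
        conn.setRequestProperty("Content-Type", "application/json");
        if (jwt != null) {
            // ADmad/JwtAuth reads this header by default ('header' => 'authorization', 'prefix' => 'bearer').
            conn.setRequestProperty("Authorization", "Bearer " + jwt);
        }
        return conn;
    }
    /** Read the response body, failing loudly on any non-200 status (401 means the JWT was rejected). */
    private static String readBody(HttpURLConnection conn) throws IOException {
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("HTTP " + status + " from " + conn.getURL());
        }
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            StringBuilder sb = new StringBuilder();
            for (String line; (line = r.readLine()) != null; ) sb.append(line);
            return sb.toString();
        }
    }
}
```

Run these calls off the main thread (an executor or AsyncTask), not from a `Handler` on the UI thread. Note that the FCM device token stored by `SharedPreferencesConstants.setTOKEN` identifies the device for push and is not the JWT; the credential the Auth component checks is the token returned by the login action.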

0 Answers