fix: preserve JSON body when CSRF token is sent in header

Author: michalsn

system/Security/Security.php

@@ -307,6 +307,11 @@ private function removeTokenInRequest(IncomingRequest $request): void
 
         // If the token is found in form-encoded data, we can safely remove it.
         parse_str($body, $result);
+
+        if (! array_key_exists($tokenName, $result)) {
+            return;
+        }
+
         unset($result[$tokenName]);
         $request->setBody(http_build_query($result));
     }

tests/system/Security/SecurityCSRFSessionTest.php

@@ -251,6 +251,37 @@ public function testCSRFVerifyJsonReturnsSelfOnMatch(): void
         $this->assertSame('{"foo":"bar"}', $request->getBody());
     }
 
+    public function testCSRFVerifyHeaderWithJsonBodyPreservesBody(): void
+    {
+        service('superglobals')->setServer('REQUEST_METHOD', 'POST');
+
+        $request = $this->createIncomingRequest();
+        $body    = '{"foo":"bar"}';
+
+        $request->setHeader('X-CSRF-TOKEN', '8b9218a55906f9dcc1dc263dce7f005a');
+        $request->setBody($body);
+        $security = $this->createSecurity();
+
+        $this->assertInstanceOf(Security::class, $security->verify($request));
+        $this->assertLogged('info', 'CSRF token verified.');
+        $this->assertSame($body, $request->getBody());
+    }
+
+    public function testCSRFVerifyHeaderWithJsonBodyStripsTokenFromBody(): void
+    {
+        service('superglobals')->setServer('REQUEST_METHOD', 'POST');
+
+        $request = $this->createIncomingRequest();
+
+        $request->setHeader('X-CSRF-TOKEN', '8b9218a55906f9dcc1dc263dce7f005a');
+        $request->setBody('{"csrf_test_name":"8b9218a55906f9dcc1dc263dce7f005a","foo":"bar"}');
+        $security = $this->createSecurity();
+
+        $this->assertInstanceOf(Security::class, $security->verify($request));
+        $this->assertLogged('info', 'CSRF token verified.');
+        $this->assertSame('{"foo":"bar"}', $request->getBody());
+    }
+
     public function testRegenerateWithFalseSecurityRegenerateProperty(): void
     {
         service('superglobals')

tests/system/Security/SecurityTest.php

@@ -204,6 +204,39 @@ public function testCsrfVerifyJsonReturnsSelfOnMatch(): void
         $this->assertSame('{"foo":"bar"}', $request->getBody());
     }
 
+    public function testCsrfVerifyHeaderWithJsonBodyPreservesBody(): void
+    {
+        service('superglobals')
+            ->setServer('REQUEST_METHOD', 'POST')
+            ->setCookie('csrf_cookie_name', self::CORRECT_CSRF_HASH);
+
+        $security = $this->createMockSecurity();
+        $request  = $this->createIncomingRequest();
+        $body     = '{"foo":"bar"}';
+
+        $request->setHeader('X-CSRF-TOKEN', self::CORRECT_CSRF_HASH);
+        $request->setBody($body);
+
+        $this->assertInstanceOf(Security::class, $security->verify($request));
+        $this->assertSame($body, $request->getBody());
+    }
+
+    public function testCsrfVerifyHeaderWithJsonBodyStripsTokenFromBody(): void
+    {
+        service('superglobals')
+            ->setServer('REQUEST_METHOD', 'POST')
+            ->setCookie('csrf_cookie_name', self::CORRECT_CSRF_HASH);
+
+        $security = $this->createMockSecurity();
+        $request  = $this->createIncomingRequest();
+
+        $request->setHeader('X-CSRF-TOKEN', self::CORRECT_CSRF_HASH);
+        $request->setBody('{"csrf_test_name":"' . self::CORRECT_CSRF_HASH . '","foo":"bar"}');
+
+        $this->assertInstanceOf(Security::class, $security->verify($request));
+        $this->assertSame('{"foo":"bar"}', $request->getBody());
+    }
+
     public function testCsrfVerifyPutBodyThrowsExceptionOnNoMatch(): void
     {
         service('superglobals')