adbario/slim-csrf

CSRF protection for Slim 3 framework

1.1.0 2017-04-06 08:32 UTC

This package is auto-updated.

Last update: 2021-11-11 08:01:39 UTC


README

Protection against CSRF in Slim 3 framework. Uses Slim Secure Session Middleware to manage session and automatically creates HTML form hidden input for Twig-View and PHP-View.

CSRF protection will be applied to POST, PUT, DELETE and PATCH requests.

Installation

composer require adbario/slim-csrf

Usage

Depency Container

Inject session helper to application container (read more about session helper):

$container['session'] = function ($container) {
    return new \Adbar\Session(
        $container->get('settings')['session']['namespace']
    );
};

Inject CSRF protection in application container:

$container['csrf'] = function ($c) {
    return new \Adbar\Slim\Csrf($c->get('session'));
};

If you use Twig-View or PHP-View:

$container['csrf'] = function ($c) {
    return new \Adbar\Slim\Csrf(
        $c->get('session'),
        $c->get('view')
    );
};

Other dependencies

CSRF protection needs Slim Secure Session Middleware. Inject settings for session middleware and register it:

$app->add(new \Adbar\SessionMiddleware($container->get('settings')['session']));

Register for all routes

To use CSRF protection on all routes, register it as a middleware before session middleware:

/** Csrf */
$app->add($app->getContainer()->get('csrf'));

/** Session */
$app->add(new \Adbar\SessionMiddleware($container->get('settings')['session']));

Register per route

To use CSRF protection on specific routes, add it like this:

$app->get('/form', function ($request, $response) {
    // CSRF token will be added
    return $this->view->render($response, 'form.twig');
})->add($container->get('csrf'));

$app->post('/form', function ($request, $response) {
    // If CSRF token was valid, code after this will run
})->add($container->get('csrf'));

Twig-View

Ready-to-use HTML form hidden input will be injected in Twig-View, to use it in your view:

<form method="post">
    {{ csrf|raw }}
    Username
    <input type="text" name="username">
    <input type="submit" value="Send">
</form>

PHP-View

Ready-to-use HTML form hidden input will be injected also in Twig-View, to use it in your view:

<form method="post">
    <?= $csrf ?>
    Username
    <input type="text" name="username">
    <input type="submit" value="Send">
</form>

Other template engines

You can easily use CSRF protection on other template engines as well. Inject to container without view:

$container['csrf'] = function () {
    return new \Adbar\Slim\Csrf;
};

Generate HTML hidden input field:

$app->get('/form', function ($request, $response) {
    // Generate form field
    $csrf = $this->csrf->generateForm();
    // Inject form field to your view...
});

Custom error on CSRF token failure

By default, CSRF protection shows simple message on failure:

Invalid security token.

You can render a custom template if CSRF token isn't valid, edit container:

$container['csrf'] = function ($c) {
    $csrf = new \Adbar\Slim\Csrf(
        $c->get('session'),
        $c->get('view')
    );
    $csrf->setTokenError(function ($request, $response, $next) use ($c) {
        return $c->view->render($response->withStatus(400), 'csrf_error.twig');
    });
    return $csrf;
};

If you just want to edit simple message:

$container['csrf'] = function ($c) {
    $csrf = new \Adbar\Slim\Csrf(
        $c->get('session'),
        $c->get('view')
    );
    $csrf->setTokenErrorMessage('This is my custom error message.');
    return $csrf;
};

License

MIT license