schnittstabil/psr7-csrf-middleware

Stateless PSR-7 CSRF (Cross-Site Request Forgery) protection middleware - simple Slim Framework 3 integration.

1.1.1 2016-04-08 15:30 UTC

This package is auto-updated.

Last update: 2020-08-25 17:34:33 UTC


README

SensioLabsInsight

Stateless PSR-7 CSRF (Cross-Site Request Forgery) protection middleware 🔏

Install

$ composer require schnittstabil/psr7-csrf-middleware

Usage

<?php
require __DIR__.'/vendor/autoload.php';

use Schnittstabil\Psr7\Csrf\MiddlewareBuilder as CsrfMiddlewareBuilder;

/*
 * Shared secret key used for generating and validating CSRF tokens:
 */
$key = 'This key is not so secret - change it!';

/*
 * Build a stateless Synchronizer Token Pattern CSRF proptection middleware.
 */
$csrfMiddleware = CsrfMiddlewareBuilder::create($key)
    ->buildSynchronizerTokenPatternMiddleware();

/*
 * Build a (AngularJS compatible) stateless Cookie-To-Header CSRF proptection middleware.
 *
 * Requires additional dependency:
 *     composer require dflydev/fig-cookies
 */
$csrfMiddleware = CsrfMiddlewareBuilder::create($key)
    ->buildCookieToHeaderMiddleware();
?>

Slim v3 Example

<?php
/*
 * Requires additional dependency:
 *     composer require slim/slim
 */
require __DIR__.'/vendor/autoload.php';

use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Slim\App;
use Schnittstabil\Psr7\Csrf\MiddlewareBuilder as CsrfMiddlewareBuilder;

$app = new App();

/*
 * CSRF protection setup
 */
$app->getContainer()['csrf_token_name'] = 'X-XSRF-TOKEN';
$app->getContainer()['csrf'] = function ($c) {
    $key = 'This key is not so secret - change it!';

    return CsrfMiddlewareBuilder::create($key)
        ->buildSynchronizerTokenPatternMiddleware($c['csrf_token_name']);
};
$app->add('csrf');

/*
 * GET routes are not protected (by default)
 */
$app->get('/', function (RequestInterface $request, ResponseInterface $response) {
    $name = $this->csrf_token_name;
    $token = $this->csrf->getTokenService()->generate();

    // render HTML...
    $response = $response->write("<input type=\"hidden\" name=\"$name\" value=\"$token\" />");

    return $response->write('successfully GET!');
});

/*
 * POST routes are protected (by default; same applies to PUT, DELETE and PATCH)
 */
$app->post('/', function (RequestInterface $request, ResponseInterface $response) {
    return $response->write('successfully POST');
});

/*
 * Run application
 */
$app->run();
?>

Related

License

MIT © Michael Mayer