Started documenting the DSC-CSRF middleware
parent
c0abe846cd
commit
f66473cc53
@ -14,12 +14,25 @@ use Psr\Log\NullLogger;
|
|||||||
use function Taproot\IndieAuth\generateRandomString;
|
use function Taproot\IndieAuth\generateRandomString;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Development reference
|
* Double-Submit Cookie CSRF Middleware
|
||||||
*
|
*
|
||||||
* CSRF protection cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
|
* A PSR-15-compatible Middleware for stateless Double-Submit-Cookie-based CSRF protection.
|
||||||
* Example CSRF protection cookie middleware: https://github.com/zakirullin/csrf-middleware/blob/master/src/CSRF.php
|
*
|
||||||
|
* The `$attribute` property and first constructor argument sets the key by which the CSRF token
|
||||||
|
* is referred to in all parameter sets (request attributes, request body parameters, cookies).
|
||||||
|
*
|
||||||
|
* Generates a random token of length `$tokenLength` (default 128), and stores it as an attribute
|
||||||
|
* on the `ServerRequestInterface`. It’s also added to the response as a cookie.
|
||||||
|
*
|
||||||
|
* On requests which may modify state (methods other than HEAD, GET or OPTIONS), the request body
|
||||||
|
* and request cookies are checked for matching CSRF tokens. If they match, the request is passed on
|
||||||
|
* to the handler. If they do not match, further processing is halted and an error response generated
|
||||||
|
* from the `$errorResponse` callback is returned. Refer to the constructor argument for information
|
||||||
|
* about customising the error response.
|
||||||
|
*
|
||||||
|
* @link https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
|
||||||
|
* @link https://github.com/zakirullin/csrf-middleware/blob/master/src/CSRF.php
|
||||||
*/
|
*/
|
||||||
|
|
||||||
class DoubleSubmitCookieCsrfMiddleware implements MiddlewareInterface, LoggerAwareInterface {
|
class DoubleSubmitCookieCsrfMiddleware implements MiddlewareInterface, LoggerAwareInterface {
|
||||||
const READ_METHODS = ['HEAD', 'GET', 'OPTIONS'];
|
const READ_METHODS = ['HEAD', 'GET', 'OPTIONS'];
|
||||||
const TTL = 60 * 20;
|
const TTL = 60 * 20;
|
||||||
@ -89,6 +102,8 @@ class DoubleSubmitCookieCsrfMiddleware implements MiddlewareInterface, LoggerAwa
|
|||||||
protected function isValid(ServerRequestInterface $request) {
|
protected function isValid(ServerRequestInterface $request) {
|
||||||
if (array_key_exists($this->attribute, $request->getParsedBody() ?? [])) {
|
if (array_key_exists($this->attribute, $request->getParsedBody() ?? [])) {
|
||||||
if (array_key_exists($this->attribute, $request->getCookieParams() ?? [])) {
|
if (array_key_exists($this->attribute, $request->getCookieParams() ?? [])) {
|
||||||
|
// TODO: make sure CSRF token isn’t the empty string, possibly also check that it’s the same length
|
||||||
|
// as defined in $this->tokenLength.
|
||||||
return hash_equals($request->getParsedBody()[$this->attribute], $request->getCookieParams()[$this->attribute]);
|
return hash_equals($request->getParsedBody()[$this->attribute], $request->getCookieParams()[$this->attribute]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
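Review bot: The TODO added above the `hash_equals()` call in isValid() records the empty-token gap but leaves it open: `hash_equals('', '')` returns true, so a request whose body field and cookie are both the empty string is accepted as valid. `hash_equals()` also throws a TypeError when either argument is not a string, so an array-valued body field would probably surface as an exception rather than go through the `$errorResponse` path; how the caller handles that is outside the hunk. I would replace the TODO with the check itself: `$body = $request->getParsedBody()[$this->attribute];`, `$cookie = $request->getCookieParams()[$this->attribute];`, then `return is_string($body) && is_string($cookie) && $body !== '' && hash_equals($body, $cookie);`. The end of isValid() lies outside the hunk, so what it returns when either key is missing is not visible here.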