Started documenting the DSC-CSRF middleware

This commit is contained in:
Barnaby Walters 2021-06-11 01:52:09 +02:00
parent c0abe846cd
commit f66473cc53

View File

@ -14,12 +14,25 @@ use Psr\Log\NullLogger;
use function Taproot\IndieAuth\generateRandomString;
/**
* Development reference
* Double-Submit Cookie CSRF Middleware
*
* CSRF protection cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
* Example CSRF protection cookie middleware: https://github.com/zakirullin/csrf-middleware/blob/master/src/CSRF.php
* A PSR-15-compatible Middleware for stateless Double-Submit-Cookie-based CSRF protection.
*
* The `$attribute` property and first constructor argument sets the key by which the CSRF token
* is referred to in all parameter sets (request attributes, request body parameters, cookies).
*
* Generates a random token of length `$tokenLength` (default 128), and stores it as an attribute
* on the `ServerRequestInterface`. Its also added to the response as a cookie.
*
* On requests which may modify state (methods other than HEAD, GET or OPTIONS), the request body
* and request cookies are checked for matching CSRF tokens. If they match, the request is passed on
* to the handler. If they do not match, further processing is halted and an error response generated
* from the `$errorResponse` callback is returned. Refer to the constructor argument for information
* about customising the error response.
*
* @link https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
* @link https://github.com/zakirullin/csrf-middleware/blob/master/src/CSRF.php
*/
class DoubleSubmitCookieCsrfMiddleware implements MiddlewareInterface, LoggerAwareInterface {
const READ_METHODS = ['HEAD', 'GET', 'OPTIONS'];
const TTL = 60 * 20;
@ -89,6 +102,8 @@ class DoubleSubmitCookieCsrfMiddleware implements MiddlewareInterface, LoggerAwa
protected function isValid(ServerRequestInterface $request) {
if (array_key_exists($this->attribute, $request->getParsedBody() ?? [])) {
if (array_key_exists($this->attribute, $request->getCookieParams() ?? [])) {
// TODO: make sure CSRF token isnt the empty string, possibly also check that its the same length
// as defined in $this->tokenLength.
return hash_equals($request->getParsedBody()[$this->attribute], $request->getCookieParams()[$this->attribute]);
}
}