Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
and maybe the only commit needed :)
Christian Blanquera
committed
Mar 12, 2018
1 parent
3d09963
commit 4dd67a7
Showing
3 changed files
with
112 additions
and
0 deletions.
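--- /dev/null
+++ b/PATH-NOT-SHOWN.php
@@ -0,0 +1,44 @@
+<?php //-->
+
+use Cradle\Http\Request;
+use Cradle\Http\Response;
+
+/**
+ * Loads CSRF token in stage
+ *
+ * @param *Request $request
+ * @param *Response $response
+ */
+$cradle->on('csrf-load', function (Request $request, Response $response) {
+//render the key
+$key = md5(uniqid());
+if($request->hasSession('csrf')) {
+$key = $request->getSession('csrf');
+}
+
+$request->setSession('csrf', $key);
+$response->setStage('csrf', $key);
+});
+
+/**
+ * Validates CSRF
+ *
+ * @param *Request $request
+ * @param *Response $response
+ */
+$cradle->on('csrf-validate', function (Request $request, Response $response) {
+$actual = $request->getStage('csrf');
+$expected = $request->getSession('csrf');
+
+//no longer needed
+$request->removeSession('csrf');
+
+if($actual !== $expected) {
+//prepare to error
+$message = 'We prevented a potential attack on our servers coming from the request you just sent us.';
+$message = $this->package('global')->translate($message);
+$response->setError(true, $message);
+}
+
+//it passed
+});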
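Review bot: In the `csrf-validate` handler the comparison `if($actual !== $expected)` accepts a request when neither value is set: if the session holds no `csrf` entry (the `csrf-load` event was never triggered for this session, or the session expired) and the form omits the field, both sides are null, the check is false, and no error is raised. The validation should require a non-empty token from the session and compare in constant time, e.g. `if (!is_string($expected) || $expected === '' || !is_string($actual) || !hash_equals($expected, $actual)) {`. In `csrf-load`, `$key = md5(uniqid());` derives the token from a microsecond timestamp rather than a CSPRNG; `$key = bin2hex(random_bytes(16));` yields an unguessable token of the same length. Both closures are complete within the hunk.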
@@ -1,2 +1,45 @@ | ||
# cradle-csrf | ||
CSRF helpers | ||
|
||
## Install | ||
|
||
``` | ||
composer require cradlephp/cradle-csrf | ||
``` | ||
|
||
Then in `/bootstrap.php`, add | ||
|
||
``` | ||
->register('cradlephp/cradle-csrf') | ||
``` | ||
|
||
## Usage | ||
|
||
In any of your routes add the following code. | ||
|
||
``` | ||
cradle()->trigger('csrf-load', $request, $response); | ||
``` | ||
|
||
The CSRF token will be found in `$request->getStage('csrf')`. In your form | ||
template, be sure to add this key in a hidden field like the following. | ||
|
||
``` | ||
<input name="csrf" value="{{csrf}}" /> | ||
``` | ||
|
||
When validating this form in a route you can use the following | ||
|
||
``` | ||
cradle()->trigger('csrf-validate', $request, $response); | ||
``` | ||
|
||
If there is an error, it will be found in the response error object message. | ||
You can check this using the following. | ||
|
||
``` | ||
if($response->isError()) { | ||
$message = $response->getMessage(); | ||
//report the error | ||
} | ||
``` |
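--- /dev/null
+++ b/PATH-NOT-SHOWN/composer.json
@@ -0,0 +1,25 @@
+{
+"name": "cradlephp/cradle-csrf",
+"type": "plugin",
+"description": "CSRF handler for Cradle",
+"minimum-stability": "dev",
+"keywords": [
+"cradle",
+"cradlephp"
+],
+"license": "MIT",
+"authors": [
+{
+"name": "Christian Blanquera",
+"email": "[email protected]"
+}
+],
+"require-dev": {
+"phpunit/phpunit": "7.0.2",
+"squizlabs/php_codesniffer": "3.2.3",
+"satooshi/php-coveralls": "2.0.0"
+},
+"require": {
+"cradlephp/framework": "~2.0.0"
+}
+}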