diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
index 803e000..2400eec 100644
--- a/.github/CODE_OF_CONDUCT.md
+++ b/.github/CODE_OF_CONDUCT.md
@@ -2,66 +2,101 @@ ## Our Pledge -As contributors and maintainers of this project, and in order to keep Yii community open and welcoming, we ask to respect all community members. +As contributors and maintainers of this project, and in order to keep Yii community open and welcoming, we ask to +respect all community members. ## Our Standards -Examples of behavior that contributes to creating a positive environment include: +Examples of behavior that contributes to a positive environment for our community include: -* Using welcoming and inclusive language -* Being respectful of differing viewpoints and experiences -* Gracefully accepting constructive criticism -* Focusing on what is best for the community -* Showing empathy towards other community members +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience +* Focusing on what is best not just for us as individuals, but for the overall community Examples of unacceptable behavior by participants include: -* The use of sexualized language or imagery and unwelcome sexual attention or - advances -* Personal attacks -* Trolling or insulting/derogatory comments, and personal or political attacks +* The use of sexualized language or imagery, and sexual attention or advances of any kind +* Trolling, insulting or derogatory comments, and personal or political attacks * Public or private harassment -* Publishing other's private information, such as physical or electronic - addresses, without explicit permission -* Other conduct which could reasonably be considered inappropriate in - a professional setting +* Publishing others' private information, such as a physical or email address, without their explicit permission +* Other conduct which could reasonably be considered inappropriate in 
a professional setting -## Our Responsibilities +## Enforcement Responsibilities -Project maintainers are responsible for clarifying the standards of acceptable -behavior and are expected to take appropriate and fair corrective action in response -to any instances of unacceptable behavior. +Core team members are responsible for clarifying and enforcing our standards of acceptable behavior and will take +appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. -Project maintainers have the right and responsibility to remove, edit, or reject comments, -commits, code, wiki edits, issues, and other contributions that are not aligned to this -Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors -that they deem inappropriate, threatening, offensive, or harmful. +Core team members have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, +issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for +moderation decisions when appropriate. ## Scope -This Code of Conduct applies both within project spaces and in public spaces when -an individual is representing the project or its community. Examples of representing -a project or community include posting via an official social media account, -within project GitHub, official forum or acting as an appointed representative at -an online or offline event. +This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing +the community in public spaces. Examples of representing a project or community include using an official e-mail +address, posting via an official social media account, within project GitHub, official forum or acting as an appointed +representative at an online or offline event. 
## Enforcement -Instances of abusive, harassing, or otherwise unacceptable behavior may be reported -by contacting core team members. All complaints will be reviewed and investigated -and will result in a response that is deemed necessary and appropriate to the circumstances. -The project team is obligated to maintain confidentiality with regard to the reporter of -an incident. Further details of specific enforcement policies may be posted separately. +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting core team members. All +complaints will be reviewed and investigated promptly and fairly. -Project maintainers who do not follow or enforce the Code of Conduct in good faith -may face temporary or permanent repercussions as determined by other members of -the project's leadership. +All core team members are obligated to respect the privacy and security of the reporter of any incident. + +## Enforcement Guidelines + +Core team members will follow these Community Impact Guidelines in determining the consequences for any action they +deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in +the community. + +**Consequence**: A private, written warning from core team members, providing clarity around the nature of the violation +and an explanation of why the behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series of actions. + +**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including +unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding +interactions in community spaces as well as external channels like social media. Violating these terms may lead to +a temporary or permanent ban. 
+ +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified +period of time. No public or private interaction with the people involved, including unsolicited interaction with those +enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate +behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within the community. ## Attribution -This Code of Conduct is adapted from the [Contributor Covenant][homepage], -version 1.4.0, available at -[http://contributor-covenant.org/version/1/4/][version] +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.1, available at +[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1]. + +Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder][Mozilla CoC]. + +For answers to common questions about this code of conduct, see the FAQ at +[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at +[https://www.contributor-covenant.org/translations][translations]. -[homepage]: http://contributor-covenant.org -[version]: http://contributor-covenant.org/version/1/4/ +[homepage]: https://www.contributor-covenant.org +[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html +[Mozilla CoC]: https://github.com/mozilla/diversity +[FAQ]: https://www.contributor-covenant.org/faq +[translations]: https://www.contributor-covenant.org/translations 
diff --git a/.github/workflows/bc.yml b/.github/workflows/bc.yml index 2ebbb74..ba3e9ef 100644 --- a/.github/workflows/bc.yml +++ b/.github/workflows/bc.yml @@ -1,15 +1,14 @@ on: - pull_request: - push: + - pull_request + - push name: backwards compatibility + jobs: - roave_bc_check: - name: Roave BC Check - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - name: fetch tags - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* - - name: Roave BC Check - uses: docker://nyholm/roave-bc-check-ga + roave_bc_check: + uses: yiisoft/actions/.github/workflows/bc.yml@master + with: + os: >- + ['ubuntu-latest'] + php: >- + ['8.0'] diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml new file mode 100644 index 0000000..bd79331 --- /dev/null +++ b/.github/workflows/rector.yml @@ -0,0 +1,23 @@ +on: + pull_request: + paths-ignore: + - 'docs/**' + - 'README.md' + - 'CHANGELOG.md' + - '.gitignore' + - '.gitattributes' + - 'infection.json.dist' + - 'psalm.xml' + +name: rector + +jobs: + rector: + uses: yiisoft/actions/.github/workflows/rector.yml@master + secrets: + token: ${{ secrets.YIISOFT_GITHUB_TOKEN }} + with: + os: >- + ['ubuntu-latest'] + php: >- + ['8.2'] diff --git a/.styleci.yml b/.styleci.yml index 63e26a5..1ab379b 100644 --- a/.styleci.yml +++ b/.styleci.yml @@ -1,20 +1,12 @@ preset: psr12 risky: true -version: 8 +version: 8.1 finder: exclude: - docs - vendor - - resources - - views - - public - - templates - not-name: - - UnionCar.php - - TimerUnionTypes.php - - schema1.php enabled: - alpha_ordered_traits @@ -64,7 +56,6 @@ enabled: - phpdoc_order - phpdoc_property - phpdoc_scalar - - phpdoc_separation - phpdoc_singular_inheritdoc - phpdoc_trim - phpdoc_trim_consecutive_blank_line_separation @@ -86,3 +77,9 @@ enabled: - trailing_comma_in_multiline_array - unalign_double_arrow - unalign_equals + - empty_loop_body_braces + - integer_literal_case + - union_type_without_spaces + +disabled: + - function_declaration 
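Review bot: The rector job in .github/workflows/rector.yml hands `secrets.YIISOFT_GITHUB_TOKEN` to a reusable workflow that is triggered by `pull_request`; GitHub does not expose repository secrets to that event for pull requests opened from forks, so the token will be empty in those runs. That is the safe side of the trade-off (fork-controlled code never sees the token), but if the reusable workflow uses it to push Rector fixes back to the PR branch, fork PRs will presumably fail or skip that step rather than be fixed — worth confirming against yiisoft/actions and recording next to the `secrets:` key, e.g. `# only available for branches of this repository; fork PRs run without a token`. Keeping `pull_request` rather than `pull_request_target` is the right choice here precisely because the job executes the PR's own code.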
diff --git a/CHANGELOG.md b/CHANGELOG.md index 142bfff..465c3a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,29 +1,34 @@ # Yii CSRF Protection Library Change Log -## 1.2.1 under development +## 2.0.1 under development - Enh: Add composer require checker into CI +## 2.0.0 February 14, 2023 + +- Chg #43: Adapt configuration group names to Yii conventions (@vjik) +- Enh #44: Add support of `yiisoft/session` version `^2.0` (@vjik) + ## 1.2.0 November 22, 2021 -- Chg #31: Update `yiisoft/http` dependency (devanych) -- Enh #30: Add a custom failure handler feature to `CsrfMiddleware` (solventt, devanych) +- Chg #31: Update `yiisoft/http` dependency (@devanych) +- Enh #30: Add a custom failure handler feature to `CsrfMiddleware` (@solventt, @devanych) ## 1.1.0 October 21, 2021 -- New #29: Add methods `CsrfMiddleware::getParameterName()` and `CsrfMiddleware::getHeaderName()` (vjik) +- New #29: Add methods `CsrfMiddleware::getParameterName()` and `CsrfMiddleware::getHeaderName()` (@vjik) ## 1.0.3 August 30, 2021 -- Chg #28: Use definitions from `yiisoft/definitions` in configuration (vjik) +- Chg #28: Use definitions from `yiisoft/definitions` in configuration (@vjik) ## 1.0.2 April 13, 2021 -- Chg: Adjust config for yiisoft/factory changes (vjik, samdark) +- Chg: Adjust config for `yiisoft/factory` changes (@vjik, @samdark) ## 1.0.1 March 23, 2021 -- Chg: Adjust config for new config plugin (samdark) +- Chg: Adjust config for new config plugin (@samdark) ## 1.0.0 February 23, 2021 diff --git a/README.md b/README.md index 6f5be7e..b6c8be9 100644 --- a/README.md +++ b/README.md 
@@ -20,7 +20,7 @@ The package provides [PSR-15](https://www.php-fig.org/psr/psr-15/) middleware fo - It supports two algorithms out of the box: - Synchronizer CSRF token with customizable token generation and storage. By default, it uses random data and session. - HMAC based token with customizable identity generation. Uses session by default. -- It has ability to apply masking to CSRF token string to make [BREACH attack](http://breachattack.com/) impossible. +- It has ability to apply masking to CSRF token string to make [BREACH attack](https://breachattack.com/) impossible. ## Requirements @@ -147,7 +147,7 @@ To learn more about HMAC based token pattern ### Masked CSRF token `MaskedCsrfToken` is a decorator for `CsrfTokenInterface` that applies masking to a token string. -It makes [BREACH attack](http://breachattack.com/) impossible, so it is safe to use token in HTML to be later passed to +It makes [BREACH attack](https://breachattack.com/) impossible, so it is safe to use token in HTML to be later passed to the next request either as a hidden form field or via JavaScript async request. It is recommended to always use this decorator. diff --git a/composer.json b/composer.json index 8d52bfe..0348f18 100644 --- a/composer.json +++ b/composer.json @@ -30,15 +30,17 @@ "psr/http-server-middleware": "^1.0", "yiisoft/http": "^1.2", "yiisoft/security": "^1.0", - "yiisoft/session": "^1.0" + "yiisoft/session": "^1.0|^2.0" }, "require-dev": { "maglnet/composer-require-checker": "^4.2", "nyholm/psr7": "^1.3", "phpunit/phpunit": "^9.5", + "rector/rector": "^0.18.5", "roave/infection-static-analysis-plugin": "^1.16", "spatie/phpunit-watcher": "^1.23", - "vimeo/psalm": "^4.18" + "vimeo/psalm": "^4.30|^5.6", + "yiisoft/di": "^1.1" }, "autoload": { "psr-4": { @@ -56,7 +58,7 @@ }, "config-plugin": { "params": "params.php", - "web": "web.php" + "di-web": "di-web.php" } }, "config": { 
diff --git a/config/web.php b/config/di-web.php
similarity index 100%
rename from config/web.php
rename to config/di-web.php
diff --git a/psalm.xml b/psalm.xml
index 3240886..277e73d 100644
--- a/psalm.xml
+++ b/psalm.xml
@@ -1,7 +1,8 @@ paths([ + __DIR__ . '/src', + __DIR__ . '/tests', + ]); + + // register a single rule + $rectorConfig->rule(InlineConstructorDefaultToPropertyRector::class); + + // define sets of rules + $rectorConfig->sets([ + LevelSetList::UP_TO_PHP_74, + ]); + + $rectorConfig->skip([ + ClosureToArrowFunctionRector::class, + JsonThrowOnErrorRector::class, + ]); +};
diff --git a/src/Synchronizer/Storage/CsrfTokenStorageInterface.php b/src/Synchronizer/Storage/CsrfTokenStorageInterface.php
index 40e4064..8b1dd26 100644
--- a/src/Synchronizer/Storage/CsrfTokenStorageInterface.php
+++ b/src/Synchronizer/Storage/CsrfTokenStorageInterface.php
@@ -16,8 +16,6 @@ public function get(): ?string; /** * Write CSRF token into a storage. - * - * @param string $token */ public function set(string $token): void;
diff --git a/tests/ConfigTest.php b/tests/ConfigTest.php
new file mode 100644
index 0000000..4e61ba2
--- /dev/null
+++ b/tests/ConfigTest.php
@@ -0,0 +1,55 @@ +createContainer(); + + $csrfToken = $container->get(CsrfTokenInterface::class); + $synchronizerCsrfToken = $container->get(SynchronizerCsrfToken::class); + $hmacCsrfToken = $container->get(HmacCsrfToken::class); + + $this->assertInstanceOf(MaskedCsrfToken::class, $csrfToken); + $this->assertInstanceOf(SynchronizerCsrfToken::class, $synchronizerCsrfToken); + $this->assertInstanceOf(HmacCsrfToken::class, $hmacCsrfToken); + } + + private function createContainer(?array $params = null): Container + { + return new Container( + ContainerConfig::create()->withDefinitions( + $this->getDiConfig($params) + + + [SessionInterface::class => NullSession::class] + ) + ); + } + + private function getDiConfig(?array $params = null): array + { + if ($params === null) { + $params = $this->getParams(); + } + return require dirname(__DIR__) . '/config/di-web.php'; + } + + private function getParams(): array + { + return require dirname(__DIR__) . '/config/params.php'; + } +}
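Review bot: In `getDiConfig()` the `$params` variable looks dead after the null check, but it is read by `config/di-web.php` because `require` executes that file in this method's scope; without a comment a static analyser or a later cleanup will drop it and silently break the config, so add `// $params is consumed by config/di-web.php, which require executes in this scope` above the `require`. In `createContainer()` the `+` union keeps the left-hand definitions, so the `NullSession` entry only takes effect if di-web.php does not itself define `SessionInterface`; if it is meant as a test override, `array_merge($this->getDiConfig($params), [SessionInterface::class => NullSession::class])` makes the test's value win regardless. The first assertion is the security-relevant one — it pins `CsrfTokenInterface` to the `MaskedCsrfToken` decorator that the README describes as the BREACH mitigation — and deserves a one-line comment saying so, since a config regression here would remove the masking without any other test noticing. The class header and `use` imports of this file are not visible in this view, so they could not be checked.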