From 91e682181ad793c2320492269e205ed8d4442205 Mon Sep 17 00:00:00 2001
From: hacan359 <05hacan@gmail.com>
Date: Wed, 7 Feb 2024 18:11:41 +0300
Subject: [PATCH 1/6] Add stubcsrf
---
 README.md | 11 ++++++++---
 src/StubCsrfToken.php | 36 ++++++++++++++++++++++++++++++++++++
 tests/StubCsrfTokenTest.php | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 79 insertions(+), 3 deletions(-)
 create mode 100644 src/StubCsrfToken.php
 create mode 100644 tests/StubCsrfTokenTest.php
diff --git a/README.md b/README.md
index b6c8be9..94d99c5 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,8 @@ The package provides [PSR-15](https://www.php-fig.org/psr/psr-15/) middleware for CSRF protection:
 - It supports two algorithms out of the box:
- - Synchronizer CSRF token with customizable token generation and storage. By default, it uses random data and session.
+ - Synchronizer CSRF token with customizable token generation and storage. By default, it uses random data and
+ session.
 - HMAC based token with customizable identity generation. Uses session by default.
 - It has ability to apply masking to CSRF token string to make [BREACH attack](https://breachattack.com/) impossible.
@@ -122,7 +123,7 @@ token that came from the form is compared against the token stored.
 Package provides `RandomCsrfTokenGenerator` that generates a random token and `SessionCsrfTokenStorage` that persists a token between requests in a user session.
-To learn more about the synchronizer token pattern,
 [check OWASP CSRF cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern).
 ### HMAC based token
@@ -154,6 +155,9 @@ It is recommended to always use this decorator.
 ## Testing
+The `StubCsrfToken` class can be useful when mocking CSRF token behavior during unit testing or when providing
+placeholder functionality in temporary solutions.
+
 ### Unit testing
 The package is tested with [PHPUnit](https://phpunit.de/). To run tests:
@@ -181,7 +185,8 @@ The code is statically analyzed with [Psalm](https://psalm.dev/). To run static
 ## License
-The Yii CSRF Protection Library is free software. It is released under the terms of the BSD License. Please see [`LICENSE`](./LICENSE.md) for more information.
+The Yii CSRF Protection Library is free software. It is released under the terms of the BSD License. Please
+see [`LICENSE`](./LICENSE.md) for more information.
 Maintained by [Yii Software](https://www.yiiframework.com/).
diff --git a/src/StubCsrfToken.php b/src/StubCsrfToken.php
new file mode 100644
index 0000000..4c55aa8
--- /dev/null
+++ b/src/StubCsrfToken.php
@@ -0,0 +1,36 @@
+token = $token;
+ if (null === $token) {
+ $this->token = Random::string();
+ }
+ }
+
+ public function getValue(): string
+ {
+ return $this->token;
+ }
+
+ public function validate(string $token): bool
+ {
+ return $this->token === $token;
+ }
+}
diff --git a/tests/StubCsrfTokenTest.php b/tests/StubCsrfTokenTest.php
new file mode 100644
index 0000000..66969b3
--- /dev/null
+++ b/tests/StubCsrfTokenTest.php
@@ -0,0 +1,35 @@
+assertSame($csrfToken, $stubToken->getValue());
+ }
+
+ public function testValidate(): void
+ {
+ $csrfToken = Random::string();
+ $stubToken = new StubCsrfToken($csrfToken);
+ $this->assertTrue($stubToken->validate($csrfToken));
+ $this->assertFalse($stubToken->validate(Random::string()));
+ }
+
+ public function testEmptyToken(): void
+ {
+ $stubToken = new StubCsrfToken();
+ $token = $stubToken->getValue();
+ $this->assertNotEmpty($token);
+ $this->assertTrue($stubToken->validate($token));
+ }
+}
From 272b99b8d4588f9b39d7b76656f4fe7207c54d7b Mon Sep 17 00:00:00 2001
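Review bot: `validate()` compares the stored token with `===`, which is not a constant-time comparison, while the README text added in the same patch offers the class as `placeholder functionality in temporary solutions`, i.e. a path onto real request handling rather than only into tests. Changing the return to `return hash_equals($this->token, $token);` keeps the same result and follows the comparison discipline expected of a `CsrfTokenInterface` implementation (whether the package's other implementations already do this is not visible here). The top of this hunk, including the file header and the opening of the constructor, is cut off in this view, so only the visible methods are reviewed.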
From: hacan359 <05hacan@gmail.com>
Date: Wed, 7 Feb 2024 18:16:19 +0300
Subject: [PATCH 2/6] Add stubcsrf
---
 src/StubCsrfToken.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/StubCsrfToken.php b/src/StubCsrfToken.php
index 4c55aa8..8ac264f 100644
--- a/src/StubCsrfToken.php
+++ b/src/StubCsrfToken.php
@@ -14,14 +14,14 @@
 */
 final class StubCsrfToken implements CsrfTokenInterface
 {
- private ?string $token;
+ private string $token;
 public function __construct(?string $token = null)
 {
- $this->token = $token;
 if (null === $token) {
- $this->token = Random::string();
+ $token = Random::string();
 }
+ $this->token = $token;
 }
 public function getValue(): string
From 24f68880bc5635e97e2077f5017424b0d66d80b5 Mon Sep 17 00:00:00 2001
From: Sergei Predvoditelev
Date: Wed, 7 Feb 2024 20:59:10 +0300
Subject: [PATCH 3/6] improve tests
---
 tests/StubCsrfTokenTest.php | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/tests/StubCsrfTokenTest.php b/tests/StubCsrfTokenTest.php
index 66969b3..91df406 100644
--- a/tests/StubCsrfTokenTest.php
+++ b/tests/StubCsrfTokenTest.php
@@ -6,23 +6,20 @@
 use PHPUnit\Framework\TestCase;
 use Yiisoft\Csrf\StubCsrfToken;
-use Yiisoft\Security\Random;
 final class StubCsrfTokenTest extends TestCase
 {
 public function testValue(): void
 {
- $csrfToken = Random::string();
- $stubToken = new StubCsrfToken($csrfToken);
- $this->assertSame($csrfToken, $stubToken->getValue());
+ $stubToken = new StubCsrfToken('test');
+ $this->assertSame('test', $stubToken->getValue());
 }
 public function testValidate(): void
 {
- $csrfToken = Random::string();
- $stubToken = new StubCsrfToken($csrfToken);
- $this->assertTrue($stubToken->validate($csrfToken));
- $this->assertFalse($stubToken->validate(Random::string()));
+ $stubToken = new StubCsrfToken('test');
+ $this->assertTrue($stubToken->validate('test'));
+ $this->assertFalse($stubToken->validate('other'));
 }
 public function testEmptyToken(): void
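Review bot: The constructor still wraps the default in an `if (null === $token)` block around `Random::string()`; now that `$token` is a plain `string` property, the whole body reduces to one assignment, `$this->token = $token ?? Random::string();`, which states the non-null guarantee at the point where the property is set. The rest of the class (`getValue()` onward) is outside this hunk.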
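Review bot: The rewritten `testValue` and `testValidate` pin behavior against the literal `'test'`, but no test in the file checks that the token generated when the constructor gets no argument is fresh per instance; `testEmptyToken`, whose body lies outside this hunk, only asserts the generated value is non-empty and validates against itself. Adding `self::assertNotSame((new StubCsrfToken())->getValue(), (new StubCsrfToken())->getValue());` would catch a regression to a constant default. Since the default comes from `Random::string()`, this assertion should hold as the class stands.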
From 25167c14b0cbb728821b138caaa6f2058bc32955 Mon Sep 17 00:00:00 2001
From: Sergei Predvoditelev
Date: Wed, 7 Feb 2024 21:00:44 +0300
Subject: [PATCH 4/6] fix docs
---
 README.md | 10 ++++++----
 src/StubCsrfToken.php | 2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 94d99c5..8e3659e 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ The package provides [PSR-15](https://www.php-fig.org/psr/psr-15/) middleware fo
 The package could be installed with composer:
 ```shell
-composer require yiisoft/csrf --prefer-dist
+composer require yiisoft/csrf
 ```
 ## General usage
@@ -145,6 +145,11 @@ Parameters set via the `HmacCsrfToken` constructor are:
 To learn more about HMAC based token pattern
 [check OWASP CSRF cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#hmac-based-token-pattern).
+### Stub CSRF token
+
+The `StubCsrfToken` class can be useful when mocking CSRF token behavior during unit testing or when providing
+placeholder functionality in temporary solutions.
+
 ### Masked CSRF token
 `MaskedCsrfToken` is a decorator for `CsrfTokenInterface` that applies masking to a token string.
@@ -155,9 +160,6 @@ It is recommended to always use this decorator.
 ## Testing
-The `StubCsrfToken` class can be useful when mocking CSRF token behavior during unit testing or when providing
-placeholder functionality in temporary solutions.
-
 ### Unit testing
 The package is tested with [PHPUnit](https://phpunit.de/). To run tests:
diff --git a/src/StubCsrfToken.php b/src/StubCsrfToken.php
index 8ac264f..6c21f34 100644
--- a/src/StubCsrfToken.php
+++ b/src/StubCsrfToken.php
@@ -7,7 +7,7 @@
 use Yiisoft\Security\Random;
 /**
- * StubCsrfToken represents a simple implementation of CsrfTokenInterface.
+ * `StubCsrfToken` represents a simple implementation of `CsrfTokenInterface`.
 *
 * This implementation simply stores and returns a token string. It does not perform any additional validation.
 * It is primarily used for testing or as a placeholder implementation.
From cfd3e8b35464a81f4bf8957616c192bba405db3c Mon Sep 17 00:00:00 2001
From: Sergei Predvoditelev
Date: Wed, 7 Feb 2024 21:01:35 +0300
Subject: [PATCH 5/6] changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 90cd716..6c9dbca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 ## 2.0.1 under development
+- New #53: Add `StubCsrfToken` (@hacan359)
 - Bug #36: Explicitly add transitive dependencies `yiisoft/strings`, `psr/http-server-handler` and `ext-hash` (@vjik, @xepozz)
From 4dec69e65bd2561fdf5e725691e0dcd9f6aa1ec8 Mon Sep 17 00:00:00 2001
From: Sergei Predvoditelev
Date: Wed, 7 Feb 2024 21:03:39 +0300
Subject: [PATCH 6/6] readme
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8e3659e..78587be 100644
--- a/README.md
+++ b/README.md
@@ -147,7 +147,8 @@ To learn more about HMAC based token pattern
 ### Stub CSRF token
-The `StubCsrfToken` class can be useful when mocking CSRF token behavior during unit testing or when providing
+The `StubCsrfToken` simply stores and returns a token string. It does not perform any additional validation.
+This implementation can be useful when mocking CSRF token behavior during unit testing or when providing
 placeholder functionality in temporary solutions.
 ### Masked CSRF token
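Review bot: The docblock calls `StubCsrfToken` "a placeholder implementation" but does not say what a caller gives up by choosing it: the token is a single string fixed in the constructor and not bound to any session or identity, so `validate()` accepts it for whichever request presents it and the class provides no CSRF protection. Add a line after the existing description, ` * The token is not bound to a session or identity; this class provides no CSRF protection and is intended for tests only.`, so the limitation is stated where the class is picked up. The same sentence is missing from the `### Stub CSRF token` README section this commit introduces, which presents the class as fit for "temporary solutions".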