Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/Ocramius/PSR7Csrf

:no_entry: PSR-7 storage-less CSRF token generation/validation
https://github.com/Ocramius/PSR7Csrf

Last synced: 3 days ago
JSON representation

:no_entry: PSR-7 storage-less CSRF token generation/validation

Host: GitHub
URL: https://github.com/Ocramius/PSR7Csrf
Owner: Ocramius
License: mit
Archived: true
Created: 2016-03-20T13:24:15.000Z (over 8 years ago)
Default Branch: master
Last Pushed: 2018-08-11T08:35:22.000Z (almost 6 years ago)
Last Synced: 2024-05-02T01:01:36.974Z (2 months ago)
Language: PHP
Homepage:
Size: 234 KB
Stars: 180
Watchers: 14
Forks: 3
Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE

Lists

awesome-psr7 - PSR-7 Storage-less HTTP CSRF protection

README

        # PSR-7 Storage-less HTTP CSRF protection

[![Build Status](https://travis-ci.org/Ocramius/PSR7Csrf.svg)](https://travis-ci.org/Ocramius/PSR7Csrf)

[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/Ocramius/PSR7Csrf/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/Ocramius/PSR7Csrf/?branch=master)

[![Code Coverage](https://scrutinizer-ci.com/g/Ocramius/PSR7Csrf/badges/coverage.png?b=master)](https://scrutinizer-ci.com/g/Ocramius/PSR7Csrf/?branch=master)

[![Packagist](https://img.shields.io/packagist/v/ocramius/psr7-csrf.svg)](https://packagist.org/packages/ocramius/psr7-csrf)

[![Packagist](https://img.shields.io/packagist/vpre/ocramius/psr7-csrf.svg)](https://packagist.org/packages/ocramius/psr7-csrf)

**PSR7Csrf** is a [PSR-7](http://www.php-fig.org/psr/psr-7/)

[middleware](https://mwop.net/blog/2015-01-08-on-http-middleware-and-psr-7.html) that enables

[CSRF](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) protection for PSR-7 based applications.

# DEPRECATED in favor of `psr7-sessions/storageless` 5.0.0+

Please note that this package is **DEPRECATED**.

Since [`psr7-sessions/storageless` 5.0.0](https://github.com/psr7-sessions/storageless/releases/tag/5.0.0),

the generated cookies are CSRF-resistant by default for unsafe HTTP methods (`POST`/`PUT`/`DELETE`/`PATCH`/etc.),

so the usage of this package is no longer needed.

You can still install `ocramius/psr7-csrf`, but since there is no practical need for it,

it is not necessary to do so.

### What is this about?

Instead of storing tokens in the session, PSR7Csrf simply uses JWT tokens,

which can be verified, signed and have a specific lifetime on their own.

This storage-less approach prevents having to load tokens from a session

or from a database, and simplifies the entire UI workflow: tokens are

valid as long as their signature and expiration date holds.

### Installation

```sh

composer require ocramius/psr7-csrf

```

### Usage

The simplest usage is based on defaults. It assumes that you have

a configured PSR-7 compatible application that supports piping

middlewares, and it also requires you to run [PSR7Session](https://github.com/Ocramius/PSR7Session).

In a [`zendframework/zend-expressive`](https://github.com/zendframework/zend-expressive)

application, the setup would look like the following:

```php

$app = \Zend\Expressive\AppFactory::create();

$app->pipe(\PSR7Session\Http\SessionMiddleware::fromSymmetricKeyDefaults(

    'mBC5v1sOKVvbdEitdSBenu59nfNfhwkedkJVNabosTw=', // replace this with a key of your own (see PSR7Session docs)

    1200 // 20 minutes session duration

));

$app->pipe(\PSR7Csrf\Factory::createDefaultCSRFCheckerMiddleware());

```

This setup will require that any requests that are not `GET`, `HEAD` or

`OPTIONS` contain a `csrf_token` in the request body parameters (JSON

or URL-encoded).

You can generate the CSRF token for any form like following:

```php

$tokenGenerator = \PSR7Csrf\Factory::createDefaultTokenGenerator();

$app->get('/get', function ($request, $response) use ($tokenGenerator) {

    $response

        ->getBody()

        ->write(

            ''

            . ''

            . ''

            . ''

        );

    return $response;

});

$app->post('/post', function ($request, $response) {

    $response

        ->getBody()

        ->write('It works!');

    return $response;

});

```

### Examples

```sh

composer install # install at the root of this package first!

cd examples

composer install

php -S localhost:9999 index.php

```

Then try accessing `http://localhost:9999`: you should see a simple

submission form.

If you try modifying the submitted CSRF token (which is in a hidden

form field), then the `POST` request will fail.

### Known limitations

Please refer to the [known limitations of PSR7Session](https://github.com/Ocramius/PSR7Session/blob/master/docs/limitations.md).

Also, this component does *NOT* prevent double-form-submissions: it

merely prevents CSRF attacks from third parties. As long as the CSRF

token is valid, it can be reused over multiple requests.

### Contributing

Please refer to the [contributing notes](CONTRIBUTING.md).

### License

This project is made public under the [MIT LICENSE](LICENSE).