Releases: PhpGt/Csrf

Token improvements and minor tweaks

23 Sep 12:07
30d67a6

What's Changed

  • Bump phpstan/phpstan from 1.8.0 to 1.8.1 by @dependabot in #160
  • maintenance: dependabot by @g105b in #171
  • test: improve all tests by @g105b in #172
  • docs: bring readme up to date by @g105b in #173
  • feature: multiple tokens exposed with comma separated meta content by @g105b in #174

Full Changelog: v1.8.0...v1.9.0

DOM v4

02 Jul 10:15
42bd6f3

This release upgrades to phpgt/dom v4 and, while reworking its dependencies, introduces hard dependencies (to avoid constant dependabot upgrades).

DOM v3

17 Oct 17:27
301ede2

PHP.Gt/Dom is now upgraded to v3, which brings a lot of improvements to compatibility with the W3C spec. The good news is that the existing functionality isn't changed at all, so the single change needed to make Csrf compatible with this new version was to drop the saveHTML() function call on the Document object and replace it with a string cast.

Have fun!

CI and type safety improvements

29 Jan 11:33
8f58938

This patch release includes two improvements:

  • CI is handled by GitHub Actions now - you can check out the build history at https://github.com/PhpGt/Csrc/actions
  • PHPStan level 6 has been applied to the code, meaning certain type hints have been improved for greater readability and future maintainability.

Have fun!

HTMLDocumentProtector returns token once generated

06 May 17:51
f98b9eb

This library doesn't get many releases because of its simplicity, but today we're releasing a simple change as an improvement that WebEngine will take advantage of straight away.

The protectAndInject function of the HTMLDocumentProtector now returns the token it generates, which will be used to send the token as a response header in the WebEngine's dispatcher.

The purpose of this change is simply to make client-side development slightly easier when dealing with CSRF tokens, specifically when making POST requests, such as when uploading a file using the browser's fetch API.

Random bytes

08 Jul 10:48

Utilising PHP's inbuilt random_bytes function allows us to drop the large dependency tree that came with random_lib, which we were depending on before. This makes a significant improvement to the number of dependencies that are shipped along with WebEngine.

The standard "asArray" function is added in this release too, increasing consistency with other PhpGt repositories.

Only protect POST requests

10 Jun 14:55
ae4ea61

By default this library was protecting against all types of incoming request, by injecting the token into all forms on all pages. However, not only is protecting against CSRF attacks on GET requests unnecessary, it can actually cause issues by exposing CSRF tokens in the URL when forms are submitted.

This led to issues with browsers' back/forward buttons triggering expired tokens, which is not the expected behaviour of any sort of application.

HTMLDocumentProtector only protects POST forms

02 Jan 19:24
0f39d43

Up to this point, HTMLDocumentProtector's protectAndInject method added CSRF tokens to all forms, regardless of method.

Having CSRF tokens on GET requests doesn't lead to a good user experience (and does not protect you against anything). Once a form is submitted with a GET request, the token is added to the URL, which means that visiting the URL again (or simply refreshing the browser) causes the protection to throw an exception because the token has already been consumed.

There is no need to protect against CSRF on GET requests anyway, because GET requests should never affect the state of an application.
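The POST-only injection and one-time consumption described above, as an added example that is not PhpGt/Csrf's own code: it uses PHP's core DOMDocument rather than PhpGt/Dom, and the function names and the `csrf-token` field name are assumptions.

```php
<?php
// Added example (not PhpGt/Csrf code): inject a one-time CSRF token only into POST
// forms and consume it on verification. Function and field names are assumptions.
declare(strict_types=1);
function generateToken(): string {
    // random_bytes is a CSPRNG; 32 bytes -> 64 hex characters
    return bin2hex(random_bytes(32));
}
/** Add a hidden token field to every POST form; GET forms are deliberately skipped. */
function protectPostForms(string $html, string $token, string $fieldName = "csrf-token"): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate HTML5 elements libxml doesn't know
    $doc->loadHTML($html);
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName("form") as $form) {
        // A token in a GET form lands in the URL and is replayed on refresh/back.
        if (strtolower($form->getAttribute("method")) !== "post") {
            continue;
        }
        $input = $doc->createElement("input");
        $input->setAttribute("type", "hidden");
        $input->setAttribute("name", $fieldName);
        $input->setAttribute("value", $token);
        $form->appendChild($input);
    }
    return (string)$doc->saveHTML();
}
/** Check a submitted token against the stored set and remove it (single use). */
function verifyAndConsume(array &$validTokens, string $submitted): bool {
    foreach ($validTokens as $key => $stored) {
        if (hash_equals($stored, $submitted)) { // constant-time comparison
            unset($validTokens[$key]);
            return true;
        }
    }
    return false;
}
// Constructed sample page: one GET search form, one POST upload form.
$page = '<!doctype html><html><body>'
    . '<form method="get" action="/search"><input name="q"></form>'
    . '<form method="post" action="/upload"><input type="file" name="f"></form>'
    . '</body></html>';
$storedTokens = [generateToken()]; // stand-in for a session-backed token store
$token = $storedTokens[0];
echo protectPostForms($page, $token); // only the /upload form gains the hidden field
// The first verification consumes the token, so the replayed submission is rejected.
var_dump(verifyAndConsume($storedTokens, $token));
var_dump(verifyAndConsume($storedTokens, $token));
```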

Removed mixtures of static/non-static members

04 Dec 21:48

An important point in the styleguide is to never mix static and non-static members within the same class.

While the code itself worked fine, the problems became apparent when PHPUnit ran tests concurrently -- it became difficult to reason about state that was encapsulated within an object for one property but shared amongst all objects for another.

Because of the slight change to API, this release is a minor version increase as opposed to a patch.

Full test coverage

04 Dec 18:52

As part of the effort to get the codebase 100% tested, many small changes have been made, all of them very minor.

There is one more backwards-breaking change planned which will be released in 1.3.0.