public
|
#
__construct( boolean $useCookies = true )
Creates a new instance of CSRFHandler.
Creates a new instance of CSRFHandler.
When creating a new instance, it will be initialized with either cookie
storage or session storage depending on whether you pass true or false
as the constructor parameter (defaults to cookie). The actual token won't
be loaded until the token is validated, though. By default, the handler
will also use post and header data to look for submitted tokens.
Parameters
- $useCookies
- True for cookie storage, false for session storage
|
public
|
#
setGenerator( Riimu\Kit\SecureRandom\SecureRandom $generator )
Sets the random generator for generating secure random bytes.
Sets the random generator for generating secure random bytes.
Parameters
- $generator
- Secure random generator
|
public
Riimu\Kit\SecureRandom\SecureRandom
|
#
getGenerator( )
Returns the current secure random generator.
Returns the current secure random generator.
Returns
Riimu\Kit\SecureRandom\SecureRandom
Current secure random generator
|
public
|
#
setStorage( Riimu\Kit\CSRF\Storage\TokenStorage $storage )
Sets the persistent storage for the CSRF token.
Sets the persistent storage for the CSRF token.
The token storage should be set before you create new tokens or attempt
to validate tokens, because the storage is only used the first time the
token is needed.
Parameters
- $storage
- Persistent storage handler
|
public
|
#
setSources( array $sources )
Sets the possible sources for submitted token.
Sets the possible sources for submitted token.
Multiple sources can be added using an array. The handler will look for
the token from the sources in the order they appear in the array.
Parameters
- $sources
- List of token sources.
|
public
boolean
|
#
isValidatedRequest( )
Tells if the request method indicates that the CSRF token should be validated.
Tells if the request method indicates that the CSRF token should be validated.
Returns
boolean
True if the token should be validated, false if not
|
public
boolean
|
#
validateRequest( boolean $throw = false )
Validates the csrf token in the HTTP request.
Validates the csrf token in the HTTP request.
This method should be called in the beginning of the request. By default,
POST, PUT and DELETE requests will be validated for a valid CSRF token.
If the request does not provide a valid CSRF token, this method will
kill the script and send a HTTP 400 (bad request) response to the
browser.
This method also accepts a single parameter than can be either true or
false. If the parameter is set to true, this method will throw an
InvalidCSRFTokenException instead of killing the script if no valid CSRF
token was provided in the request.
This method will always trigger the token storage. If you are using the
cookie storage, this method must be called before the headers have been
sent. If you are using the session storage instead, you must start the
session before calling this method.
Parameters
- $throw
- True to throw an exception on invalid token, false to kill the script
Returns
boolean
This method always returns true
Throws
|
protected
|
#
killScript( )
Kills the script execution and sends the appropriate header.
Kills the script execution and sends the appropriate header.
Codecoverageignore
|
public
boolean
|
#
validateRequestToken( )
Validates the token sent in the request.
Validates the token sent in the request.
Returns
boolean
True if the token sent in the request is valid, false if not
Throws
|
public
boolean
|
#
validateToken( string $token )
Validates the csrf token.
Validates the csrf token.
The token must be provided as a base64 encoded string which also includes
the token encryption key. In other words, you should pass this method the
exact same string that has been returned by the getToken() method.
Parameters
- $token
- The base64 encoded token provided by getToken()
Returns
boolean
True if the token is valid, false if it is not
Throws
|
public
string
|
#
getToken( )
Generates a new secure base64 encoded csrf token.
Generates a new secure base64 encoded csrf token.
This method returns a new string every time it is called, because it
always generates a new encryption key for the token. Of course, each of
these tokens is a valid CSRF token, unless the regenerateToken() method
is called.
Returns
string
Base64 encoded CSRF token
Throws
|
public
Riimu\Kit\CSRF\CSRFHandler
|
#
regenerateToken( )
Regenerates the actual CSRF token.
Regenerates the actual CSRF token.
After this method has been called, any token that has been previously
generated by getToken() is no longer considered valid. It is highly
recommended to regenerate the CSRF token after any user authentication.
Returns
Throws
|
public
string
|
#
getTrueToken( )
Returns the current actual CSRF token.
Returns the current actual CSRF token.
This returns the current actual 32 byte random string that is used to
validate the CSRF tokens submitted in requests.
Returns
string
The current actual CSRF token
Throws
|
public
string|false
|
#
getRequestToken( )
Returns the token sent in the request.
Returns the token sent in the request.
Returns
string|false
The token sent in the request or false if there is none
|