mirror of
https://github.com/skipperbent/simple-php-router.git
synced 2026-07-11 21:02:15 +00:00
Merge branch 'v4-development' of github.com:skipperbent/simple-php-router into v4-development
This commit is contained in:
@@ -12,7 +12,17 @@ class BaseCsrfVerifier implements IMiddleware
|
|||||||
public const POST_KEY = 'csrf_token';
|
public const POST_KEY = 'csrf_token';
|
||||||
public const HEADER_KEY = 'X-CSRF-TOKEN';
|
public const HEADER_KEY = 'X-CSRF-TOKEN';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Urls to ignore. You can use * to exclude all sub-urls on a given path.
|
||||||
|
* For example: /admin/*
|
||||||
|
* @var array|null
|
||||||
|
*/
|
||||||
protected $except;
|
protected $except;
|
||||||
|
/**
|
||||||
|
* Urls to include. Can be used to include urls from a certain path.
|
||||||
|
* @var array|null
|
||||||
|
*/
|
||||||
|
protected $include;
|
||||||
protected $tokenProvider;
|
protected $tokenProvider;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -34,11 +44,7 @@ class BaseCsrfVerifier implements IMiddleware
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
$max = count($this->except) - 1;
|
foreach($this->except as $url) {
|
||||||
|
|
||||||
for ($i = $max; $i >= 0; $i--) {
|
|
||||||
$url = $this->except[$i];
|
|
||||||
|
|
||||||
$url = rtrim($url, '/');
|
$url = rtrim($url, '/');
|
||||||
if ($url[strlen($url) - 1] === '*') {
|
if ($url[strlen($url) - 1] === '*') {
|
||||||
$url = rtrim($url, '*');
|
$url = rtrim($url, '*');
|
||||||
@@ -48,6 +54,24 @@ class BaseCsrfVerifier implements IMiddleware
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($skip === true) {
|
if ($skip === true) {
|
||||||
|
|
||||||
|
if($this->include !== null && count($this->include) > 0) {
|
||||||
|
foreach($this->include as $includeUrl) {
|
||||||
|
$includeUrl = rtrim($includeUrl, '/');
|
||||||
|
if ($includeUrl[strlen($includeUrl) - 1] === '*') {
|
||||||
|
$includeUrl = rtrim($includeUrl, '*');
|
||||||
|
$skip = !$request->getUrl()->contains($includeUrl);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
$skip = !($includeUrl === $request->getUrl()->getOriginalUrl());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if($skip === false) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,66 @@
|
|||||||
|
<?php
|
||||||
|
require_once 'Dummy/CsrfVerifier/DummyCsrfVerifier.php';
|
||||||
|
require_once 'Dummy/Security/SilentTokenProvider.php';
|
||||||
|
|
||||||
|
class CsrfVerifierTest extends \PHPUnit\Framework\TestCase
|
||||||
|
{
|
||||||
|
|
||||||
|
public function testTokenPass()
|
||||||
|
{
|
||||||
|
global $_POST;
|
||||||
|
|
||||||
|
$tokenProvider = new SilentTokenProvider();
|
||||||
|
|
||||||
|
$_POST[DummyCsrfVerifier::POST_KEY] = $tokenProvider->getToken();
|
||||||
|
|
||||||
|
TestRouter::router()->reset();
|
||||||
|
|
||||||
|
$router = TestRouter::router();
|
||||||
|
$router->getRequest()->setMethod(\Pecee\Http\Request::REQUEST_TYPE_POST);
|
||||||
|
$router->getRequest()->setUrl(new \Pecee\Http\Url('/page'));
|
||||||
|
$csrf = new DummyCsrfVerifier();
|
||||||
|
$csrf->setTokenProvider($tokenProvider);
|
||||||
|
|
||||||
|
$csrf->handle($router->getRequest());
|
||||||
|
|
||||||
|
// If handle doesn't throw exception, the test has passed
|
||||||
|
$this->assertTrue(true);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testTokenFail()
|
||||||
|
{
|
||||||
|
$this->expectException(\Pecee\Http\Middleware\Exceptions\TokenMismatchException::class);
|
||||||
|
|
||||||
|
global $_POST;
|
||||||
|
|
||||||
|
$tokenProvider = new SilentTokenProvider();
|
||||||
|
|
||||||
|
$router = TestRouter::router();
|
||||||
|
$router->getRequest()->setMethod(\Pecee\Http\Request::REQUEST_TYPE_POST);
|
||||||
|
$router->getRequest()->setUrl(new \Pecee\Http\Url('/page'));
|
||||||
|
$csrf = new DummyCsrfVerifier();
|
||||||
|
$csrf->setTokenProvider($tokenProvider);
|
||||||
|
|
||||||
|
$csrf->handle($router->getRequest());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testExcludeInclude()
|
||||||
|
{
|
||||||
|
$router = TestRouter::router();
|
||||||
|
$csrf = new DummyCsrfVerifier();
|
||||||
|
$request = $router->getRequest();
|
||||||
|
|
||||||
|
$request->setUrl(new \Pecee\Http\Url('/exclude-page'));
|
||||||
|
$this->assertTrue($csrf->testSkip($router->getRequest()));
|
||||||
|
|
||||||
|
$request->setUrl(new \Pecee\Http\Url('/exclude-all/page'));
|
||||||
|
$this->assertTrue($csrf->testSkip($router->getRequest()));
|
||||||
|
|
||||||
|
$request->setUrl(new \Pecee\Http\Url('/exclude-all/include-page'));
|
||||||
|
$this->assertFalse($csrf->testSkip($router->getRequest()));
|
||||||
|
|
||||||
|
$request->setUrl(new \Pecee\Http\Url('/include-page'));
|
||||||
|
$this->assertFalse($csrf->testSkip($router->getRequest()));
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
class DummyCsrfVerifier extends \Pecee\Http\Middleware\BaseCsrfVerifier {
|
||||||
|
|
||||||
|
protected $except = [
|
||||||
|
'/exclude-page',
|
||||||
|
'/exclude-all/*',
|
||||||
|
];
|
||||||
|
|
||||||
|
protected $include = [
|
||||||
|
'/exclude-all/include-page',
|
||||||
|
];
|
||||||
|
|
||||||
|
public function testSkip(\Pecee\Http\Request $request) {
|
||||||
|
return $this->skip($request);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user