Merge pull request #649 from skipperbent/feature-csrfverifier

[!!!] CsrfVerifier changes

src/Pecee/Http/Middleware/BaseCsrfVerifier.php

@@ -17,13 +17,13 @@ class BaseCsrfVerifier implements IMiddleware
      * For example: /admin/*
      * @var array|null
      */
-    protected ?array $except = null;
+    protected array $except = [];
 
     /**
      * Urls to include. Can be used to include urls from a certain path.
      * @var array|null
      */
-    protected ?array $include = null;
+    protected array $include = [];
 
     /**
      * @var ITokenProvider
@@ -38,6 +38,23 @@ class BaseCsrfVerifier implements IMiddleware
         $this->tokenProvider = new CookieTokenProvider();
     }
 
+    protected function isIncluded(Request $request): bool
+    {
+        if (count($this->include) > 0) {
+            foreach ($this->include as $includeUrl) {
+                $includeUrl = rtrim($includeUrl, '/');
+                if ($includeUrl[strlen($includeUrl) - 1] === '*') {
+                    $includeUrl = rtrim($includeUrl, '*');
+                    return $request->getUrl()->contains($includeUrl);
+                }
+
+                return ($includeUrl === rtrim($request->getUrl()->getRelativeUrl(false), '/'));
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Check if the url matches the urls in the except property
      * @param Request $request
@@ -45,11 +62,11 @@ class BaseCsrfVerifier implements IMiddleware
      */
     protected function skip(Request $request): bool
     {
-        if ($this->except === null || count($this->except) === 0) {
+        if (count($this->except) === 0) {
             return false;
         }
 
-        foreach($this->except as $url) {
+        foreach ($this->except as $url) {
             $url = rtrim($url, '/');
             if ($url[strlen($url) - 1] === '*') {
                 $url = rtrim($url, '*');
@@ -60,20 +77,9 @@ class BaseCsrfVerifier implements IMiddleware
 
             if ($skip === true) {
 
-                if(is_array($this->include) === true && count($this->include) > 0) {
+                $skip = !$this->isIncluded($request);
-                    foreach($this->include as $includeUrl) {
-                        $includeUrl = rtrim($includeUrl, '/');
-                        if ($includeUrl[strlen($includeUrl) - 1] === '*') {
-                            $includeUrl = rtrim($includeUrl, '*');
-                            $skip = !$request->getUrl()->contains($includeUrl);
-                            break;
-                        }
 
-                        $skip = !($includeUrl === rtrim($request->getUrl()->getRelativeUrl(false), '/'));
+                if ($skip === false) {
-                    }
-                }
-
-                if($skip === false) {
                     continue;
                 }
 
@@ -92,12 +98,11 @@ class BaseCsrfVerifier implements IMiddleware
      */
     public function handle(Request $request): void
     {
-        if ($this->skip($request) === false && $request->isPostBack() === true) {
+        if ($this->skip($request) === false && ($request->isPostBack() === true || $this->isIncluded($request) === true)) {
 
             $token = $request->getInputHandler()->value(
                 static::POST_KEY,
                 $request->getHeader(static::HEADER_KEY),
-                Request::$requestTypesPost
             );
 
             if ($this->tokenProvider->validate((string)$token) === false) {

tests/Pecee/SimpleRouter/Dummy/CsrfVerifier/DummyCsrfVerifier.php

@@ -2,12 +2,12 @@
 
 class DummyCsrfVerifier extends \Pecee\Http\Middleware\BaseCsrfVerifier {
 
-    protected ?array $except = [
+    protected array $except = [
         '/exclude-page',
         '/exclude-all/*',
     ];
 
-    protected ?array $include = [
+    protected array $include = [
         '/exclude-all/include-page',
     ];