yiisoft / csrf Goto Github PK

Usually the middleware is enabled globally. Need to add a way to exclude certain URLs or include only certain URL.

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#employing-custom-request-headers-for-ajaxapi

For use this implementation CSRF in yii app need provider for make CsrfToken::initialize() as here.

Suggestion:

1. Rewrite SessionCsrfTokenStorage.php to NativeSessionCsrfTokenStorage with use $_SESSION.

2. Create new package yiisoft/yii-csrf with:

• Config providers.php.
• Provider for initialize CsrfToken.
• Implementation CsrfTokenStorageInterface with use yii sessions.

Why generate a token here: ?

If you can generate here:

In this case, the token will be generated on the first use, not on the first request.

We currently use syncronizer pattern from https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern. It is stateful. Switching to any stateless pattern would make starting a session obsolete.

See #12

What steps will reproduce the problem?

http=>https

yiisoft/yii-web dependency needs to be replaced with yiisoft/session after yiisoft/session will be separated from yiisoft/yii-web (yiisoft/yii-web#288)

Readme should contain docs.

In the documentation you refer to OWASP: now only Synchronizer Token Pattern and Double Submit Cookie are actual there. HMAC Based Token Pattern and Encryption based Token Pattern were removed.

It should be understood that the Double Submit Cookie will require the configuration to use Yiisoft\Cookies\CookieMiddleware.

But maybe you shouldn't add the Double Submit Cookie pattern, because it seems to me that this thing is for rare use.

Steps to update:

1) To remove HMAC Based Token Pattern
2) To add Double Submit Cookie processing logic to the middleware (optional)
3) To write something like DoubleSubmitCsrfToken (optional)
4) To update the documentation

Draft with the Double Submit Cookie pattern :

final class CsrfMiddleware implements MiddlewareInterface
{
...

private bool $sendCookie = false;

...

public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
    if ($this->token instanceof DoubleSubmitCsrfToken) {
        $cookieValues = $request->getCookieParams();
        $cookieValue = $cookieValues[$this->parameterName] ?? null;
        
        // the setValue() method is needed to validate the value later, if necessary
        // for example, "return hash_equals($this->getValue(), $token);"
        $cookieValue ? $this->token->setValue($cookieValue) : $this->sendCookie = true;
    }

    if (!$this->validateCsrfToken($request)) {
        $response = $this->responseFactory->createResponse(Status::UNPROCESSABLE_ENTITY);
        $response->getBody()->write(Status::TEXTS[Status::UNPROCESSABLE_ENTITY]);
        return $response;
    }

    $response = $handler->handle($request);

    return $this->sendCookie ?
           $this->token->getCsrfCookie($this->parameterName)->addToResponse($response) :
           $response;
}

Why are checks made before the validateCsrfToken method? OWASP requires the cookie to be set the first time the user visits the site: "When a user visits (even before authenticating to prevent login CSRF), the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session identifier."