Merge pull request #270 from dotkernel/issue-184

Issue #184: Implemented `CSRF` protection in all forms

Author: arhimede

composer.json

@@ -48,6 +48,7 @@
         "laminas/laminas-config-aggregator": "^1.14.0",
         "laminas/laminas-i18n": "^2.26.0",
         "laminas/laminas-math": "^3.7.0",
+        "laminas/laminas-session": "^2.21.0",
         "mezzio/mezzio": "^3.18.0",
         "mezzio/mezzio-authorization-rbac": "^1.7.0",
         "mezzio/mezzio-cors": "^1.11.1",

public/css/app.css

@@ -38,6 +38,8 @@
 use Psr\Http\Message\ResponseInterface;
 use Throwable;
 
+use function assert;
+
 class AdminController extends AbstractActionController
 {
     use ServerRequestAwareTrait;
@@ -162,42 +164,54 @@ public function editAction(): ResponseInterface
 
     public function deleteAction(): ResponseInterface
     {
-        if (! $this->isPost()) {
-            return new JsonResponse(
-                ['message' => Message::METHOD_NOT_ALLOWED],
-                StatusCodeInterface::STATUS_METHOD_NOT_ALLOWED
-            );
-        }
-
         $uuid = $this->getAttribute('uuid');
         if (empty($uuid)) {
             return new JsonResponse(
                 ['message' => Message::ADMIN_NOT_FOUND],
                 StatusCodeInterface::STATUS_NOT_FOUND
             );
         }
+        $admin = $this->adminService->getAdminRepository()->findOneBy(['uuid' => $uuid]);
+        assert($admin instanceof Admin);
 
         $form = new AdminDeleteForm();
-        $form->setData($this->getPostParams());
-        if (! $form->isValid()) {
-            return new JsonResponse(
-                ['message' => $this->forms->getMessages($form)],
-                StatusCodeInterface::STATUS_BAD_REQUEST
-            );
-        }
+        $form->setAttribute('id', 'deleteAdminForm');
+        $form->setAttribute('method', RequestMethodInterface::METHOD_POST);
+        $form->setAttribute(
+            'action',
+            $this->router->generateUri('admin', ['action' => 'delete', 'uuid' => $uuid])
+        );
 
-        /** @var Admin $admin */
-        $admin = $this->adminService->getAdminRepository()->findOneBy(['uuid' => $uuid]);
-        try {
-            $this->adminService->getAdminRepository()->deleteAdmin($admin);
-            return new JsonResponse(['message' => Message::ADMIN_DELETED_SUCCESSFULLY]);
-        } catch (Throwable $e) {
-            $this->logErrors($e, Message::DELETE_ADMIN);
-            return new JsonResponse(
-                ['message' => Message::AN_ERROR_OCCURRED],
-                StatusCodeInterface::STATUS_INTERNAL_SERVER_ERROR
-            );
+        if ($this->isPost()) {
+            $form->setData($this->getPostParams());
+            if (! $form->isValid()) {
+                return new JsonResponse(
+                    ['message' => $this->forms->getMessages($form)],
+                    StatusCodeInterface::STATUS_BAD_REQUEST
+                );
+            }
+
+            try {
+                $this->adminService->getAdminRepository()->deleteAdmin($admin);
+                return new JsonResponse(['message' => Message::ADMIN_DELETED_SUCCESSFULLY]);
+            } catch (Throwable $e) {
+                $this->logErrors($e, Message::DELETE_ADMIN);
+                return new JsonResponse(
+                    ['message' => Message::AN_ERROR_OCCURRED],
+                    StatusCodeInterface::STATUS_INTERNAL_SERVER_ERROR
+                );
+            }
         }
+
+        return new JsonResponse([
+            'data' => $this->template->render(
+                'admin::delete',
+                [
+                    'admin' => $admin,
+                    'form'  => $form->prepare(),
+                ]
+            ),
+        ]);
     }
 
     public function listAction(): ResponseInterface
@@ -216,9 +230,7 @@ public function listAction(): ResponseInterface
     public function manageAction(): ResponseInterface
     {
         return new HtmlResponse(
-            $this->template->render('admin::list', [
-                'form' => new AdminDeleteForm(),
-            ])
+            $this->template->render('admin::list')
         );
     }
 

public/js/app.js

@@ -5,9 +5,11 @@
 namespace Frontend\Admin\Form;
 
 use Frontend\Admin\InputFilter\AccountInputFilter;
+use Laminas\Form\Element\Csrf;
 use Laminas\Form\Form;
 use Laminas\Form\FormInterface;
 use Laminas\InputFilter\InputFilterInterface;
+use Laminas\Session\Container;
 
 /** @template-extends Form<FormInterface> */
 class AccountForm extends Form
@@ -59,15 +61,6 @@ public function init(): void
             ],
         ], ['priority' => -11]);
 
-        $this->add([
-            'name'    => 'account_csrf',
-            'type'    => 'csrf',
-            'options' => [
-                'timeout' => 3600,
-                'message' => 'The form CSRF has expired and was refreshed. Please resend the form',
-            ],
-        ]);
-
         $this->add([
             'name'       => 'submit',
             'type'       => 'submit',
@@ -76,6 +69,13 @@ public function init(): void
                 'value' => 'Update account',
             ],
         ], ['priority' => -100]);
+
+        $this->add(new Csrf('accountCsrf', [
+            'csrf_options' => [
+                'timeout' => 3600,
+                'session' => new Container(),
+            ],
+        ]));
     }
 
     public function getInputFilter(): InputFilterInterface

src/Admin/src/Controller/AdminController.php

@@ -5,9 +5,11 @@
 namespace Frontend\Admin\Form;
 
 use Frontend\Admin\InputFilter\AdminDeleteInputFilter;
+use Laminas\Form\Element\Csrf;
 use Laminas\Form\Form;
 use Laminas\Form\FormInterface;
 use Laminas\InputFilter\InputFilterInterface;
+use Laminas\Session\Container;
 
 /** @template-extends Form<FormInterface> */
 class AdminDeleteForm extends Form
@@ -63,6 +65,13 @@ public function init(): void
                 'value' => 'Delete',
             ],
         ]);
+
+        $this->add(new Csrf('adminDeleteCsrf', [
+            'csrf_options' => [
+                'timeout' => 3600,
+                'session' => new Container(),
+            ],
+        ]));
     }
 
     public function getInputFilter(): InputFilterInterface

src/Admin/src/Form/AccountForm.php

@@ -6,9 +6,11 @@
 
 use Frontend\Admin\Entity\Admin;
 use Frontend\Admin\InputFilter\AdminInputFilter;
+use Laminas\Form\Element\Csrf;
 use Laminas\Form\Form;
 use Laminas\Form\FormInterface;
 use Laminas\InputFilter\InputFilterInterface;
+use Laminas\Session\Container;
 
 /** @template-extends Form<FormInterface> */
 class AdminForm extends Form
@@ -111,6 +113,13 @@ public function init(): void
                 ],
             ],
         ], ['priority' => -30]);
+
+        $this->add(new Csrf('adminManageCsrf', [
+            'csrf_options' => [
+                'timeout' => 3600,
+                'session' => new Container(),
+            ],
+        ]));
     }
 
     public function getInputFilter(): InputFilterInterface

src/Admin/src/Form/AdminDeleteForm.php

@@ -5,9 +5,11 @@
 namespace Frontend\Admin\Form;
 
 use Frontend\Admin\InputFilter\ChangePasswordInputFilter;
+use Laminas\Form\Element\Csrf;
 use Laminas\Form\Form;
 use Laminas\Form\FormInterface;
 use Laminas\InputFilter\InputFilterInterface;
+use Laminas\Session\Container;
 
 /** @template-extends Form<FormInterface> */
 class ChangePasswordForm extends Form
@@ -59,15 +61,6 @@ public function init(): void
             ],
         ]);
 
-        $this->add([
-            'name'    => 'change_password_csrf',
-            'type'    => 'csrf',
-            'options' => [
-                'timeout' => 3600,
-                'message' => 'The form CSRF has expired and was refreshed. Please resend the form',
-            ],
-        ]);
-
         $this->add([
             'name'       => 'submit',
             'type'       => 'submit',
@@ -76,6 +69,13 @@ public function init(): void
                 'value' => 'Change Password',
             ],
         ], ['priority' => -100]);
+
+        $this->add(new Csrf('changePasswordCsrf', [
+            'csrf_options' => [
+                'timeout' => 3600,
+                'session' => new Container(),
+            ],
+        ]));
     }
 
     public function getInputFilter(): InputFilterInterface

src/Admin/src/Form/AdminForm.php

@@ -5,12 +5,14 @@
 namespace Frontend\Admin\Form;
 
 use Frontend\Admin\InputFilter\LoginInputFilter;
+use Laminas\Form\Element\Csrf;
 use Laminas\Form\Element\Password;
 use Laminas\Form\Element\Submit;
 use Laminas\Form\Element\Text;
 use Laminas\Form\Form;
 use Laminas\Form\FormInterface;
 use Laminas\InputFilter\InputFilterInterface;
+use Laminas\Session\Container;
 
 /** @template-extends Form<FormInterface> */
 class LoginForm extends Form
@@ -66,6 +68,13 @@ public function init(): void
             ],
             'type'       => Submit::class,
         ]);
+
+        $this->add(new Csrf('loginCsrf', [
+            'csrf_options' => [
+                'timeout' => 3600,
+                'session' => new Container(),
+            ],
+        ]));
     }
 
     public function getInputFilter(): InputFilterInterface

src/Admin/src/Form/ChangePasswordForm.php

@@ -4,6 +4,7 @@
 
 namespace Frontend\Admin\InputFilter;
 
+use Frontend\App\InputFilter\Input\CsrfInput;
 use Laminas\Filter\StringTrim;
 use Laminas\InputFilter\Input;
 use Laminas\InputFilter\InputFilter;
@@ -57,5 +58,7 @@ public function init(): void
             'message' => '<b>Last name</b> must be max 150 characters long.',
         ]);
         $this->add($lastName);
+
+        $this->add(new CsrfInput('accountCsrf', true));
     }
 }