fix(http): don't cache csrf tokens in views (#1412)

brendt · web-flow · commit 9db65f0f58e1 · 2025-07-19T08:12:39.000+02:00
diff --git a/packages/http/src/Session/CsrfTokenComponent.php b/packages/http/src/Session/CsrfTokenComponent.php
diff --git a/packages/http/src/Session/x-csrf-token.view.php b/packages/http/src/Session/x-csrf-token.view.php
@@ -0,0 +1,11 @@
+<?php
+
+use Tempest\Http\Session\Session;
+
+use function Tempest\get;
+
+$name = Session::CSRF_TOKEN_KEY;
+$token = get(Session::class)->token;
+?>
+
+<input type="hidden" name="{{ $name }}" value="{{ $token }}" />
diff --git a/tests/Integration/FrameworkIntegrationTestCase.php b/tests/Integration/FrameworkIntegrationTestCase.php
@@ -219,4 +219,14 @@ protected function skipWindows(string $reason): void
 
         $this->markTestSkipped($reason);
     }
+
+    /**
+     * @template TClassName of object
+     * @param class-string<TClassName> $className
+     * @return null|TClassName
+     */
+    protected function get(string $className): ?object
+    {
+        return $this->container->get($className);
+    }
 }
diff --git a/tests/Integration/Http/CsrfTest.php b/tests/Integration/Http/CsrfTest.php
@@ -11,6 +11,7 @@
 use Tempest\Http\Session\CsrfTokenDidNotMatch;
 use Tempest\Http\Session\Session;
 use Tempest\Http\Session\VerifyCsrfMiddleware;
+use Tempest\View\ViewCache;
 use Tests\Tempest\Integration\FrameworkIntegrationTestCase;
 
 final class CsrfTest extends FrameworkIntegrationTestCase
@@ -97,13 +98,34 @@ public function test_matches_from_header(): void
 
     public function test_csrf_component(): void
     {
+        $session = $this->container->get(Session::class);
+        $session->set(Session::CSRF_TOKEN_KEY, 'test');
+
         $rendered = $this->render(<<<HTML
         <x-csrf-token />
         HTML);
 
+        $this->assertSame(
+            '<input type="hidden" name="_csrf_token" value="test">',
+            $rendered,
+        );
+    }
+
+    public function test_csrf_with_cached_view(): void
+    {
+        $this->get(ViewCache::class)->enabled = true;
+
+        $oldVersion = $this->render(<<<HTML
+        <x-csrf-token />
+        HTML);
+
         $session = $this->container->get(Session::class);
+        $session->destroy();
+
+        $newVersion = $this->render(<<<HTML
+        <x-csrf-token />
+        HTML);
 
-        $this->assertStringMatchesFormat('<input type="hidden" name="_csrf_token" value="%s">', $rendered);
-        $this->assertStringContainsString($session->token, $rendered);
+        $this->assertNotSame($oldVersion, $newVersion);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -219,4 +219,14 @@ protected function skipWindows(string $reason): void`
`219`	`219`
`220`	`220`	`$this->markTestSkipped($reason);`
`221`	`221`	`}`
	`222`	`+`
	`223`	`+ /**`
	`224`	`+ * @template TClassName of object`
	`225`	`+ * @param class-string<TClassName> $className`
	`226`	`+ * @return null\|TClassName`
	`227`	`+ */`
	`228`	`+ protected function get(string $className): ?object`
	`229`	`+ {`
	`230`	`+ return $this->container->get($className);`
	`231`	`+ }`
`222`	`232`	`}`