Slim CSRF Protection
Protection against CSRF in the Slim 3 framework.
Uses Slim Secure Session Middleware to manage the session and
automatically creates an HTML form hidden input for Twig-View and PHP-View.
CSRF protection is applied to POST, PUT, DELETE and PATCH requests.
Installation
```bash
composer require adbario/slim-csrf
```
Usage
Dependency Container
Inject the session helper into the application container (read more about the session helper in its own documentation):
```php
$container['session'] = function ($container) {
    return new \Adbar\Session(
        $container->get('settings')['session']['namespace']
    );
};
```
Inject CSRF protection into the application container:
```php
$container['csrf'] = function ($c) {
    return new \Adbar\Slim\Csrf($c->get('session'));
};
```
If you use Twig-View or PHP-View, pass the view as well so the hidden input is injected into your templates automatically:
```php
$container['csrf'] = function ($c) {
    return new \Adbar\Slim\Csrf(
        $c->get('session'),
        $c->get('view')
    );
};
```
Other dependencies
CSRF protection needs Slim Secure Session Middleware.
Inject the settings for the session middleware and register it:
```php
$app->add(new \Adbar\SessionMiddleware($container->get('settings')['session']));
```
Register for all routes
To use CSRF protection on all routes, register it as application middleware before the session middleware. Slim 3 runs middleware in last-in, first-out order, so adding the session middleware second makes it run first, and the session is already started when the CSRF middleware validates the token:
```php
/** Csrf */
$app->add($app->getContainer()->get('csrf'));
/** Session */
$app->add(new \Adbar\SessionMiddleware($container->get('settings')['session']));
```
Register per route
To use CSRF protection on specific routes, add it as route middleware like this:
```php
$app->get('/form', function ($request, $response) {
    // CSRF token will be added to the view
    return $this->view->render($response, 'form.twig');
})->add($container->get('csrf'));

$app->post('/form', function ($request, $response) {
    // Only reached if the CSRF token was valid; the handler itself never has to check it
    return $response->write('Form accepted.');
})->add($container->get('csrf'));
```
Twig-View
A ready-to-use HTML hidden input is injected into Twig-View as the `csrf` variable; use it in your view like this:
```html
<form method="post">
    {{ csrf|raw }}
    Username
    <input type="text" name="username">
    <input type="submit" value="Send">
</form>
```
PHP-View
A ready-to-use HTML hidden input is also injected into PHP-View as the `$csrf` variable; use it in your view like this:
```html
<form method="post">
    <?= $csrf ?>
    Username
    <input type="text" name="username">
    <input type="submit" value="Send">
</form>
```
Other template engines
You can easily use CSRF protection with other template engines as well. Inject it into the container without a view:
```php
$container['csrf'] = function () {
    return new \Adbar\Slim\Csrf;
};
```
Generate the HTML hidden input field yourself and pass it to your template:
```php
$app->get('/form', function ($request, $response) {
    // Generate the hidden input field
    $csrf = $this->csrf->generateForm();
    // Inject form field to your view...
    return $response;
});
```
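The per-route registration and the "other template engines" path above, put together as one complete Slim 3 front controller. This is an added example, not code from the adbario/slim-csrf README: it assumes the Composer autoloader lives at `vendor/autoload.php`, that the session settings array only needs the `namespace` key (any other keys the session middleware accepts are left at their defaults), and it uses a hand-rolled string template with a `{csrf}` placeholder in place of a view library.

```php
<?php
// Added example (not part of the adbario/slim-csrf README): a Slim 3 app that
// protects one form without Twig-View or PHP-View.
// Assumptions: autoloader at vendor/autoload.php; the session settings array
// only needs 'namespace' (other keys, if any, are left at their defaults).
require __DIR__ . '/vendor/autoload.php';

$app = new \Slim\App([
    'settings' => [
        'session' => ['namespace' => 'myapp'],
    ],
]);
$container = $app->getContainer();

$container['session'] = function ($c) {
    return new \Adbar\Session($c->get('settings')['session']['namespace']);
};

// No view is passed, so nothing is injected automatically; the GET route
// generates the hidden input itself with generateForm().
$container['csrf'] = function ($c) {
    return new \Adbar\Slim\Csrf($c->get('session'));
};

// Session middleware runs before the route-level CSRF checks, so the token
// store exists by the time a token is generated or validated.
$app->add(new \Adbar\SessionMiddleware($container->get('settings')['session']));

$app->get('/form', function ($request, $response) {
    // Hand-rolled template: {csrf} is replaced by the generated hidden input.
    $template = <<<'HTML'
<form method="post" action="/form">
  {csrf}
  <label>Username <input type="text" name="username"></label>
  <input type="submit" value="Send">
</form>
HTML;
    $html = str_replace('{csrf}', $this->csrf->generateForm(), $template);
    return $response->write($html);
})->add($container->get('csrf'));

$app->post('/form', function ($request, $response) {
    // Only reached when the middleware accepted the token; the handler itself
    // never inspects it. Output is escaped so the echoed value cannot inject HTML.
    $body     = $request->getParsedBody() ?: [];
    $username = (string) ($body['username'] ?? '');
    $safe     = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    return $response->write("Hello, {$safe}");
})->add($container->get('csrf'));

$app->run();
```

Run it with the built-in server (`php -S localhost:8080 index.php`), load `/form` in a browser and submit it; resubmitting the same form with the hidden input removed is rejected with the token error before the POST handler runs.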
Custom error on CSRF token failure
By default, CSRF protection shows a simple message on failure:
```
Invalid security token.
```
You can render a custom template when the CSRF token isn't valid; edit the container entry:
```php
$container['csrf'] = function ($c) {
    $csrf = new \Adbar\Slim\Csrf(
        $c->get('session'),
        $c->get('view')
    );
    $csrf->setTokenError(function ($request, $response, $next) use ($c) {
        return $c->view->render($response->withStatus(400), 'csrf_error.twig');
    });
    return $csrf;
};
```
If you just want to change the simple message:
```php
$container['csrf'] = function ($c) {
    $csrf = new \Adbar\Slim\Csrf(
        $c->get('session'),
        $c->get('view')
    );
    $csrf->setTokenErrorMessage('This is my custom error message.');
    return $csrf;
};
```
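A token-failure handler built on the same `setTokenError()` hook, written as an added example rather than code from the README. It answers clients that ask for JSON with a machine-readable 403 and browsers with the template, and writes one log line per rejection so a burst of failed tokens from one address shows up in the web server's error log. It assumes a `csrf_error.twig` template exists, as in the README's own example; the 403 status (instead of the README's 400) is a choice made here.

```php
<?php
// Added example (not part of the adbario/slim-csrf README): content-negotiated
// token failure handler with a log line per rejection.
// Assumption: a csrf_error.twig template exists in the view's template path.
$container['csrf'] = function ($c) {
    $csrf = new \Adbar\Slim\Csrf(
        $c->get('session'),
        $c->get('view')
    );

    $csrf->setTokenError(function ($request, $response, $next) use ($c) {
        // Record method, path and client address only; the token value itself
        // is never logged.
        $server = $request->getServerParams();
        error_log(sprintf(
            'CSRF token rejected: %s %s from %s',
            $request->getMethod(),
            $request->getUri()->getPath(),
            $server['REMOTE_ADDR'] ?? 'unknown'
        ));

        // XHR/fetch callers that accept JSON get a structured 403 instead of HTML.
        $accept = $request->getHeaderLine('Accept');
        if (strpos($accept, 'application/json') !== false) {
            return $response->withStatus(403)->withJson([
                'error' => 'Invalid security token.',
            ]);
        }

        // Everyone else gets the rendered error page.
        return $c->view->render($response->withStatus(403), 'csrf_error.twig');
    });

    return $csrf;
};
```

The handler deliberately does not call `$next`, so a request with a bad token never reaches the route; the `$next` parameter is kept because that is the signature the README documents for the callback.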
License
MIT license