Download the PHP package tigerwill90/xsrf-middleware without Composer

On this page you can find all versions of the php package tigerwill90/xsrf-middleware. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to add one include: require_once('vendor/autoload.php');. After that, you have to import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package xsrf-middleware


PSR-7 & PSR-15 : CSRF Protection alternative for JWT/Branca Authentication token

CSRF protection based on the double submit pattern, cookie - JWT/Branca alternative.

It is based on PSR-7 JWT Authentication Middleware from Tuupola. This middleware is designed to work with JWT/Branca Authentication method and can be used with any framework using PSR-7 or PSR-15 style middlewares (since v1.1.0). It has been tested with Slim Framework.

This middleware does not provide ways to generate a Branca/JWT token. However, you can find all you need to generate a token with the links below.

The goal is to protect a REST API against Cross-site request forgery attacks, using the double submit pattern (stateless).

How it works

Sometimes you want to save your JWT/Branca token in an HTTP-only cookie. Since it cannot be read by client-side scripts, your payload content is safe. This is particularly true for JWT, whose payload is not encrypted. BUT this protection exposes your API to CSRF attacks.

When a user authenticates to a site

When an authenticated API consumer wants to access your API, you need to attach the anti-CSRF token as

For all unsafe operations [POST | PUT | PATCH | DELETE] to your API, the middleware inspects both the token and the JWT or Branca in the HTTP-only cookie to check whether the values match, and returns a 401 status if they do not.

Dependencies

Install


Usage

Configuration options are passed as an array. There is no mandatory parameter.

When a request is made, the middleware inspects both the token and the cookie to check whether the values match. If the cookie or the token is not found, the server responds with 401 Unauthorized.

Optional parameters

Path

The optional path parameter allows you to specify which resources of your API are protected by the double submit pattern. It can be either a string or an array. You do not need to specify each URL.

Default parameter is /

In this example, everything starting with /api will be protected.

Passthrough

The optional passthrough parameter allows you to specify exceptions to the path parameter. It can be either a string or an array.

Default parameter is null

In this example, everything starting with /api and /admin will be protected, except /api/orders

AntiCsrf

The optional anticsrf parameter allows you to specify the name of your anti-CSRF cookie, header or parameter.

Default parameter is xCsrf

In this example, if the cookie, header or request parameter "xCsrf" exists, the middleware will compare its value with the specified JWT/Branca token claim value.

Token

According to the PSR-7 JWT Authentication Middleware documentation, when the token is decoded successfully and authentication succeeds, the contents of the decoded token are saved as an attribute on the $request. The optional token parameter allows you to specify the attribute name of the JWT/Branca token that the middleware needs to find in $request.

Default parameter is token

Payload

Alternatively you can pass the contents of decoded token in the optional payload parameter.

Default value is null

```
[2017-12-06 01:14:05] [WARNING]: Payload not found in parameter
[2017-12-06 01:14:05] [DEBUG]: Token and cookie don't match, access denied !
```
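The check described under "How it works", combined with the path and passthrough options, sketched as an added example (not the package's own code). The function names, the claim name `csrf` and the prefix-matching rule are assumptions; the anti-CSRF value and the decoded claims are passed in directly instead of being read from a PSR-7 request.

```php
<?php
declare(strict_types=1);

// Added illustration of the double submit check, not the package's source.
// "path" and "passthrough" follow the page; "claim" and all names are assumed.

function startsWithAny(string $uri, array $prefixes): bool
{
    foreach ($prefixes as $prefix) {
        $prefix = rtrim($prefix, '/');
        // Match the prefix itself or anything below it ("/api" must not match "/apiary").
        if ($prefix === '' || $uri === $prefix || strpos($uri, $prefix . '/') === 0) {
            return true;
        }
    }
    return false;
}

/** Returns the status the check would produce: 200 (pass through) or 401. */
function xsrfCheck(string $method, string $uri, ?string $antiCsrf, ?array $claims, array $opt = []): int
{
    $opt += ['path' => '/', 'passthrough' => null, 'claim' => 'csrf'];
    if (!in_array(strtoupper($method), ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
        return 200; // safe methods are not checked
    }
    if (!startsWithAny($uri, (array) $opt['path'])
        || startsWithAny($uri, (array) ($opt['passthrough'] ?? []))) {
        return 200; // outside the protected paths, or explicitly excepted
    }
    $expected = $claims[$opt['claim']] ?? null;
    if (!is_string($antiCsrf) || !is_string($expected) || $expected === '') {
        return 401; // anti-CSRF value, decoded token or claim is missing
    }
    // Constant-time comparison so the claim value does not leak through timing.
    return hash_equals($expected, $antiCsrf) ? 200 : 401;
}

// Constructed sample data: decoded token claims and middleware options.
$claims = ['sub' => 'alice', 'csrf' => 'constructed-random-value'];
$opt    = ['path' => ['/api', '/admin'], 'passthrough' => '/api/orders'];

$cases = [
    ['POST',   '/api/users',  'constructed-random-value'], // values match
    ['DELETE', '/admin/jobs', 'forged-value'],             // mismatch
    ['PUT',    '/api/users',  null],                       // anti-CSRF value absent
    ['POST',   '/api/orders', null],                       // passthrough exception
    ['GET',    '/api/users',  null],                       // safe method
];
foreach ($cases as [$m, $u, $v]) {
    printf("%-6s %-12s => %d\n", $m, $u, xsrfCheck($m, $u, $v, $claims, $opt));
}
```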

phpunit



### License

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

All versions of xsrf-middleware with dependencies

PHP Build Version
Package Version
Requires php Version ^7.1
dflydev/fig-cookies Version ^1.0
psr/log Version ^1.0
psr/http-server-middleware Version ^1.0
psr/http-message Version ^1.0
tuupola/callable-handler Version ^0.3
tuupola/http-factory Version ^0.3
rybakit/msgpack Version ^v0.2
roave/security-advisories Version dev-master
