Enjoys\Forms\Elements\Csrf

Complexity

Total Complexity

8

Size/Duplication

Total Lines	77
Duplicated Lines	0 %

Test Coverage

Coverage

100%

Importance

Changes	2
Bugs	1	Features	0

5 Methods

Rating	Name	Duplication	Size	Complexity
A	__construct()	0	19	2
A	getCsrfToken()	0	3	1
A	getCsrfSecret()	0	9	2
A	prepare()	0	11	2
A	generateSecret()	0	7	1

<?php

declare(strict_types=1);

namespace Enjoys\Forms\Elements;

use Enjoys\Forms\Exception\CsrfAttackDetected;
use Enjoys\Forms\Exception\ExceptionRule;
use Enjoys\Forms\Form;
use Enjoys\Forms\Rules;
use Enjoys\Session\Session;

/**
 * Включает защиту от CSRF.
 * Сross Site Request Forgery — «Подделка межсайтовых запросов», также известен как XSRF
 */
class Csrf extends Hidden
{
    /**
     * @throws ExceptionRule
     * @throws \Exception
     */
    public function __construct(private Session $session)
    {
        $csrfSecret = $this->getCsrfSecret();
        $token = $this->getCsrfToken($csrfSecret);


        parent::__construct(Form::_TOKEN_CSRF_, $token);

        $this->addRule(
            Rules::CALLBACK,
            'CSRF Attack detected',
            [
                function (string $key) {
                    if (password_verify($key, $this->getRequest()->getPostData(Form::_TOKEN_CSRF_, ''))) {

Enjoys\Forms\Form::_TOKEN_CSRF_ of type string is incompatible with the type Enjoys\T expected by parameter $key of Enjoys\ServerRequestWrapper::getPostData().

It seems like $this->getRequest()->getPostData(Enjoys\Forms\Form::_TOKEN_CSRF_, '') can also be of type null; however, parameter $hash of password_verify() does only seem to accept string, maybe add an additional type check?

                        return true;
                    }
                    throw new CsrfAttackDetected('CSRF Token is invalid');
                },
                $csrfSecret
            ]
        );
    }

    /**
     * @return true|void
     */
    public function prepare()
    {
        if (!in_array($this->getForm()->getMethod(), ['POST', 'PUT', 'DELETE', 'PATCH'])) {
            //удаляем элемент, если был заранее создан
            //$this->getForm()->removeElement($this->getForm()->getElement(\Enjoys\Forms\Form::_TOKEN_CSRF_));
            $this->getForm()->removeElement($this);

            //возвращаем true, чтобы не добавлять элемент.
            return true;
        }
        $this->unsetForm();
    }

    /**
     * @throws \Exception
     */
    private function getCsrfSecret(): string
    {
        $secret = (string) $this->session->get('csrf_secret');

        if (empty($secret)) {
            $secret = $this->generateSecret();
        }

        return $secret;
    }



    public function getCsrfToken(string $secret): string
    {
        return password_hash($secret, PASSWORD_DEFAULT);

The expression return password_hash($secret, Enjoys\Forms\Elements\PASSWORD_DEFAULT) could return the type null which is incompatible with the type-hinted return string. Consider adding an additional type-check to rule them out.

    }

    /**
     * @return string
     * @throws \Exception
     */
    private function generateSecret(): string
    {
        $secret = base64_encode(random_bytes(32));
        $this->session->set([
            'csrf_secret' => $secret
        ]);
        return $secret;
    }
}