enumag / csrf-route-bundle
Symfony bundle which provides a simple way to add CSRF tokens to routes
Installs: 10 964
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 3
Forks: 3
Type:symfony-bundle
Requires
- php: ^5.5.9|^7.0
- symfony/framework-bundle: ^3.3|^4.0
- symfony/security-csrf: ^3.3|^4.0
README
This Symfony3 bundle provides route annotation and options to secure routes against CSRF attacks and without using forms.
Installation
Use Composer to install the bundle:
composer require genedys/csrf-route-bundle
or add the following line in your composer.json
file:
"require": { ... "genedys/csrf-route-bundle": "^3.0", ... }
Then, register the bundle in your application's bundles.php file:
// bundles.php return [ // ... Genedys\CsrfRouteBundle\GenedysCsrfRouteBundle => ['all' => true], // ... ];
Configuration
Configuration reference :
genedys_csrf_route: enabled: true field_name: _token
- enabled : Enable or disable the token verification (default:
true
); - field_name : The name of the field appended to route URLs (default:
_token
).
Usage
The only thing to do to use this package is to add some configurations to the routes you want to protect.
The bundle adds a router which can append a token query parameter on route generation and a controller listener validate which validates token on called routes.
Options configuration
The bundle checks controller calls and search for a csrf_token
option. The available parameters for this options are:
token
: The token parameter name (by default_token
)intention
: The token intention. Different intentions generate different tokens (by defaultnull
which results to the route name).methods
: The HTTP method(s) when the CSRF token is validated (by defaultGET
).
# app/config/routing.yml homepage: ... options: - csrf_token: - token: '_token' - intention: null - methods: [GET]
You can also only specify the csrf_token
option to true
to use default parameters.
# app/config/routing.yml homepage: ... options: { csrf_token: true }
Annotation configuration
If you use annotations to configurate your routes, then the easiest way it to add an additionnal annotation to the sensible actions:
<?php // src Acme\DemoBundle\Controller\DefaultController.php // ... use Genedys\CsrfRouteBundle\Annotation\CsrfToken; // ... class DefaultController { // ... /** * ... * @CsrfToken */ public function sensibleAction() { //... } // ... }
Twig integration
As the bundle provides a custom router, CSRF tokens are automatically appended to url generated with path(...)
and url(...)
on Twig templates.
Routers compatibility
This bundle overrides the default Symfony router. In case you use other bundles which does the same thing (for instance JMSI18nRoutingBundle), the router integrated on this bundle works automatically as an adapter on previously configurated router. The only thing to take care is to register the GenedysCsrfRouterBundle after the bundle which overrides the router.
Credits
Created by Fabien Antoine for Genedys.
License
This bundle is under the MIT license.