CsrfGuard
The PSR-15 double-submit CSRF guard — the CRM's `OAuthStateGuard` generalized into the pipeline. A state token is issued into an httpOnly, `SameSite=Lax` cookie and must be echoed back on every state-changing request, in the configured form field or header. The guard compares the two timing-safe with {@see hash_equals()} and refuses (403 {@see CsrfDeniedException}) on any mismatch or absence. Safe, side-effect-free methods (`GET`, `HEAD`, `OPTIONS`, `TRACE`) are not checked. It reads everything from the PSR-7 request — {@see ServerRequestInterface::getCookieParams()} for the issued token, the header or parsed body for the submitted one — so it is fully testable without real cookies. It issues no cookie itself: minting and setting the state cookie is the host's job; this guard only verifies. Neither token value is ever echoed into the denial.
CsrfGuard::__construct()
public function __construct(string $cookieName, string $field):Parameters
| Name | Type | Description |
|---|---|---|
| $cookieName | string | the cookie the issued state token lives in |
| $field | string | the form field / header name the request echoes the token back in |
CsrfGuard::process()
public function process(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Server\RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterfaceVerifies the double-submit state token on a state-changing request and passes it on, or throws {@see CsrfDeniedException} (403) when the submitted token is absent or does not match. Safe methods pass through unchecked.
Parameters
| Name | Type | Description |
|---|---|---|
| $request | Psr\Http\Message\ServerRequestInterface | |
| $handler | Psr\Http\Server\RequestHandlerInterface |