Skip to content
docsv0.1.0

CsrfGuard

The PSR-15 double-submit CSRF guard — the CRM's `OAuthStateGuard` generalized into the pipeline. A state token is issued into an httpOnly, `SameSite=Lax` cookie and must be echoed back on every state-changing request, in the configured form field or header. The guard compares the two timing-safe with {@see hash_equals()} and refuses (403 {@see CsrfDeniedException}) on any mismatch or absence. Safe, side-effect-free methods (`GET`, `HEAD`, `OPTIONS`, `TRACE`) are not checked. It reads everything from the PSR-7 request — {@see ServerRequestInterface::getCookieParams()} for the issued token, the header or parsed body for the submitted one — so it is fully testable without real cookies. It issues no cookie itself: minting and setting the state cookie is the host's job; this guard only verifies. Neither token value is ever echoed into the denial.

CsrfGuard::__construct()

public function __construct(string $cookieName, string $field):

Parameters

Parameters of __construct()
NameTypeDescription
$cookieNamestringthe cookie the issued state token lives in
$fieldstringthe form field / header name the request echoes the token back in

CsrfGuard::process()

public function process(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Server\RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterface

Verifies the double-submit state token on a state-changing request and passes it on, or throws {@see CsrfDeniedException} (403) when the submitted token is absent or does not match. Safe methods pass through unchecked.

Parameters

Parameters of process()
NameTypeDescription
$requestPsr\Http\Message\ServerRequestInterface
$handlerPsr\Http\Server\RequestHandlerInterface