CSRF Guards

To provide CSRF protection, we provide an abstraction, Zend\Expressive\Csrf\CsrfGuardInterface:

namespace Zend\Expressive\Csrf;

interface CsrfGuardInterface
{
    /**
     * Generate a CSRF token.
     *
     * Typically, implementations should generate a one-time CSRF token,
     * store it within the session, and return it so that developers may
     * then inject it in a form, a response header, etc.
     *
     * CSRF tokens should EXPIRE after the first hop.
     */
    public function generateToken(string $keyName = '__csrf') : string;

    /**
     * Validate whether a submitted CSRF token is the same as the one stored in
     * the session.
     *
     * CSRF tokens should EXPIRE after the first hop.
     */
    public function validateToken(string $token, string $csrfKey = '__csrf') : bool;
}

Because guards will be backed by different mechanisms, we provide CsrfMiddleware that will generate the guard based on configuration, and inject it into the request passed to later middleware; this approach allows you to separate generation from the guard instance (which is based on request data) from your own middleware.

Once you have a concrete implementation, you will generally:

  • Generate a token in middleware displaying a form, and
  • Validate a token in middleware validating that form.

As an example, we could have middleware displaying a form as follows:

namespace Books;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Zend\Diactoros\Response\HtmlResponse;
use Zend\Expressive\Csrf\CsrfGuardInterface;
use Zend\Expressive\Csrf\CsrfMiddleware;
use Zend\Expressive\Template\TemplateRendererInterface;

class DisplayBookFormHandler implements MiddlewareInterface
{
    private $renderer;

    public function __construct(TemplateRendererInterface $renderer)
    {
        $this->renderer = $renderer;
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
    {
        $guard = $request->getAttribute(CsrfMiddleware::GUARD_ATTRIBUTE);
        $token = $guard->generateToken();

        return new HtmlResponse(
            $this->renderer->render('books::form', [
                '__csrf' => $token,
            ]);
        );
    }
}

When we're ready to process it, we then might have the following middleware:

namespace Books;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Zend\Diactoros\Response\EmptyResponse;
use Zend\Diactoros\Response\HtmlResponse;
use Zend\Expressive\Csrf\CsrfGuardInterface;
use Zend\Expressive\Csrf\CsrfMiddleware;
use Zend\Expressive\Template\TemplateRendererInterface;

class ProcessBookFormHandler implements MiddlewareInterface
{
    private $renderer;

    public function __construct(TemplateRendererInterface $renderer)
    {
        $this->renderer = $renderer;
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
    {
        $guard = $request->getAttribute(CsrfMiddleware::GUARD_ATTRIBUTE);
        $data  = $request->getParsedBody();
        $token = $data['__csrf'] ?? '';

        if (! $guard->validateToken($token)) {
            return new EmptyResponse(412); // Precondition failed
        }

        // process form normally and return a response...
    }
}

This approach allows you to prevent CSRF attacks separately from normal form validation, which can also simplify how your forms are structured.

We provide two guard implementations, one using the base session container functionality from zend-expressive-session, and another using flash messages as provided in zend-expressive-flash.

Session-based guard

Session-based guards are provided via Zend\Expressive\Csrf\SessionCsrfGuard. This class expects a Zend\Expressive\Session\SessionInterface instance to its constructor, and it then uses that to both store a token in the session during generateToken(), and when validating a submitted token.

Flash-based guard

Flash guards are provided via Zend\Expressive\Csrf\FlashCsrfGuard. This class expects a Zend\Expressive\Flash\FlashMessagesInterface instance to its constructor, and it then uses that to store a token via a flash message when generateToken() is called, and to retrieve a previously flashed token when validating a submitted token.

To use this guard, you will also need to install the zend-expressive-flash package:

$ composer require zendframework/zend-expressive-flash

Guard factories

Because guard implementations generally require request-based artifacts in order to do their work, we provide an interface describing a factory for generating guards. Essentially, each guard implementation will also supply their own factory implementation, which the CsrfMiddleware will then consume to create a guard instance.

Zend\Expressive\Csrf\CsrfGuardFactoryInterface defines the following:

namespace Zend\Expressive\Csrf;

use Psr\Http\Message\ServerRequestInterface;

interface CsrfGuardFactoryInterface
{
    public function createGuardFromRequest(ServerRequestInterface $request) : CsrfGuardInterface;
}

We provide the following concrete factories:

  • Zend\Expressive\Csrf\SessionCsrfGuardFactory
  • Zend\Expressive\Csrf\FlashCsrfGuardFactory

You will need to map the appropriate one to the Zend\Expressive\Csrf\CsrfGuardFactoryInterface service in your dependency injection container. By default, we map this service to the SessionCsrfGuardFactory.

You may also compose the CsrfGuardFactoryInterface directly in your own middleware. When you do, you will have to manually use it to create the guard instance prior to generating or validating a token:

class SomeHandler implements MiddlewareInterface
{
    private $guardFactory;

    public function __construct(CsrfGuardFactoryInterface $guardFactory)
    {
        $this->guardFactory = $guardFactory;
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
    {
        $guard = $this->guardFactory->createGuardFromRequest($request);
        // ...
    }
}

Found a mistake or want to contribute to the documentation? Edit this page on GitHub!