`config.web.php` already provides a prefix, so `config.security` should not provide one.

Can be merged later whenever necessary. Also verifies if the protection is enabled or not.
2022-03-15 19:18:45 +01:00 · 2022-03-15 19:18:45 +01:00 · 0e2eb5ef72
parent cd331dc39d
commit 0e2eb5ef72
2 changed files with 7 additions and 3 deletions
--- a/src/Config/config.security.php
+++ b/src/Config/config.security.php
@ -50,12 +50,12 @@ return [
 	| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
 	*/
    'csrf_protection' => true,
-    'csrf_token_name' => 'fw_csrf_token',
+    'csrf_token_name' => 'csrf_token',
    'csrf_expire' => 7200,
    'csrf_exclude_uris' => array(),

    // CSRF Cookie information
-    'csrf_cookie_name' => 'fw_csrf_cookie',
+    'csrf_cookie_name' => 'csrf_cookie',
    'csrf_cookie_prefix' => '',
    'csrf_cookie_domain' => '',
    'csrf_cookie_path' => '/',
--- a/src/FuzeWorks/Security.php
+++ b/src/FuzeWorks/Security.php
@ -188,7 +188,7 @@ class Security {
        $this->input = Factory::getInstance()->input;

        // Is CSRF protection enabled?
-        if ($this->config->csrf_protection)
+        if ($this->config->get('csrf_protection'))
        {
            // CSRF config
            foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
@ -222,6 +222,10 @@ class Security {
     */
    public function csrf_verify(): self
    {
+        // If not enabled, do not run
+        if (!$this->config->get('csrf_protection'))
+            return $this;
+
        // If it's not a POST request we will set the CSRF cookie
        if (strtoupper($this->input->server('REQUEST_METHOD')) !== 'POST')
            return $this->csrf_set_cookie();