From 0e2eb5ef7235ad1e4ea0ca15ad17139f66ec3fd1 Mon Sep 17 00:00:00 2001
From: Abel Hoogeveen
Date: Tue, 15 Mar 2022 19:18:45 +0100
Subject: [PATCH] `config.web.php` already provides a prefix, so `config.security` should not provide one. Can be merged later whenever necessary. Also verifies if the protection is enabled or not.
---
 src/Config/config.security.php | 4 ++--
 src/FuzeWorks/Security.php | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/Config/config.security.php b/src/Config/config.security.php
index 346fcbc..46a494c 100644
--- a/src/Config/config.security.php
+++ b/src/Config/config.security.php
@@ -50,12 +50,12 @@ return [
 | 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
 */
 'csrf_protection' => true,
- 'csrf_token_name' => 'fw_csrf_token',
+ 'csrf_token_name' => 'csrf_token',
 'csrf_expire' => 7200,
 'csrf_exclude_uris' => array(),
 // CSRF Cookie information
- 'csrf_cookie_name' => 'fw_csrf_cookie',
+ 'csrf_cookie_name' => 'csrf_cookie',
 'csrf_cookie_prefix' => '',
 'csrf_cookie_domain' => '',
 'csrf_cookie_path' => '/',
diff --git a/src/FuzeWorks/Security.php b/src/FuzeWorks/Security.php
index 574daf5..ab6174c 100644
--- a/src/FuzeWorks/Security.php
+++ b/src/FuzeWorks/Security.php
@@ -188,7 +188,7 @@ class Security {
 $this->input = Factory::getInstance()->input;
 // Is CSRF protection enabled?
- if ($this->config->csrf_protection)
+ if ($this->config->get('csrf_protection'))
 {
 // CSRF config
 foreach (array('csrf_expire', 'csrf_token_name', 'csrf_cookie_name') as $key)
@@ -222,6 +222,10 @@ class Security {
 */
 public function csrf_verify(): self
 {
+ // If not enabled, do not run
+ if (!$this->config->get('csrf_protection'))
+ return $this;
+
 // If it's not a POST request we will set the CSRF cookie
 if (strtoupper($this->input->server('REQUEST_METHOD')) !== 'POST')
 return $this->csrf_set_cookie();
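Review bot: `'csrf_cookie_prefix' => ''` stays empty in `config.security.php` while the `fw_` part is dropped from `csrf_token_name` and `csrf_cookie_name`, so whether the cookie keeps a distinguishing name depends on which prefix key `Security.php` reads, and that code is not in this patch. If it reads `csrf_cookie_prefix` from this file rather than the prefix in `config.web.php`, the cookie is issued as plain `csrf_cookie` on path `/`, a name that can clash with another application on the same host. A comment beside the two names would settle it, for example `// Effective cookie name = cookie prefix from config.web.php + this value`. The `return [` array starts and ends outside the hunk.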
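Review bot: The guard `if ($this->config->get('csrf_protection'))` in the `@@ -188,7` hunk of `Security.php` is a loose truthiness test, and the same test is negated in `csrf_verify()` in the `@@ -222,6` hunk, so any falsy result switches the protection off silently. If `get()` yields `null` or an empty value for a missing or mistyped key (its behaviour is not visible here), both the CSRF setup and the verification are skipped with no signal. A fail-closed form treats only an explicit `false` as disabled: `if ($this->config->get('csrf_protection') !== false)` here and `if ($this->config->get('csrf_protection') === false) return $this;` in `csrf_verify()`. The enclosing method, presumably the constructor, starts and ends outside this hunk.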
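Review bot: The docblock that closes at the top of the `@@ -222,6` hunk should state the new early return, because callers of `csrf_verify()` now get `$this` back without any token check when `csrf_protection` is off. A line such as `Returns immediately, without verifying the token, when 'csrf_protection' is disabled in config.security.` fits there; the docblock text itself is outside the hunk. A debug-level log entry on this path would also make a disabled control visible in operations, though which logger the class uses is not shown here.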