feature: set csrf token length

for #389

Author: Greg Bowler

config.default.ini

@@ -52,3 +52,5 @@ query_path=query
 csrf_header=X-CSRF
 ;csrf_ignore_path=/test-csrf-ignore,/test/*/wildcard/,/another-test-ignore
 csrf_ignore_path=
+csrf_max_tokens=100
+csrf_token_length=10

src/Middleware/RequestHandler.php

@@ -197,13 +197,14 @@ public function handle(
 			$serviceContainer->set($session);
 
 			$session = $serviceContainer->get(Session::class);
-			$csrfTokenStore = new SessionTokenStore(
-				$session->getStore("webengine.csrf", true)
-			);
 
 			$shouldVerifyCsrf = true;
 			$ignoredPathArray = explode(",", $this->config->getString("security.csrf_ignore_path") ?? "");
 			foreach($ignoredPathArray as $ignoredPath) {
+				if(empty($ignoredPath)) {
+					continue;
+				}
+
 				if(str_contains($ignoredPath, "*")) {
 					$pattern = strtr(rtrim($ignoredPath, "/"), [
 						"*" => ".*",
@@ -220,6 +221,14 @@ public function handle(
 			}
 
 			if($shouldVerifyCsrf) {
+				$csrfTokenStore = new SessionTokenStore(
+					$session->getStore("webengine.csrf", true),
+					$this->config->getInt("security.csrf_max_tokens")
+				);
+				$csrfTokenStore->setTokenLength(
+					$this->config->getInt("security.csrf_token_length")
+				);
+
 				if($request->getMethod() === "POST") {
 					$csrfTokenStore->verify($_POST);
 				}