feature: configure csrf token sharing

Greg Bowler · Greg Bowler · commit 694fee5856db · 2022-09-25T15:50:28.000+01:00
closes #389
diff --git a/config.default.ini b/config.default.ini
@@ -54,3 +54,5 @@ csrf_header=X-CSRF
 csrf_ignore_path=
 csrf_max_tokens=100
 csrf_token_length=10
+;Generate tokens once "per-form" or once "per-page"
+csrf_token_sharing=per-page
diff --git a/src/Middleware/RequestHandler.php b/src/Middleware/RequestHandler.php
@@ -233,8 +233,12 @@ public function handle(
 					$csrfTokenStore->verify($_POST);
 				}
 
+				$sharing = match($this->config->getString("security.csrf_token_sharing")) {
+					"per-page" => HTMLDocumentProtector::ONE_TOKEN_PER_PAGE,
+					default => HTMLDocumentProtector::ONE_TOKEN_PER_FORM,
+				};
 				$protector = new HTMLDocumentProtector($viewModel, $csrfTokenStore);
-				$tokens = $protector->protect(HTMLDocumentProtector::ONE_TOKEN_PER_FORM);
+				$tokens = $protector->protect($sharing);
 				$response = $response->withHeader($this->config->getString("security.csrf_header"), $tokens);
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -233,8 +233,12 @@ public function handle(`
`233`	`233`	`$csrfTokenStore->verify($_POST);`
`234`	`234`	`}`
`235`	`235`
	`236`	`+ $sharing = match($this->config->getString("security.csrf_token_sharing")) {`
	`237`	`+ "per-page" => HTMLDocumentProtector::ONE_TOKEN_PER_PAGE,`
	`238`	`+ default => HTMLDocumentProtector::ONE_TOKEN_PER_FORM,`
	`239`	`+ };`
`236`	`240`	`$protector = new HTMLDocumentProtector($viewModel, $csrfTokenStore);`
`237`		`- $tokens = $protector->protect(HTMLDocumentProtector::ONE_TOKEN_PER_FORM);`
	`241`	`+ $tokens = $protector->protect($sharing);`
`238`	`242`	`$response = $response->withHeader($this->config->getString("security.csrf_header"), $tokens);`
`239`	`243`	`}`
`240`	`244`	`}`