Build Your Own PHP Framework
This episode is for members only

Sign up to access "Build Your Own PHP Framework" right now.

Get started
Already a member? Sign in to continue
Playing
35. Protecting routes with CSRF

Episodes

0%
Your progress
  • Total: 4h 45m
  • Played: 0m
  • Remaining: 4h 45m
Join or sign in to track your progress
01. Setting up
01. Introduction
2m 23s
0%
02. Composer and PSR-4 Autoloading
6m 17s
0%
03. Bootstrapping and structure
3m 18s
0%
04. Error reporting with Ignition
3m 49s
0%
02. Container
05. Using a container
3m 21s
0%
06. Adding service providers
5m 23s
0%
07. Autowiring with reflection
5m 5s
0%
08. Refactoring to a singleton
4m 17s
0%
03. Application config
09. Building the Config class
6m 19s
0%
10. Reading and merging config files
6m 21s
0%
11. Registering service providers through config
2m 13s
0%
12. Using env files
6m 26s
0%
04. Routing and controllers
13. Everything starts with requests
6m 52s
0%
14. Adding routing
5m 27s
0%
15. Responding in routes
4m 13s
0%
16. Cleaning up responding
7m 12s
0%
17. Defining routes in a separate file
3m 10s
0%
18. Creating a controller
5m 17s
0%
19. Using services inside controllers
2m 3s
0%
05. Views
20. Installing Twig
6m 22s
0%
21. Rendering a view
3m 36s
0%
22. Debugging in Twig
4m 45s
0%
23. Creating a base layout
3m 38s
0%
24. Page titles in Twig
4m 31s
0%
25. Creating a Twig config helper
8m 57s
0%
06. Database
26. Setting up and querying the database
13m 29s
0%
27. Working with models
4m 32s
0%
28. Creating an example user profile page
5m 49s
0%
07. Authentication
29. Setting up Sentinel
8m 36s
0%
30. Creating the registration flow
5m 44s
0%
31. Registering and authenticating a user
5m
0%
32. Showing authenticated state
5m 40s
0%
33. Logging in
3m 59s
0%
34. Logging out
3m 2s
0%
08. CSRF Protection
35. Protecting routes with CSRF
7m 51s
0%
36. Adding tokens to forms
6m 5s
0%
09. Flashing messages
37. Basic session flashing
5m 46s
0%
38. Creating a Twig helper and flashing globally
1m 39s
0%
10. Validation
39. Validating the login form
6m 40s
0%
40. Manually adding validation errors
1m 24s
0%
41. Validating the registration form
4m 5s
0%
42. Custom validation rules
9m 39s
0%
11. Middleware
43. How middleware works
5m 41s
0%
44. Adding auth middleware and grouping routes
7m 37s
0%
45. Persisting old form data
6m 53s
0%
12. Exception handling
46. Creating an exception handler
3m 38s
0%
47. Custom 404 (and other error) views
7m 27s
0%
48. Rendering views for CSRF errors
5m 18s
0%
13. Pagination
49. Paginating with Eloquent
7m 48s
0%
50. Building a pagination view with Twig
7m 38s
0%
14. Global helpers
51. Registering functions with PSR-4
1m 50s
0%
52. Container resolution helper
2m 24s
0%
53. View and config helpers
4m 12s
0%
54. Route generator helper
4m 34s
0%

Transcript

00:00
If you're not familiar with what Cross-Site Request Forgery Protection is, let's just take a minute to explain why this is really important, and then we'll look at the solution that we're going to implement in this framework. So let's imagine that we just go ahead and view the source for this page.
00:16
You can see that we've got this action here to log out. We know that we want to post through to this rather than this be a link, just a get link. If this was a get link, I could send this to anyone to log them out. So if I just paste this link to someone, they click on it,
00:33
they'll go over to our application, they'll automatically be signed out. That's why we set this as a post, so we can add some additional protection. Now, even if it is post, that's not stopping anyone taking this entire form, putting it on a malicious or fake website,
00:50
and having the user click this link to post through to our application. With a form, we can post through to any website at all. So what is going to happen here, not necessarily for logging out, because it's not really a destructive action,
01:06
but any form that you implement within an application. Let's say we had a form that deleted a resource, deleted something, or did some sort of destructive action. Someone could take this form, they could go ahead and put it on a website,
01:20
we could click the link unknowingly, and post through to our site. So the way that we get around this is every time we display a form in our application, we add a hidden input to this, as well as any other fields that we need. And that token will only be generated when we hit the web app,
01:38
which means that when we submit this, we can check that the token that we generated within the app itself exists within a session. So effectively, it's just a token that only our application knows about. So when we post through, we can check that the token matches.
01:55
So that's pretty much what cross-site request forgery is. Let's go ahead and look at how we're going to implement this. Now, once again, because this is a security measure, we don't really want to be generating tokens ourselves, putting them in sessions.
02:09
Instead, we're going to use the cross-site request forgery middleware from the SLIM PHP framework. Now, this integrates really nicely into the SLIM framework, but we can also use this outside of the framework as well, much like we've done with some other packages.
02:25
So we're going to go ahead and pull this in and see how we get this set up. Okay, let's go ahead and grab the command to pull this into our own application. And let's just pop this in here and require this in with Composer. Now, once this is done, as you'd imagine,
02:39
we're going to go ahead and create a service provider for this, so we can easily access this functionality. So let's go ahead and create out a cross-site request forgery service provider, or CSRF for short. And once again, let's grab one of the other service providers that we have
02:57
and paste this over and start to change everything around. So let's say cross-site request forgery service provider, get rid of what is in boot. And we're just going to register this under here. So we have it available both within the middleware and within our views,
03:12
so we can actually render the token. So let's go ahead and grab out our container. Let's add this, and we can just do this as a single string. It doesn't really matter too much,
03:22
because we're not going to need to explicitly load this into our controllers, although we could do. And let's go ahead and set this as shared as we've done before. Now, we need to create out a new guard class.
03:34
So guard is what comes from that package. Now, if we look into this, you can see that this requires that we have a response factory. We already are dealing with responses,
03:45
so all we're going to do in here is just new up a response factory. So let's go ahead and do that now from this directories package that we're using. And that's pretty much it ready to go. We can go ahead and return this directly in here, and we can start to use it.
04:01
Okay, so now that we have got this set up, let's apply some middleware to our routes, so we can see what happens when we post through to any of our post routes. So let's come over to our web routes,
04:14
and there's a couple of ways that we could do this. We can either apply this to specific routes if we want to, or we can apply it globally. And we'll dive into the middleware in a minute to see how this works.
04:25
So we're going to start to touch on middleware now. Let's go ahead and just say router middleware. This is going to apply some global middleware to our application. And then what we're going to do is from our container,
04:38
we're going to grab out that cross site request forgery item. So this might seem a little bit strange because if we think about it, we have that guard, but we're pulling this in and applying it as middleware to each of our routes. Effectively, what middleware will do is it will run before we hit any of these routes inside of here.
04:58
Let's go ahead and see what happens in the browser, and then we'll dive into what this guard class is actually doing behind the scenes. Okay, so let's come over and just make sure we fix up our cross site request forgery service provider by letting it know that we are using that service.
05:15
And of course, let's also go ahead and add that to our app config as well. So cross site request forgery service provider. Okay, let's go over, give that a refresh. So everything is working as normal.
05:26
But now when I hit log out, you can see that we get this failed cross site request forgery check error. We're going to be customizing this a little bit later on. So if you want to show a much nicer message, if the cross site request forgery token is expired, then you can do that.
05:41
But now what's happening is it's not letting us post through to any routes unless the token exists and matches within this form. Okay, so we've got cross site request forgery protection enabled. In the next episode, we're going to create that token now. But let's just dive into this middleware to see what's actually happening.
06:00
So we're going to go ahead and open up this guard class that we looked at a minute ago. And if we just take a look through the methods here, you can see that we've got quite a lot going on here. What we're interested in is, let's just find it here, the process method just in here. So what's actually happening here is this entire class is technically middleware.
06:21
So we can use it to generate tokens with any of the methods that are available. But this process middleware or this process method will be called when we attach it to middleware within our router. So every time we post through, this process method is getting called. Let's take a look at what is happening here.
06:39
So we're grabbing the parse body, which is fine, that will just allow us to extract any information out that we need. A little bit further down, you can see that it's only doing this check. So it's only validating this token if the method of the request is post, put, delete or patch. So now that this middleware is applied globally, it's going to go ahead and only run this if we are making a post request, put, delete or patch request.
07:04
That's why over in the browser, it works when we just hit a normal get route, because we don't need middleware for get routes. But of course, it is doing this for when we try and post through to log out. So down here, if this fails for any reason, we have this handle failure. We're going to add a custom failure handler a little bit later so we can render out a nice view to tell the user that they need to go back, refresh the page and submit the form again.
07:31
So that's what's happening behind the scenes. In the next episode, we're going to dive back into this guard class so we can look at how to extract the tokens that we need to actually apply to the form. And we can create out a really simple helper for our forms with Twig to get that token in there. At the moment, we're stuck with not being able to do much.

Episode summary

In this episode, we dive into what Cross-Site Request Forgery (CSRF) actually is, why it's so important to protect against it, and how to set up CSRF protection in our application. We start off by looking at how forms can be vulnerable to CSRF attacks, especially for sensitive actions like deleting data or logging out users, and why simply using POST requests isn’t enough to stop attacks.

To protect our routes, we integrate a CSRF middleware using the Slim PHP framework. You'll see how to pull the package in with Composer, set up a new CSRF Service Provider, and wire it into the app’s container and configuration. We also cover how to apply this middleware to your routes, either globally or to specific ones, so any unsafe requests without the correct token get blocked.

Together, we hop into the guard class from the package to explore how the middleware actually checks tokens, when it runs, and why GET requests are unaffected. You'll see how failed CSRF checks are handled, and a quick mention that we'll customize this in the future for nicer error messages.

By the end of this episode, CSRF protection will be live in your app. Up next, we’ll focus on generating and using tokens in your forms so the protection works smoothly for your users.

Episode discussion

No comments, yet. Be the first!