Build Your Own PHP Framework
This episode is for members only

Sign up to access "Build Your Own PHP Framework" right now.

Get started
Already a member? Sign in to continue
Playing
48. Rendering views for CSRF errors

Episodes

0%
Your progress
  • Total: 4h 45m
  • Played: 0m
  • Remaining: 4h 45m
Join or sign in to track your progress
01. Setting up
01. Introduction
2m 23s
0%
02. Composer and PSR-4 Autoloading
6m 17s
0%
03. Bootstrapping and structure
3m 18s
0%
04. Error reporting with Ignition
3m 49s
0%
02. Container
05. Using a container
3m 21s
0%
06. Adding service providers
5m 23s
0%
07. Autowiring with reflection
5m 5s
0%
08. Refactoring to a singleton
4m 17s
0%
03. Application config
09. Building the Config class
6m 19s
0%
10. Reading and merging config files
6m 21s
0%
11. Registering service providers through config
2m 13s
0%
12. Using env files
6m 26s
0%
04. Routing and controllers
13. Everything starts with requests
6m 52s
0%
14. Adding routing
5m 27s
0%
15. Responding in routes
4m 13s
0%
16. Cleaning up responding
7m 12s
0%
17. Defining routes in a separate file
3m 10s
0%
18. Creating a controller
5m 17s
0%
19. Using services inside controllers
2m 3s
0%
05. Views
20. Installing Twig
6m 22s
0%
21. Rendering a view
3m 36s
0%
22. Debugging in Twig
4m 45s
0%
23. Creating a base layout
3m 38s
0%
24. Page titles in Twig
4m 31s
0%
25. Creating a Twig config helper
8m 57s
0%
06. Database
26. Setting up and querying the database
13m 29s
0%
27. Working with models
4m 32s
0%
28. Creating an example user profile page
5m 49s
0%
07. Authentication
29. Setting up Sentinel
8m 36s
0%
30. Creating the registration flow
5m 44s
0%
31. Registering and authenticating a user
5m
0%
32. Showing authenticated state
5m 40s
0%
33. Logging in
3m 59s
0%
34. Logging out
3m 2s
0%
08. CSRF Protection
35. Protecting routes with CSRF
7m 51s
0%
36. Adding tokens to forms
6m 5s
0%
09. Flashing messages
37. Basic session flashing
5m 46s
0%
38. Creating a Twig helper and flashing globally
1m 39s
0%
10. Validation
39. Validating the login form
6m 40s
0%
40. Manually adding validation errors
1m 24s
0%
41. Validating the registration form
4m 5s
0%
42. Custom validation rules
9m 39s
0%
11. Middleware
43. How middleware works
5m 41s
0%
44. Adding auth middleware and grouping routes
7m 37s
0%
45. Persisting old form data
6m 53s
0%
12. Exception handling
46. Creating an exception handler
3m 38s
0%
47. Custom 404 (and other error) views
7m 27s
0%
48. Rendering views for CSRF errors
5m 18s
0%
13. Pagination
49. Paginating with Eloquent
7m 48s
0%
50. Building a pagination view with Twig
7m 38s
0%
14. Global helpers
51. Registering functions with PSR-4
1m 50s
0%
52. Container resolution helper
2m 24s
0%
53. View and config helpers
4m 12s
0%
54. Route generator helper
4m 34s
0%

Transcript

00:00
So you're now free to check this exception that's been thrown,
00:04
create any other if statements you want in here to check the exception. So, for example, you could check if the exception is an instance of a particular exception that you've added in your application, and then you can perform any action that you want in here, either by logging something, displaying a view,
00:22
whatever you want to do. What we're going to look at now, though, is creating a custom exception with an HTTP status code, and that is going to be for our cross-site request forgery failure. Now, let's go ahead and just recreate this in the browser.
00:35
So I'm going to go ahead and hit Log In here, and let's try and just sign in. We know that that works nicely, but what if we modified the code? So we could do this in a couple of ways, but let's just go ahead and get rid of the part of the value here, and let's try and hit Log In.
00:52
We get this error just here, which, remember, comes from the cross-site request forgery middleware provided by that slim guard class. So we want to customize this. Now, there are infinite ways that you can customize certain exceptions that are thrown.
01:08
In the case of our cross-site request forgery, if we come over to our cross-site request forgery service provider, what we can do on the guard class that we've been using is we can set a failure handler. So it has a method here that sets the failure handler within this guard, and then
01:27
when we get down to that process method, we know that it tries to access, if we just come down to here, handle failure, and that will give us what we've used in there. So basically, we can overwrite the failure handler with our own custom exception, which has an HTTP code, and then we can render a view.
01:47
So the goal here is to render a nice view if the token doesn't match to ask the user to refresh the page. So let's go ahead and start to do this now. So we're going to go ahead and set the failure handler in here.
01:58
This will just be a closure that does something. So in our case, we're just going to throw an exception. So let's throw a new exception in here. We don't have that at the moment.
02:07
Let's create our own custom one. So let's create our class in here called cross-site request forgery token exception, and let's create this out. Okay, so we're going to throw this from that cross-site request forgery failure handler.
02:22
So let's throw a new cross-site request forgery token exception. It's probably not filling this in because it doesn't look like an exception at the moment, but let's go ahead and import that anyway. Okay, let's go over to the exception, and for this to be an exception,
02:37
we need to extend an HTTP exception. We could extend a standard exception, but in our case, we want this to be an HTTP exception. So this is under, if we just find this by going into league root HTTP, this is what we want to throw.
02:54
Okay, so if we take a look, we can pretty much just copy any of the other HTTP exceptions that we have. So we already saw the not found exception over here, which just, if we just open up the right one, so this one just here, not found exception, all this does is it,
03:12
inside of the constructor, calls the parent constructor with the right code. So we're going to grab all of this inside of here, go back over to our own exception, and just paste this in. Now, what we can do is change around the message.
03:24
So you could, again, remember in our handler, send that message down to the view. If you want to do, you could send the entire exception down. So you could actually render this out with the contents of the message. Let's go ahead and change that over to cross-site request forgery token mismatch.
03:42
And let's change the status code over here to 422, which is pretty standard for most of these. Okay, now that we've got that, and we're throwing it over from our cross-site request forgery service provider, we should be good. Let's just try this out first of all.
03:58
So let's go back over to login. I'm going to go ahead and modify the value of the token in here and hit login. And there we go. Great.
04:05
We got our own custom exception thrown specifically for this package. Now, what we need to do is because we've already set up that automatic rendering of views for any of the status codes that we have on exceptions, we just need to go ahead and create our new view. So let's go and create 422, which is the status that we gave it.
04:27
And we'll just say token expired, or let's make it a bit more user-friendly, page expired. Please go back and refresh. Which is pretty common because if a user is sat around on a page for too long, they're going to end up with an expired token, so we at least want to tell them what to do.
04:43
Okay, so now if we were to hang around on this page too long and the token ended up expiring, when we hit login now, we get our own custom page. So there we go. Anywhere that you want to throw an HTTP exception now, you can customize this much like we've done
05:01
with this custom cross-site request forgery exception, set the message, set the code, and the view we rendered for you. Otherwise, over in your handler, just create out an if statement in here and perform an action if it's an instance of any custom exceptions you've created.

Episode summary

In this episode, we dive into handling CSRF (Cross-Site Request Forgery) errors in a more user-friendly way. We start off by replicating a CSRF error in our app—just to see what happens when a token mismatch occurs during login. Instead of relying on the default error response, we want to show a custom, helpful page.

To achieve this, we set up a custom failure handler on our CSRF guard that throws our very own exception when a token mismatch is detected. We build a new exception class (extending an HTTP exception for the right response codes) and set it to use a 422 status code, which is typical for these types of errors.

Next, we take advantage of our automatic view rendering for HTTP status codes by creating a new view for the 422 code. We make sure the message is clear and actionable, like telling the user to refresh the page if their session or form token has expired due to inactivity.

By the end, anytime there's a CSRF failure, users see our custom page rather than a generic error. Plus, the same pattern can be used to handle any other exceptions in a way that puts you fully in control of the user experience.

Episode discussion

No comments, yet. Be the first!