Merge ce10d10 into 5217e76

cakephp · May 15, 2020 · 0594425 · 0594425
2 parents 5217e76 + ce10d10
commit 0594425
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 5 deletions.
diff --git a/src/Http/Middleware/CsrfProtectionMiddleware.php b/src/Http/Middleware/CsrfProtectionMiddleware.php
@@ -53,7 +53,10 @@ class CsrfProtectionMiddleware implements MiddlewareInterface
      *  - `expiry` A strotime compatible value of how long the CSRF token should last.
      *    Defaults to browser session.
      *  - `secure` Whether or not the cookie will be set with the Secure flag. Defaults to false.
-     *  - `httpOnly` Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
+     *  - `httponly` Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
+     *  - 'samesite' "SameSite" attribute for cookies. Defaults to `null`.
+     *    Valid values: `CookieInterface::SAMESITE_LAX`, `CookieInterface::SAMESITE_STRICT`,
+     *    `CookieInterface::SAMESITE_NONE` or `null`.
      *  - `field` The form field to check. Changing this will also require configuring
      *    FormHelper.
      *
@@ -63,7 +66,8 @@ class CsrfProtectionMiddleware implements MiddlewareInterface
         'cookieName' => 'csrfToken',
         'expiry' => 0,
         'secure' => false,
-        'httpOnly' => false,
+        'httponly' => false,
+        'samesite' => null,
         'field' => '_csrfToken',
     ];
 
@@ -88,6 +92,11 @@ class CsrfProtectionMiddleware implements MiddlewareInterface
      */
     public function __construct(array $config = [])
     {
+        if (array_key_exists('httpOnly', $config)) {
+            $config['httponly'] = $config['httpOnly'];
+            deprecationWarning('Option `httpOnly` is deprecated. Use lowercased `httpOnly` instead.');
+        }
+
         $this->_config = $config + $this->_config;
     }
 
@@ -294,7 +303,8 @@ protected function _createCookie(string $value, ServerRequestInterface $request)
                 'expires' => $this->_config['expiry'] ?: null,
                 'path' => $request->getAttribute('webroot'),
                 'secure' => $this->_config['secure'],
-                'httponly' => $this->_config['httpOnly'],
+                'httponly' => $this->_config['httponly'],
+                'samesite' => $this->_config['samesite'],
             ]
         );
 

diff --git a/tests/TestCase/Http/Middleware/CsrfProtectionMiddlewareTest.php b/tests/TestCase/Http/Middleware/CsrfProtectionMiddlewareTest.php
@@ -17,6 +17,7 @@
 namespace Cake\Test\TestCase\Http\Middleware;
 
 use Cake\Http\Cookie\Cookie;
+use Cake\Http\Cookie\CookieInterface;
 use Cake\Http\Exception\InvalidCsrfTokenException;
 use Cake\Http\Middleware\CsrfProtectionMiddleware;
 use Cake\Http\Response;
@@ -366,7 +367,8 @@ public function testConfigurationCookieCreate()
             'cookieName' => 'token',
             'expiry' => '+1 hour',
             'secure' => true,
-            'httpOnly' => true,
+            'httponly' => true,
+            'samesite' => CookieInterface::SAMESITE_STRICT,
         ]);
         $response = $middleware->process($request, $this->_getRequestHandler());
 
@@ -377,7 +379,30 @@ public function testConfigurationCookieCreate()
         $this->assertWithinRange(strtotime('+1 hour'), $cookie['expires'], 1, 'session duration.');
         $this->assertSame('/dir/', $cookie['path'], 'session path.');
         $this->assertTrue($cookie['secure'], 'cookie security flag missing');
-        $this->assertTrue($cookie['httponly'], 'cookie httpOnly flag missing');
+        $this->assertTrue($cookie['httponly'], 'cookie httponly flag missing');
+        $this->assertSame(CookieInterface::SAMESITE_STRICT, $cookie['samesite'], 'samesite attribute missing');
+    }
+
+    public function testUsingDeprecatedConfigKey()
+    {
+        $this->deprecated(function () {
+            $request = new ServerRequest([
+                'environment' => ['REQUEST_METHOD' => 'GET'],
+                'webroot' => '/dir/',
+            ]);
+
+            $middleware = new CsrfProtectionMiddleware([
+                'cookieName' => 'token',
+                'expiry' => '+1 hour',
+                'secure' => true,
+                'httpOnly' => true,
+                'samesite' => CookieInterface::SAMESITE_STRICT,
+            ]);
+            $response = $middleware->process($request, $this->_getRequestHandler());
+
+            $cookie = $response->getCookie('token');
+            $this->assertTrue($cookie['httponly'], 'cookie httponly flag missing');
+        });
     }
 
     /**