Merge pull request #11 from wdhaoui/feature/add-http-only-config

feat(Cookies): add new option httpOnly

Author: dneustadt

DependencyInjection/Configuration.php

@@ -23,6 +23,7 @@ public function getConfigTreeBuilder(): TreeBuilder
             ->integerNode('expire')->defaultValue(0)->end()
             ->scalarNode('path')->cannotBeEmpty()->defaultValue('/')->end()
             ->scalarNode('domain')->defaultNull()->end()
+            ->booleanNode('httpOnly')->defaultFalse()->end()
             ->booleanNode('secure')->defaultFalse()->end()
             ->scalarNode('header')->cannotBeEmpty()->defaultValue('X-XSRF-TOKEN')->end()
             ->scalarNode('sameSite')->cannotBeEmpty()->defaultValue(Cookie::SAMESITE_LAX)->end()

DependencyInjection/DneustadtCsrfCookieExtension.php

@@ -22,6 +22,7 @@ public function load(array $configs, ContainerBuilder $container): void
         $container->setParameter('dneustadt_csrf_cookie.expire', $config['expire']);
         $container->setParameter('dneustadt_csrf_cookie.path', $config['path']);
         $container->setParameter('dneustadt_csrf_cookie.domain', $config['domain']);
+        $container->setParameter('dneustadt_csrf_cookie.httpOnly', $config['httpOnly']);
         $container->setParameter('dneustadt_csrf_cookie.secure', $config['secure']);
         $container->setParameter('dneustadt_csrf_cookie.header', $config['header']);
         $container->setParameter('dneustadt_csrf_cookie.sameSite', $config['sameSite']);

README.md

@@ -40,6 +40,8 @@ dneustadt_csrf_cookie:
     path: /
     # Cookie domain
     domain: null
+    # Cookie HttpOnly
+    httpOnly: true
     # Cookie secure
     secure: false
     # Name of the HTTP header the token is expected to be stored in

Resources/config/services.yaml

@@ -11,6 +11,7 @@ services:
             $cookieExpire: '%dneustadt_csrf_cookie.expire%'
             $cookiePath: '%dneustadt_csrf_cookie.path%'
             $cookieDomain: '%dneustadt_csrf_cookie.domain%'
+            $cookieHttpOnly: '%dneustadt_csrf_cookie.httpOnly%'
             $cookieSecure: '%dneustadt_csrf_cookie.secure%'
             $cookieHeader: '%dneustadt_csrf_cookie.header%'
             $cookieSameSite: '%dneustadt_csrf_cookie.sameSite%'

Service/CsrfRequestEvaluator.php

@@ -52,6 +52,11 @@ class CsrfRequestEvaluator
      */
     protected $cookieDomain;
 
+    /**
+     * @var bool
+     */
+    protected $cookieHttpOnly;
+
     /**
      * @var bool
      */
@@ -75,6 +80,7 @@ public function __construct(
         int $cookieExpire,
         string $cookiePath,
         ?string $cookieDomain,
+        bool $cookieHttpOnly,
         bool $cookieSecure,
         string $cookieHeader,
         string $cookieSameSite
@@ -86,6 +92,7 @@ public function __construct(
         $this->cookieExpire = $cookieExpire;
         $this->cookiePath = $cookiePath;
         $this->cookieDomain = $cookieDomain;
+        $this->cookieHttpOnly = $cookieHttpOnly;
         $this->cookieSecure = $cookieSecure;
         $this->cookieHeader = $cookieHeader;
         $this->cookieSameSite = $cookieSameSite;
@@ -143,7 +150,7 @@ public function setCookie(Request $request, Response $response): void
                 $this->cookiePath,
                 $this->cookieDomain,
                 $this->cookieSecure,
-                false,
+                $this->cookieHttpOnly,
                 false,
                 $this->cookieSameSite
             )