Define all Cookie arguments explicitly (#58)

* Define all Cookie arguments explicitly

This adds support for Symfony 4.2, which deprecates not defining all the arguments as some of their default values are scheduled to change in Symfony 5.0.

* Set Cookie $sameSite as `lax` instead of null

This is the default value as of Symfony 4.2, and makes cookies safer as they won't be sent along with cross-site requests.

Also, added missing prediction when registering the cookie in the ResponseHeaderBag.

* Define PHP version in cinst instruction

This ensures appveyor uses PHP 7.2 and not a default version(currently 7.3)

* Fixed tests after new method call in Symfony 4.2.6 and 3.4.25

Author: iambrosi

EventListener/AngularCsrfCookieListener.php

@@ -102,7 +102,9 @@ public function onKernelResponse(FilterResponseEvent $event)
             $this->cookiePath,
             $this->cookieDomain,
             $this->cookieSecure,
-            false
+            false /* httpOnly */,
+            false /* raw */,
+            Cookie::SAMESITE_LAX
         ));
     }
 }

appveyor.yml

@@ -10,7 +10,7 @@ init:
 
 install:
   - ps: Set-Service wuauserv -StartupType Manual
-  - cinst -y php
+  - cinst -y php --version 7.2.17
   - cd c:\tools\php72
   - copy php.ini-production php.ini /Y
   - echo date.timezone="UTC" >> php.ini

spec/Dunglas/AngularCsrfBundle/DependencyInjection/DunglasAngularCsrfExtensionSpec.php

@@ -60,6 +60,11 @@ public function it_loads(ContainerBuilder $container, ParameterBagInterface $par
             $container->addResource(Argument::type('Symfony\Component\Config\Resource\FileResource'))->shouldBeCalled();
         }
 
+        if (method_exists('Symfony\Component\DependencyInjection\ContainerBuilder', 'addRemovedBindingIds')) {
+            // Added in Symfony v4.2.6 and v3.4.25
+            $container->addRemovedBindingIds(Argument::type('string'))->willReturn(null);
+        }
+
         $container->getParameterBag()->willReturn($parameterBag)->shouldBeCalled();
         $container->hasExtension('http://symfony.com/schema/dic/services')->willReturn(false)->shouldBeCalled();
         $container->setParameter('dunglas_angular_csrf.token.id', $configs['dunglas_angular_csrf']['token']['id'])->shouldBeCalled();

spec/Dunglas/AngularCsrfBundle/EventListener/AngularCsrfCookieListenerSpec.php

@@ -79,7 +79,10 @@ public function it_sets_cookie_when_it_does(
         Response $response,
         ResponseHeaderBag $headers
     ) {
-        $headers->setCookie(Argument::type('Symfony\Component\HttpFoundation\Cookie'));
+        $headers->setCookie(Argument::allOf(
+            Argument::type('Symfony\Component\HttpFoundation\Cookie'),
+            Argument::which('getSameSite', 'lax')
+        ))->shouldBeCalled();
         $response->headers = $headers;
 
         $event->getRequestType()->willReturn(HttpKernelInterface::MASTER_REQUEST)->shouldBeCalled();