Merge pull request #11 from wdhaoui/feature/add-http-only-config

feat(Cookies): add new option httpOnly
dneustadt · Jun 21, 2023 · 58c4b2b · 58c4b2b
2 parents b43623f + 3f8ccd0
commit 58c4b2b
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 1 deletion.
diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
@@ -23,6 +23,7 @@ public function getConfigTreeBuilder(): TreeBuilder
             ->integerNode('expire')->defaultValue(0)->end()
             ->scalarNode('path')->cannotBeEmpty()->defaultValue('/')->end()
             ->scalarNode('domain')->defaultNull()->end()
+            ->booleanNode('httpOnly')->defaultFalse()->end()
             ->booleanNode('secure')->defaultFalse()->end()
             ->scalarNode('header')->cannotBeEmpty()->defaultValue('X-XSRF-TOKEN')->end()
             ->scalarNode('sameSite')->cannotBeEmpty()->defaultValue(Cookie::SAMESITE_LAX)->end()

diff --git a/DependencyInjection/DneustadtCsrfCookieExtension.php b/DependencyInjection/DneustadtCsrfCookieExtension.php
@@ -22,6 +22,7 @@ public function load(array $configs, ContainerBuilder $container): void
         $container->setParameter('dneustadt_csrf_cookie.expire', $config['expire']);
         $container->setParameter('dneustadt_csrf_cookie.path', $config['path']);
         $container->setParameter('dneustadt_csrf_cookie.domain', $config['domain']);
+        $container->setParameter('dneustadt_csrf_cookie.httpOnly', $config['httpOnly']);
         $container->setParameter('dneustadt_csrf_cookie.secure', $config['secure']);
         $container->setParameter('dneustadt_csrf_cookie.header', $config['header']);
         $container->setParameter('dneustadt_csrf_cookie.sameSite', $config['sameSite']);

diff --git a/README.md b/README.md
@@ -40,6 +40,8 @@ dneustadt_csrf_cookie:
     path: /
     # Cookie domain
     domain: null
+    # Cookie HttpOnly
+    httpOnly: true
     # Cookie secure
     secure: false
     # Name of the HTTP header the token is expected to be stored in

diff --git a/Resources/config/services.yaml b/Resources/config/services.yaml
@@ -11,6 +11,7 @@ services:
             $cookieExpire: '%dneustadt_csrf_cookie.expire%'
             $cookiePath: '%dneustadt_csrf_cookie.path%'
             $cookieDomain: '%dneustadt_csrf_cookie.domain%'
+            $cookieHttpOnly: '%dneustadt_csrf_cookie.httpOnly%'
             $cookieSecure: '%dneustadt_csrf_cookie.secure%'
             $cookieHeader: '%dneustadt_csrf_cookie.header%'
             $cookieSameSite: '%dneustadt_csrf_cookie.sameSite%'

diff --git a/Service/CsrfRequestEvaluator.php b/Service/CsrfRequestEvaluator.php
@@ -52,6 +52,11 @@ class CsrfRequestEvaluator
      */
     protected $cookieDomain;
 
+    /**
+     * @var bool
+     */
+    protected $cookieHttpOnly;
+
     /**
      * @var bool
      */
@@ -75,6 +80,7 @@ public function __construct(
         int $cookieExpire,
         string $cookiePath,
         ?string $cookieDomain,
+        bool $cookieHttpOnly,
         bool $cookieSecure,
         string $cookieHeader,
         string $cookieSameSite
@@ -86,6 +92,7 @@ public function __construct(
         $this->cookieExpire = $cookieExpire;
         $this->cookiePath = $cookiePath;
         $this->cookieDomain = $cookieDomain;
+        $this->cookieHttpOnly = $cookieHttpOnly;
         $this->cookieSecure = $cookieSecure;
         $this->cookieHeader = $cookieHeader;
         $this->cookieSameSite = $cookieSameSite;
@@ -143,7 +150,7 @@ public function setCookie(Request $request, Response $response): void
                 $this->cookiePath,
                 $this->cookieDomain,
                 $this->cookieSecure,
-                false,
+                $this->cookieHttpOnly,
                 false,
                 $this->cookieSameSite
             )