Fix HMAC CSRF token payload#91

Open
samdark wants to merge 10 commits into
masterfrom
issue-32-update-csrf-docs
Conversation

@samdark

@samdark samdark commented Jun 8, 2026

Member
  • change HMAC CSRF tokens so the emitted payload contains expiration only, while the HMAC remains bound to the current identity
  • stop exposing the default session identity in decoded token payloads
  • update OWASP CSRF cheat sheet terminology/link and clarify HMAC token replay semantics

Fixes #32.

Copilot AI review requested due to automatic review settings June 8, 2026 09:39
@coderabbitai

coderabbitai Bot commented Jun 8, 2026

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


Copilot AI left a comment


Pull request overview

This pull request updates the stateless HMAC CSRF token format so the emitted payload no longer exposes the session identity and instead carries only expiration metadata plus random data, while keeping the signature bound to the current identity. It also refreshes OWASP CSRF cheat-sheet wording/links and adds tests covering the new token semantics.

Changes:

  • Reworked HmacCsrfToken so token payload = {expiration}~{random} and the HMAC is computed using a session-bound identity without embedding it in the payload.
  • Added tests to ensure token values change per call and that decoded payloads do not contain the session identity.
  • Updated README/CHANGELOG to reflect the revised “HMAC signed token” terminology and OWASP link/semantics.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Reviewed files:
  • src/Hmac/HmacCsrfToken.php: changes HMAC token encoding/validation to avoid exposing identity and to include random payload + expiration.
  • tests/Hmac/HmacCsrfTokenTest.php: adds coverage for non-deterministic token values and verifies identity is not present in decoded payloads.
  • README.md: updates documentation terminology, OWASP link anchor, and clarifies replay semantics.
  • CHANGELOG.md: notes the bug fix for #32 and documentation update.

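The token scheme the review summarises above, as an added illustrative reimplementation that is not the package's code: the emitted token carries only `{expiration}~{random}` plus a MAC, while the MAC input also includes the session identity, so the identity binds the signature without appearing in the token. The exact wire encoding (`~`-separated fields, hex-encoded SHA-256 HMAC) and the function names are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed layout for this example: "<expiration>~<random>~<mac-hex>".
# The MAC covers "<expiration>~<random>~<identity>", so a token minted
# for one session identity does not verify under another, yet the
# identity itself is never exposed in the token value.

def _mac(secret: bytes, payload: str, identity: str) -> str:
    msg = f"{payload}~{identity}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def generate_token(secret: bytes, identity: str, lifetime: int,
                   now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    # Fresh randomness per call: two tokens for the same identity differ.
    payload = f"{now + lifetime}~{secrets.token_hex(16)}"
    return f"{payload}~{_mac(secret, payload, identity)}"

def decode_payload(token: str) -> dict:
    # What an observer can read from the token: expiration and random
    # bytes only. No identity field exists to be decoded.
    expiration, rand, _mac_hex = token.split("~", 2)
    return {"expiration": int(expiration), "random": rand}

def validate_token(secret: bytes, identity: str, token: str,
                   now: Optional[int] = None) -> bool:
    now = int(time.time()) if now is None else now
    try:
        expiration, rand, mac_hex = token.split("~", 2)
        exp = int(expiration)
    except ValueError:
        return False          # malformed token
    if exp <= now:
        return False          # expired
    payload = f"{expiration}~{rand}"
    # Constant-time comparison against a MAC recomputed with the
    # caller's current identity; a stateless token is accepted again
    # on replay for the same identity until it expires.
    return hmac.compare_digest(mac_hex, _mac(secret, payload, identity))
```

Because validation is stateless, the same token verifies repeatedly within its lifetime; that replay window is the trade-off the README clarification refers to.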

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

@samdark samdark force-pushed the issue-32-update-csrf-docs branch from ed32def to 59e8766 Compare June 30, 2026 11:37
@codecov

codecov Bot commented Jun 30, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (caab619) to head (eff25e5).

Additional details and impacted files
@@             Coverage Diff             @@
##              master       #91   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
- Complexity        72        74    +2     
===========================================
  Files             10        10           
  Lines            196       196           
===========================================
  Hits             196       196           

@samdark samdark requested a review from vjik June 30, 2026 11:43
@samdark samdark force-pushed the issue-32-update-csrf-docs branch 2 times, most recently from 6302059 to dd14ba4 Compare June 30, 2026 12:02
@samdark samdark force-pushed the issue-32-update-csrf-docs branch from dd14ba4 to 9cb384d Compare June 30, 2026 12:06
Development

Successfully merging this pull request may close these issues.

Whether the package needs to be updated according to OWASP?

3 participants