Add csrf_header() and csrf_meta() helper functions

2025-02-20 11:44:28 +08:00 · 2019-09-28 08:05:27 +02:00 · 2019-09-28 08:05:27 +02:00 · 5025c33834
commit 5025c33834
parent 198c2648c0
3 changed files with 62 additions and 0 deletions
--- a/system/Common.php
+++ b/system/Common.php
@ -723,6 +723,25 @@ if (! function_exists('csrf_token'))

 //--------------------------------------------------------------------

+if (! function_exists('csrf_header'))
+{
+	/**
+	 * Returns the CSRF header name.
+	 * Can be used in Views by adding it to the meta tag
+	 * or used in javascript to define a header name when using APIs.
+	 *
+	 * @return string
+	 */
+	function csrf_header(): string
+	{
+		$config = config(App::class);
+
+		return $config->CSRFHeaderName;
+	}
+}
+
+//--------------------------------------------------------------------
+
 if (! function_exists('csrf_hash'))
 {
 	/**
@ -759,6 +778,23 @@ if (! function_exists('csrf_field'))

 //--------------------------------------------------------------------

+if (! function_exists('csrf_meta'))
+{
+	/**
+	 * Generates a meta tag for use within javascript calls.
+	 *
+	 * @param string|null $id
+	 *
+	 * @return string
+	 */
+	function csrf_meta(string $id = null): string
+	{
+		return '<meta' . (! empty($id) ? ' id="' . esc($id, 'attr') . '"' : '') . ' name="' . csrf_header() . '" content="' . csrf_hash() . '" />';
+	}
+}
+
+//--------------------------------------------------------------------
+
 if (! function_exists('force_https'))
 {
 	/**
--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@ -251,6 +251,11 @@ class CommonFunctionsTest extends \CIUnitTestCase
 		$this->assertEquals('csrf_test_name', csrf_token());
 	}

+	public function testCSRFHeader()
+	{
+		$this->assertEquals('X-CSRF-TOKEN', csrf_header());
+	}
+
 	public function testHash()
 	{
 		$this->assertEquals(32, strlen(csrf_hash()));
@ -261,6 +266,11 @@ class CommonFunctionsTest extends \CIUnitTestCase
 		$this->assertContains('<input type="hidden" ', csrf_field());
 	}

+	public function testCSRFMeta()
+	{
+		$this->assertContains('<meta name="X-CSRF-TOKEN" ', csrf_meta());
+	}
+
 	// ------------------------------------------------------------------------

 	/**
--- a/user_guide_src/source/general/common_functions.rst
+++ b/user_guide_src/source/general/common_functions.rst
@ -176,6 +176,13 @@ Miscellaneous Functions

 	Returns the name of the current CSRF token.

+.. php:function:: csrf_header ()
+
+	:returns: The name of the header for current CSRF token.
+	:rtype: string
+
+	The name of the header for current CSRF token.
+
 .. php:function:: csrf_hash ()

 	:returns: The current value of the CSRF hash.
@ -192,6 +199,15 @@ Miscellaneous Functions

 		<input type="hidden" name="{csrf_token}" value="{csrf_hash}">

+.. php:function:: csrf_meta ()
+
+	:returns: A string with the HTML for meta tag with all required CSRF information.
+	:rtype: string
+
+	Returns a meta tag with the CSRF information already inserted:
+
+		<meta name="{csrf_header}" content="{csrf_hash}">
+
 .. php:function:: force_https ( $duration = 31536000 [, $request = null [, $response = null]] )

 	:param  int  $duration: The number of seconds browsers should convert links to this resource to HTTPS.