Improve the csrf_field helper

mzur · mzur · commit d3be958c4dc2 · 2017-01-12T14:47:24.000+01:00
The helper can now be called multiple times during a single request
and always output the valid CSRF token. Before, every call
generated a new token, making all previous tokens invalid.
diff --git a/src/helpers.php b/src/helpers.php
@@ -8,14 +8,20 @@
     /**
      * Generate a CSRF token form field.
      *
-     * @param string $token The CSRF token. If empty a new one will be generated.
+     * This function can be called multiple times and will reuse the same token during a
+     * single request.
+     *
+     * @param string $t The CSRF token to use. If empty a new one will be generated and reused for the duration of a request.
      *
      * @return string
      */
-    function csrf_field($token = null)
+    function csrf_field($t = null)
     {
+        // remember the token for multipme function calls
+        static $token = null;
         $token = $token ?: csrf();
-        return '<input type="hidden" name="'.Form::CSRF_FIELD.'" value="'.$token.'">';
+        // the token parameter overrides the generated token
+        return '<input type="hidden" name="'.Form::CSRF_FIELD.'" value="'.($t ?: $token).'">';
     }
 }
 
diff --git a/tests/HelperTest.php b/tests/HelperTest.php
@@ -4,11 +4,18 @@
 
 class HelperTest extends TestCase
 {
-    public function testFunction ()
+    public function testFunction()
     {
         $this->assertTrue(function_exists('csrf_field'));
         $this->assertTrue(function_exists('honeypot_field'));
         $this->assertTrue(function_exists('uniform_captcha'));
         $this->assertTrue(function_exists('captcha_field'));
     }
+
+    public function testCsrfField()
+    {
+        // the token should not be regenerated during a single request
+        $this->assertEquals(csrf_field(), csrf_field());
+        $this->assertContains('value="abc"', csrf_field('abc'));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -8,14 +8,20 @@`
`8`	`8`	`/**`
`9`	`9`	`* Generate a CSRF token form field.`
`10`	`10`	`*`
`11`		`- * @param string $token The CSRF token. If empty a new one will be generated.`
	`11`	`+ * This function can be called multiple times and will reuse the same token during a`
	`12`	`+ * single request.`
	`13`	`+ *`
	`14`	`+ * @param string $t The CSRF token to use. If empty a new one will be generated and reused for the duration of a request.`
`12`	`15`	`*`
`13`	`16`	`* @return string`
`14`	`17`	`*/`
`15`		`- function csrf_field($token = null)`
	`18`	`+ function csrf_field($t = null)`
`16`	`19`	`{`
	`20`	`+ // remember the token for multipme function calls`
	`21`	`+ static $token = null;`
`17`	`22`	`$token = $token ?: csrf();`
`18`		`- return '<input type="hidden" name="'.Form::CSRF_FIELD.'" value="'.$token.'">';`
	`23`	`+ // the token parameter overrides the generated token`
	`24`	`+ return '<input type="hidden" name="'.Form::CSRF_FIELD.'" value="'.($t ?: $token).'">';`
`19`	`25`	`}`
`20`	`26`	`}`
`21`	`27`
Original file line number	Diff line number	Diff line change
`@@ -4,11 +4,18 @@`
`4`	`4`
`5`	`5`	`class HelperTest extends TestCase`
`6`	`6`	`{`
`7`		`- public function testFunction ()`
	`7`	`+ public function testFunction()`
`8`	`8`	`{`
`9`	`9`	`$this->assertTrue(function_exists('csrf_field'));`
`10`	`10`	`$this->assertTrue(function_exists('honeypot_field'));`
`11`	`11`	`$this->assertTrue(function_exists('uniform_captcha'));`
`12`	`12`	`$this->assertTrue(function_exists('captcha_field'));`
`13`	`13`	`}`
	`14`	`+`
	`15`	`+ public function testCsrfField()`
	`16`	`+ {`
	`17`	`+ // the token should not be regenerated during a single request`
	`18`	`+ $this->assertEquals(csrf_field(), csrf_field());`
	`19`	`+ $this->assertContains('value="abc"', csrf_field('abc'));`
	`20`	`+ }`
`14`	`21`	`}`