Skip to content

Commit

Permalink
Merge pull request #1 from tbreuss/develop
Browse files Browse the repository at this point in the history 
CSRF protection
  • Loading branch information
@tbreuss
tbreuss authored Mar 7, 2020
2 parents fdc7bf1 + ba8701e commit d42317f
Show file tree
Hide file tree
Showing 3 changed files with 193 additions and 5 deletions.
3 changes: 3 additions & 0 deletions Inertia.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,9 @@ public function responseBeforeSendHandler($event)
$response = $event->sender;

if (!$request->headers->has('X-Inertia')) {
if ($request->enableCsrfValidation) {
$request->getCsrfToken(true);
}
return;
}

Expand Down
151 changes: 146 additions & 5 deletions README.md
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,13 @@
# Inertia.js Yii 2 Adapter

This is the Yii 2 server-side adapter for [Inertia](https://inertiajs.com).

With Inertia you are able to build single-page apps using classic server-side routing and controllers, without building an API.

To use Inertia you need both a server-side adapter as well as a client-side adapter.

Be sure to follow the installation instructions for the [client-side framework](https://inertiajs.com/client-side-setup) you use.

## Demo

<https://pingcrm-yii2.tebe.ch>
Expand All @@ -23,15 +29,28 @@ return [
'bootstrap' => ['inertia']
...
'components' => [
'inertia' => [
'class' => 'tebe\inertia\Inertia'
]
'inertia' => [
'class' => 'tebe\inertia\Inertia'
],
'request' => [
'cookieValidationKey' => '<cookie_validation_key>',
'enableCsrfValidation' => false,
'enableCsrfCookie' => false,
'parsers' => [
'application/json' => 'yii\web\JsonParser',
]
]
]
...
];
```

Extend controllers from tebe\inertia\web\Controller:
Note that CSRF protection is disabled.

## Controllers

Your backend controllers should extend from `tebe\inertia\web\Controller`.
Instead of the render method within your actions you should use the `inertia` method.

```php
<?php
Expand All @@ -53,6 +72,128 @@ class DemoController extends Controller
}
```

Implement client using one of the official adapters like Vue.js, React, or Svelte.
## Routing

Use your Yii server-side routes as usual.
There is nothing special.

## CSRF protection

Axios is the HTTP library that Inertia uses under the hood.
Yii's CSRF protection is not optimized for Axios.

The easiest way to implement CSRF protection is using the customized `tebe\inertia\web\Request` component.
Simply edit `config/web.php` file:

```php
<?php
return [
'components' => [
'request' => [
'class' => 'tebe\inertia\web\Request',
'cookieValidationKey' => '<cookie_validation_key>'
]
]
];
```

Please see the [security page](https://inertiajs.com/security) for more details.

### Shared data

The Yii 2 adapter provides a way to preassign shared data for each request.
This is typically done outside of your controllers.
Shared data will be automatically merged with the page props provided in your controller.

Massive assignment of shared data:

```php
<?php
$shared = [
'user' => [
'id' => $this->getUser()->id,
'first_name' => $this->getUser()->firstName,
'last_name' => $this->getUser()->lastName,
],
'flash' => $this->getFlashMessages(),
'errors' => $this->getFormErrors(),
'filters' => $this->getGridFilters()
];
Yii::$app->get('inertia')->share($shared);
```

Shared data for one key:

```php
<?php
$user = [
'id' => $this->getUser()->id,
'first_name' => $this->getUser()->firstName,
'last_name' => $this->getUser()->lastName
];
Yii::$app->get('inertia')->share('user', $user);
```

A good strategy when using shared data outside of your controllers is to implement an action filter.

```php
<?php

namespace app\components;

use yii\base\ActionFilter;

class SharedDataFilter extends ActionFilter
{
public function beforeAction()
{
$shared = [
'user' => $this->getUser(),
'flash' => $this->getFlashMessages(),
'errors' => $this->getFormErrors()
];
Yii::$app->get('inertia')->share($shared);
return true;
}
}
```

And then use this action filter as a behaviour in your controller.

```php
<?php

namespace app\controllers;

use app\components\SharedDataFilter;
use tebe\inertia\web\Controller;

class ContactController extends Controller
{
public function behaviors()
{
return [
[
'class' => SharedDataFilter::class
]
];
}

public function actionIndex()
{
// your action code
}
}
```

Please see the [shared data page](https://inertiajs.com/shared-data) for more details.

## Client-side setup

To use Inertia you need to setup your client-side framework.
This primarily includes updating your main JavaScript file to boot the Inertia app.
Please see the [client-side setup page](https://inertiajs.com/client-side-setup) for more details.

## More about Inertia

Visit [inertiajs.com](https://inertiajs.com/) to learn more.
44 changes: 44 additions & 0 deletions web/Request.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
<?php

namespace tebe\inertia\web;

use Yii;

class Request extends \yii\web\Request
{
const CSRF_HEADER = 'X-XSRF-TOKEN';

public $csrfParam = 'XSRF-TOKEN';

public $csrfCookie = ['httpOnly' => false];

public function init()
{
$this->parsers['application/json'] = 'yii\web\JsonParser';
}

/**
* @return string the CSRF token sent via [[CSRF_HEADER]] by browser. Null is returned if no such header is sent.
*/
public function getCsrfTokenFromHeader()
{
$token = $this->headers->get(static::CSRF_HEADER);

$data = Yii::$app->getSecurity()->validateData($token, $this->cookieValidationKey);
if ($data === false) {
return null;
}

if (defined('PHP_VERSION_ID') && PHP_VERSION_ID >= 70000) {
$data = @unserialize($data, ['allowed_classes' => false]);
} else {
$data = @unserialize($data);
}

if (is_array($data) && isset($data[0], $data[1]) && $data[0] === $this->csrfParam) {
return Yii::$app->security->maskToken($data[1]);
}

return null;
}
}

0 comments on commit d42317f

Please sign in to comment.