create-prisma-php-app 4.3.1 → 4.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/bootstrap.php +17 -2
- package/package.json +1 -1
package/dist/bootstrap.php
CHANGED
|
@@ -139,8 +139,22 @@ final class Bootstrap extends RuntimeException
|
|
|
139
139
|
|
|
140
140
|
private static function setCsrfCookie(): void
|
|
141
141
|
{
|
|
142
|
-
|
|
143
|
-
|
|
142
|
+
$secret = $_ENV['FUNCTION_CALL_SECRET'] ?? 'pp_default_insecure_secret';
|
|
143
|
+
$shouldRegenerate = true;
|
|
144
|
+
|
|
145
|
+
if (isset($_COOKIE['prisma_php_csrf'])) {
|
|
146
|
+
$parts = explode('.', $_COOKIE['prisma_php_csrf']);
|
|
147
|
+
if (count($parts) === 2) {
|
|
148
|
+
[$nonce, $signature] = $parts;
|
|
149
|
+
$expectedSignature = hash_hmac('sha256', $nonce, $secret);
|
|
150
|
+
|
|
151
|
+
if (hash_equals($expectedSignature, $signature)) {
|
|
152
|
+
$shouldRegenerate = false;
|
|
153
|
+
}
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
|
|
157
|
+
if ($shouldRegenerate) {
|
|
144
158
|
$nonce = bin2hex(random_bytes(16));
|
|
145
159
|
$signature = hash_hmac('sha256', $nonce, $secret);
|
|
146
160
|
$token = $nonce . '.' . $signature;
|
|
@@ -152,6 +166,7 @@ final class Bootstrap extends RuntimeException
|
|
|
152
166
|
'httponly' => false,
|
|
153
167
|
'samesite' => 'Lax',
|
|
154
168
|
]);
|
|
169
|
+
|
|
155
170
|
$_COOKIE['prisma_php_csrf'] = $token;
|
|
156
171
|
}
|
|
157
172
|
}
|