Skip to content

Document HMAC CSRF token selection#90

Merged
samdark merged 9 commits into
masterfrom
issue-84-hmac-default
Jun 8, 2026
Merged

Document HMAC CSRF token selection#90
samdark merged 9 commits into
masterfrom
issue-84-hmac-default

Conversation

@samdark

@samdark samdark commented Jun 7, 2026
edited
Loading

Copy link
Copy Markdown
Member
Q A
Bug fix? no
New feature? no
Issues Refs #84

What changed

  • Documented HMAC vs synchronizer performance and security tradeoffs.
  • Added a Mermaid yes/no decision graph for choosing the token validation method.
  • Added an opt-in config snippet for using HMAC with MaskedCsrfToken.
  • Documented recommended HMAC parameters: per-environment secret key and short lifetime.

The config-plugin default remains synchronizer token to avoid a behavioral BC break for applications that rely on
stateful token semantics.

Verification

  • vendor/bin/phpunit tests/ConfigTest.php --testdox
  • vendor/bin/phpunit --testdox
  • git diff --check

Earlier verification also exercised HMAC in a real PHP app with a real session cookie, rendered form token, and
CsrfTokenMiddleware: valid token returned 200 accepted, invalid token returned 422 Unprocessable entity.

Copilot AI review requested due to automatic review settings June 7, 2026 23:13
@coderabbitai

coderabbitai Bot commented Jun 7, 2026
edited
Loading

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 7c22e364-131c-474a-be22-1feecfbca8a1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch issue-84-hmac-default

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI reviewed Jun 7, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR switches the config-plugin’s default CSRF token implementation from the synchronizer pattern to a masked HMAC token, updates the default HMAC parameters (env-based secret + short lifetime), and expands documentation and tests to reflect the new defaults.

Changes:

  • Default CsrfTokenInterface binding now decorates HmacCsrfToken with MaskedCsrfToken.
  • HMAC defaults now read YII_CSRF_SECRET_KEY and use a 300-second lifetime.
  • README documentation and config tests updated to cover the new default behavior and env-based secret configuration.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
config/di-web.php Switches the default DI binding to use HmacCsrfToken under MaskedCsrfToken.
config/params.php Changes HMAC parameter defaults to read the secret from YII_CSRF_SECRET_KEY and sets a 300s lifetime.
README.md Documents HMAC vs synchronizer tradeoffs and how to switch back to synchronizer.
tests/ConfigTest.php Adds coverage to ensure the default decorated token is HMAC and that the secret can come from the environment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread config/params.php Outdated
Comment on lines +8 to +10
'secretKey' => (string) getenv('YII_CSRF_SECRET_KEY'),
'algorithm' => 'sha256',
'lifetime' => null,
'lifetime' => 300,
Comment thread tests/ConfigTest.php Outdated
Comment on lines +32 to +33
$this->assertInstanceOf(MaskedCsrfToken::class, $csrfToken);
$this->assertInstanceOf(HmacCsrfToken::class, $this->getDecoratedToken($csrfToken));
Comment thread README.md Outdated
Comment on lines +157 to +160
Use HMAC when protected forms are available only to authenticated users, token revocation on logout is not required,
and every environment has its own secret key. The default config reads the key from `YII_CSRF_SECRET_KEY`.
Set it to a high-entropy value and keep `yiisoft/csrf` `hmacToken` `lifetime` short, typically a few minutes.

@samdark samdark changed the title Switch default CSRF token to HMAC Document HMAC CSRF token selection Jun 8, 2026
samdark
samdark commented Jun 8, 2026
View reviewed changes
Comment thread README.md Outdated
Comment thread README.md Outdated
samdark added 2 commits June 8, 2026 11:09
@samdark
Apply suggestions from code review
ddc3942 
Co-authored-by: Alexander Makarov <sam@rmcreative.ru>
@samdark
Clarify CSRF token reuse wording
a5b227e
@samdark samdark merged commit 10fae9b into master Jun 8, 2026
3 checks passed
@samdark samdark deleted the issue-84-hmac-default branch June 8, 2026 08:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@samdark