diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index cf02450..781e9da 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -9,7 +9,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- php: [7.4, 8.0, 8.1]
+ php: [7.4, 8.0, 8.1, 8.2, 8.3]
 steps:
 - name: Checkout
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c577ad7..1d19067 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,22 +1,62 @@
 # Change Log
-## 2016-08-14
+See https://github.com/slimphp/Slim-Csrf/releases for a full list
-Now supports "persistence mode", to persist a single CSRF name/value pair throughout the life of a user's session. Added the following methods:
+## Next
-- `protected getLastKeyPair` - gets the most recently generated key/value pair from storage.
-- `protected loadLastKeyPair` - gets the most recently generated key/value pair from storage, and assign it to `$this->keyPair`.
-- `public setPersistentTokenMode`
-- `public getPersistentTokenMode`
+- Added: Support for PHP 8.2 and 8.3
-Note that if CSRF token validation fails, then the token should be renewed regardless of the persistence setting.
+## 1.4.0
-The methods `getTokenName` and `getTokenValue` now return `null` if `$this->keyPair` has not yet been set.
+- Added: Allow to set token name and value in header
-### Tests added:
+## 1.3.0
+
+- Added: Support for PSR-12
+- Added: Add XOR to token to avoid BREACH attack
+- Change: PHP 7.3 is no longer supported
+
+## 1.2.1
+
+- Added: Implement iterator support for getLastKeyPair
+
+## 1.2.0
+
+- Added: Support PHP 8
+- Changed: Remove support for PHP 7.1 and 7.2
+
+## 1.1.0
+
+- Changed: `remoteTokenFromStorage()` is now public
+- Changed: Don't allow token in the body of a GET request
+- Fixed: Prevent replay attack by removing token on valdiation
+
+## 1.0.0
+
+- Added: PSR-15 support
+
+## 0.8.3
+
+ - Fixed: Widen random_compat constraint in composer.json
+
+## 0.8.2
+
+- Fixed: Attach token name and value to request when persist mode is on
+
+## 0.8.1
+
+- Fixed: Default stroageis now $_SESSION again
+
+## 0.8.0
+
+- Added: Now supports "persistence mode", to persist a single CSRF name/value pair throughout the life of a user's session. Added the following methods:
+
+ - `protected getLastKeyPair` - gets the most recently generated key/value pair from storage.
+ - `protected loadLastKeyPair` - gets the most recently generated key/value pair from storage, and assign it to `$this->keyPair`.
+ - `public setPersistentTokenMode`
+ - `public getPersistentTokenMode`
+
+ Note that if CSRF token validation fails, then the token should be renewed regardless of the persistence setting.
+
+ The methods `getTokenName` and `getTokenValue` now return `null` if `$this->keyPair` has not yet been set.
-- `testPersistenceModeTrueBetweenRequestsArray` - Token should persist between requests after initial creation, when stored in an array.
-- `testPersistenceModeTrueBetweenRequestsArrayAccess` - Token should persist between requests after initial creation, when stored in an ArrayObject.
-- `testPersistenceModeFalseBetweenRequestsArray` - Token should be changed between requests, when stored in an array.
-- `testPersistenceModeFalseBetweenRequestsArrayAccess` - Token should be changed between requests, when stored in an ArrayObject.
-- `testUpdateAfterInvalidTokenWithPersistenceModeTrue` - New token should be generated after an invalid request, even if persistence mode is enabled.
\ No newline at end of file
diff --git a/composer.json b/composer.json
index 45f9f75..4e35bd4 100644
--- a/composer.json
+++ b/composer.json
@@ -18,7 +18,7 @@
 "require": {
 "php": "^7.4 || ^8.0",
 "psr/http-factory": "^1.0",
-"psr/http-message": "^1.0",
+"psr/http-message": "^1.0 || ^2.0",
 "psr/http-server-handler": "^1.0",
 "psr/http-server-middleware": "^1.0"
 },
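Review bot: The widened `"psr/http-message": "^1.0 || ^2.0"` constraint in the composer.json hunk is not exercised by the CI change in this commit, which only adds PHP 8.2 and 8.3 to the matrix in tests.yml; Composer resolves a single major per run, so whichever of `^1.0` or `^2.0` it does not pick stays untested. psr/http-message 2.0 added native return type declarations to its interfaces, so if any class in this package implements or extends them (not visible in this diff) it may type-check against one major but not the other. Consider adding a matrix dimension that runs `composer update --prefer-lowest` alongside the default resolution so both majors are covered before the constraint is published.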