Security
Security primitives, CSRF protection, safe boundaries of request processing and notes on authentication.
Overview
The framework's security module focuses mainly on CSRF protection and small cryptographic helpers (BaseCrypt). It is not a complete authentication/authorization system.
Registered services
SecurityServiceProvider registers CsrfTokenManager, CsrfMiddleware and CsrfViewHelper as singletons, plus the alias csrf (resolving to CsrfViewHelper).
$container->singleton(CsrfTokenManager::class, CsrfTokenManager::class);
$container->singleton(CsrfMiddleware::class, CsrfMiddleware::class);
$container->singleton(CsrfViewHelper::class, CsrfViewHelper::class);
$container->singleton('csrf', CsrfViewHelper::class);
CSRF protection
CsrfTokenManager stores tokens in the session (under the key _csrf_tokens), generates a token on first request for a name that has none, validates a submitted token against the stored one, and can regenerate or forget tokens by name.
$token = $tokens->token(); // default token name
$isValid = $tokens->validate($submittedToken);
if ($isValid) {
    $tokens->regenerate();
}
CSRF middleware
CsrfMiddleware validates requests using unsafe HTTP methods (POST, PUT, PATCH, DELETE). The token is read from the body field LEMONADE_CSRF or from the X-CSRF-Token header. On a missing or mismatching token it responds with status 419 and the message CSRF token mismatch (419 is not a standard HTTP status code; it is the conventional "token mismatch" code used by several PHP frameworks). Safe methods such as GET and HEAD are not checked, so route handlers must never change state on those methods.
$router
->postNamed('contact.submit', '/contact', ContactController::class . '@submit')
->middleware(CsrfMiddleware::class);
CSRF in views
The CSRF helper is available both through the global helper functions (csrf_field, csrf_token) and through the shared view variable csrf (an instance of CsrfViewHelper).
<form method="post" action="/contact/send">
<?= $helpers->csrfField() ?>
<input type="text" name="name">
</form>
<!-- equivalent with shared helper -->
<?= $csrf->field() ?>
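The three pieces described above (token store, middleware check, hidden form field) fit together as follows. This is an added, self-contained illustration of the technique, not the framework's CsrfTokenManager, CsrfMiddleware or CsrfViewHelper: the class and function names are hypothetical, the session is a plain array so the script runs from the CLI, and the middleware returns a [status, body] pair instead of a response object. The security-relevant details it shows are the CSPRNG-generated token, the constant-time comparison with hash_equals(), rotation after use, and HTML-escaping the token when it is rendered.

```php
<?php
declare(strict_types=1);

// Illustrative CSRF token store (hypothetical name, not the framework's class).
final class DemoCsrfTokens
{
    private const SESSION_KEY = '_csrf_tokens'; // session key named on the page

    /** @var array<string,mixed> reference to the session storage */
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    /** Returns the token for $name, generating a fresh one if none exists. */
    public function token(string $name = 'default'): string
    {
        if (!isset($this->session[self::SESSION_KEY][$name])) {
            // 32 bytes from the CSPRNG, hex-encoded: 64 unguessable characters.
            $this->session[self::SESSION_KEY][$name] = bin2hex(random_bytes(32));
        }
        return $this->session[self::SESSION_KEY][$name];
    }

    /** Constant-time comparison; never compare secrets with == or ===. */
    public function validate(?string $submitted, string $name = 'default'): bool
    {
        if ($submitted === null || !isset($this->session[self::SESSION_KEY][$name])) {
            return false; // nothing issued yet, so nothing can match
        }
        return hash_equals($this->session[self::SESSION_KEY][$name], $submitted);
    }

    /** Forgets the current token so the next token() call issues a new one. */
    public function regenerate(string $name = 'default'): string
    {
        unset($this->session[self::SESSION_KEY][$name]);
        return $this->token($name);
    }
}

/** Hidden field for a form; the token is escaped even though it is hex. */
function demoCsrfField(DemoCsrfTokens $tokens): string
{
    $value = htmlspecialchars($tokens->token(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="LEMONADE_CSRF" value="' . $value . '">';
}

/**
 * Stand-in for the middleware: unsafe methods must carry a valid token in the
 * body field LEMONADE_CSRF or the X-CSRF-Token header; anything else is 419.
 */
function demoCsrfCheck(DemoCsrfTokens $tokens, string $method, array $body, array $headers): array
{
    $unsafe = ['POST', 'PUT', 'PATCH', 'DELETE'];
    if (!in_array(strtoupper($method), $unsafe, true)) {
        return [200, 'passed through (safe method, not checked)'];
    }
    $submitted = $body['LEMONADE_CSRF'] ?? $headers['X-CSRF-Token'] ?? null;
    if (!$tokens->validate(is_string($submitted) ? $submitted : null)) {
        return [419, 'CSRF token mismatch'];
    }
    return [200, 'handled'];
}

// --- demo run against a constructed in-memory "session" --------------------
$session = [];
$tokens  = new DemoCsrfTokens($session);
$issued  = $tokens->token();          // value the form would embed

echo demoCsrfField($tokens), PHP_EOL;

$cases = [
    // legitimate form post carrying the issued token
    ['POST',   ['LEMONADE_CSRF' => $issued], []],
    // cross-site post: attacker cannot read the victim's token, so none is sent
    ['POST',   ['name' => 'mallory'],        []],
    // same token sent by a JavaScript client in the header instead of the body
    ['DELETE', [],                           ['X-CSRF-Token' => $issued]],
    // GET is never checked by the middleware
    ['GET',    [],                           []],
];
foreach ($cases as [$method, $body, $headers]) {
    [$status, $msg] = demoCsrfCheck($tokens, $method, $body, $headers);
    printf("%-6s -> %d %s\n", $method, $status, $msg);
}

// After rotation the previously issued token is rejected.
$tokens->regenerate();
[$status, $msg] = demoCsrfCheck($tokens, 'POST', ['LEMONADE_CSRF' => $issued], []);
printf("%-6s -> %d %s (token issued before regenerate())\n", 'POST', $status, $msg);
```

Regenerating after every successful validation (as the page's snippet does) limits the window in which a leaked token is useful, at the cost of breaking a second form that was already open in another tab; per-name tokens are the usual way to keep independent forms from invalidating each other.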
Usage through dependency injection
Security services can be obtained directly through constructor injection in application services and controllers.
final class FormCsrfService
{
    public function __construct(
        private readonly CsrfTokenManager $tokens,
    ) {
    }

    public function tokenFor(string $name): string
    {
        return $this->tokens->token($name);
    }
}
Session relation
CSRF token storage depends on SessionInterface. The session module must be configured correctly for the token issued while rendering a form to still be present when the form is submitted in the next request; without a working session every unsafe request fails validation.
HTTP security middleware notes
CORS (CorsMiddleware) and the framework identification header (PoweredByMiddleware) belong to the HTTP module (HttpServiceProvider), not to SecurityServiceProvider.
Boundaries
Authentication, roles/permissions, JWT, OAuth, login flows and ACLs are application-level concerns unless implemented separately in application code.