MilkCore

Token
in package

Generates a token that can be used to authenticate a user and protect forms from CSRF attacks.

In addition to the token, it also creates the token name.

Cross-Site Request Forgery (CSRF) attacks occur when a malicious actor induces an authenticated user to perform unwanted actions on a web application where they're authenticated, without their knowledge. The attacker exploits the user's active authentication to send unauthorized requests to a server.

Includes JWT support for microservices/API authentication. Can generate and validate JWT tokens with RS256 signature verification without database storage.

Tags
link
https://github.com/giuliopanda/milk-core

Table of Contents

Properties

$last_error  : string
Last error that occurred during operations

Methods

check()  : bool
Verifies if the CSRF token is correct by finding the variable name in the request and checking its value.
check_value()  : bool
Verifies if the CSRF token value is correct.
config()  : void
Configure keys for CSRF token generation
config_jwt()  : void
Configure JWT settings
generate_jwt()  : string|false
Generates a JWT token for a user
generate_key_pair()  : array<string|int, mixed>|false
Generates a public/private key pair for JWT
get()  : string
Generates a CSRF token for authenticating browser calls.
get_token_key()  : string
Returns a token key based on the form name
get_token_name()  : string
Returns the name of the variable in which the token is stored.
input()  : string
Generate a hidden input element for the CSRF token
verify_jwt()  : array<string|int, mixed>|false
Verifies a JWT token

Properties

$last_error

Last error that occurred during operations

public static string $last_error = ''

Methods

check()

Verifies if the CSRF token is correct by finding the variable name in the request and checking its value.

public static check(string $name) : bool
Parameters
$name : string

Form name

Return values
bool

True if the token is valid, false otherwise

check_value()

Verifies if the CSRF token value is correct.

public static check_value(string $token, string $name) : bool

Useful for AJAX requests where the token is passed directly.

Parameters
$token : string

Token value to verify

$name : string

Form name

Return values
bool

True if the token is valid, false otherwise

config()

Configure keys for CSRF token generation

public static config(string $secret_key, string $token_key) : void
Parameters
$secret_key : string

Secret key for encryption

$token_key : string

Key for token generation

config_jwt()

Configure JWT settings

public static config_jwt([string|null $private_key = null ][, string|null $public_key = null ][, int|null $expiration = null ]) : void

Sets the keys and expiration for JWT functionality

Parameters
$private_key : string|null = null

Private key content (null to use Config)

$public_key : string|null = null

Public key content (null to use Config)

$expiration : int|null = null

Token duration in seconds (null to use Config)

generate_jwt()

Generates a JWT token for a user

public static generate_jwt(int $user_id[, array<string|int, mixed> $additional_data = [] ]) : string|false
Parameters
$user_id : int

User ID

$additional_data : array<string|int, mixed> = []

Additional data to include in the token

Return values
string|false

JWT token or false on error

generate_key_pair()

Generates a public/private key pair for JWT

public static generate_key_pair() : array<string|int, mixed>|false
Return values
array<string|int, mixed>|false

Array with the keys or false on error

get()

Generates a CSRF token for authenticating browser calls.

public static get(string $name) : string

The token is formed by encrypting a JSON array containing [timestamp, formname].

Parameters
$name : string

Form name used to generate the token

Return values
string

Encrypted token

get_token_key()

Returns a token key based on the form name

public static get_token_key(string $name) : string
Parameters
$name : string

Form name

Return values
string

Token key

get_token_name()

Returns the name of the variable in which the token is stored.

public static get_token_name(string $name) : string

Generates a unique name based on the user agent and form name.

Parameters
$name : string

Form name

Return values
string

Generated token variable name

input()

Generate a hidden input element for the CSRF token

public static input(string $name) : string
Parameters
$name : string

Form name

Return values
string

HTML input element

verify_jwt()

Verifies a JWT token

public static verify_jwt(string $token) : array<string|int, mixed>|false
Parameters
$token : string

JWT token to verify

Return values
array<string|int, mixed>|false

Decoded payload or false if the token is invalid


        
On this page

Search results