Token
in package
Generates a token that can be used to authenticate a user and protect forms from CSRF attacks.
In addition to the token, it also creates the token name.
Cross-Site Request Forgery (CSRF) attacks occur when a malicious actor induces an authenticated user to perform unwanted actions on a web application where they're authenticated, without their knowledge. The attacker exploits the user's active authentication to send unauthorized requests to a server.
Includes JWT support for microservices/API authentication. Can generate and validate JWT tokens with RS256 signature verification without database storage.
Tags
Table of Contents
Properties
- $last_error : string
- Last error that occurred during operations
Methods
- check() : bool
- Verifies if the CSRF token is correct by finding the variable name in the request and checking its value.
- check_value() : bool
- Verifies if the CSRF token value is correct.
- config() : void
- Configure keys for CSRF token generation
- config_jwt() : void
- Configure JWT settings
- generate_jwt() : string|false
- Generates a JWT token for a user
- generate_key_pair() : array<string|int, mixed>|false
- Generates a public/private key pair for JWT
- get() : string
- Generates a CSRF token for authenticating browser calls.
- get_token_key() : string
- Returns a token key based on the form name
- get_token_name() : string
- Returns the name of the variable in which the token is stored.
- input() : string
- Generate a hidden input element for the CSRF token
- verify_jwt() : array<string|int, mixed>|false
- Verifies a JWT token
Properties
$last_error
Last error that occurred during operations
public
static string
$last_error
= ''
Methods
check()
Verifies if the CSRF token is correct by finding the variable name in the request and checking its value.
public
static check(string $name) : bool
Parameters
- $name : string
-
Form name
Return values
bool —True if the token is valid, false otherwise
check_value()
Verifies if the CSRF token value is correct.
public
static check_value(string $token, string $name) : bool
Useful for AJAX requests where the token is passed directly.
Parameters
- $token : string
-
Token value to verify
- $name : string
-
Form name
Return values
bool —True if the token is valid, false otherwise
config()
Configure keys for CSRF token generation
public
static config(string $secret_key, string $token_key) : void
Parameters
- $secret_key : string
-
Secret key for encryption
- $token_key : string
-
Key for token generation
config_jwt()
Configure JWT settings
public
static config_jwt([string|null $private_key = null ][, string|null $public_key = null ][, int|null $expiration = null ]) : void
Sets the keys and expiration for JWT functionality
Parameters
- $private_key : string|null = null
-
Private key content (null to use Config)
- $public_key : string|null = null
-
Public key content (null to use Config)
- $expiration : int|null = null
-
Token duration in seconds (null to use Config)
generate_jwt()
Generates a JWT token for a user
public
static generate_jwt(int $user_id[, array<string|int, mixed> $additional_data = [] ]) : string|false
Parameters
- $user_id : int
-
User ID
- $additional_data : array<string|int, mixed> = []
-
Additional data to include in the token
Return values
string|false —JWT token or false on error
generate_key_pair()
Generates a public/private key pair for JWT
public
static generate_key_pair() : array<string|int, mixed>|false
Return values
array<string|int, mixed>|false —Array with the keys or false on error
get()
Generates a CSRF token for authenticating browser calls.
public
static get(string $name) : string
The token is formed by encrypting a JSON array containing [timestamp, formname].
Parameters
- $name : string
-
Form name used to generate the token
Return values
string —Encrypted token
get_token_key()
Returns a token key based on the form name
public
static get_token_key(string $name) : string
Parameters
- $name : string
-
Form name
Return values
string —Token key
get_token_name()
Returns the name of the variable in which the token is stored.
public
static get_token_name(string $name) : string
Generates a unique name based on the user agent and form name.
Parameters
- $name : string
-
Form name
Return values
string —Generated token variable name
input()
Generate a hidden input element for the CSRF token
public
static input(string $name) : string
Parameters
- $name : string
-
Form name
Return values
string —HTML input element
verify_jwt()
Verifies a JWT token
public
static verify_jwt(string $token) : array<string|int, mixed>|false
Parameters
- $token : string
-
JWT token to verify
Return values
array<string|int, mixed>|false —Decoded payload or false if the token is invalid