Releases: mvc5/mvc5-application
Route Authentication, Login Redirect
Routes that should only be available to logged-in users can be protected by setting the authenticate route attribute to true. Child routes are automatically protected and can override the parent value.
'dashboard' => [
    'path' => '/dashboard',
    'authenticate' => true,
    'children' => [
        'add' => [
            'path' => '/add'
        ]
    ]
]
If the user is not logged in, and it is a GET request and not a JSON request, the current URL is stored in the session and the user is redirected to the login page. Once the user has logged in, they are redirected back to the URL that is stored in the session. The default login URL is /login, and it can be changed by adding the URL to the route\match\authenticate service configuration.
'route\match\authenticate' => [Mvc5\Route\Match\Authenticate::class, '/login']
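The following is an added example, not Mvc5's own code: it resolves a nested route's effective authenticate attribute (child inherits, child may override) and applies the redirect rule described above, storing the requested URL in the session for a GET, non-JSON request and sending the user back there after login. The route shape mirrors the configuration in the release note; the request array shape, the way a JSON request is detected and the redirect_after_login session key are assumptions made for this example.

```php
<?php
// Added example, not Mvc5's own code: resolve a nested route's effective
// 'authenticate' attribute and apply the login-redirect rule from the release
// note. The request array shape, the JSON detection and the
// 'redirect_after_login' session key are assumptions made for this example.

declare(strict_types=1);

// Constructed routes: 'dashboard' requires login, its child 'add' inherits that,
// and 'public' overrides the inherited value with false.
$routes = [
    'dashboard' => [
        'path'         => '/dashboard',
        'authenticate' => true,
        'children'     => [
            'add'    => ['path' => '/add'],
            'public' => ['path' => '/public', 'authenticate' => false],
        ],
    ],
];

/**
 * Walk a route chain such as ['dashboard', 'add'] and return the effective
 * 'authenticate' value: the deepest route that sets the attribute wins,
 * otherwise the parent's value is inherited (default false).
 */
function effectiveAuthenticate(array $routes, array $chain): bool
{
    $value   = false;
    $current = $routes;
    foreach ($chain as $name) {
        if (!isset($current[$name])) {
            throw new InvalidArgumentException("Unknown route: $name");
        }
        $route = $current[$name];
        if (array_key_exists('authenticate', $route)) {
            $value = (bool) $route['authenticate'];
        }
        $current = $route['children'] ?? [];
    }
    return $value;
}

/**
 * Decide what to do with a request. Returns 'allow' (route not protected, or
 * user logged in), 'redirect' (GET, non-JSON: URL saved in the session, send
 * the user to the login page) or 'deny' (anything else: error status, no redirect).
 */
function authenticateRequest(array $routes, array $chain, array $request, array &$session): string
{
    if (!effectiveAuthenticate($routes, $chain) || !empty($session['user'])) {
        return 'allow';
    }
    $headers = array_change_key_case($request['headers'] ?? [], CASE_LOWER);
    $isJson  = stripos($headers['accept'] ?? '', 'application/json') !== false
        || stripos($headers['content-type'] ?? '', 'application/json') !== false;
    if (strtoupper($request['method']) === 'GET' && !$isJson) {
        $session['redirect_after_login'] = $request['url'];
        return 'redirect';
    }
    return 'deny';
}

/**
 * After login, take the stored URL out of the session. Only a path-relative
 * URL is honoured, so a crafted session value cannot send the user off-site.
 */
function postLoginRedirect(array &$session, string $default = '/'): string
{
    $url = $session['redirect_after_login'] ?? $default;
    unset($session['redirect_after_login']);
    $isLocal = is_string($url) && $url !== '' && $url[0] === '/' && substr($url, 0, 2) !== '//';
    return $isLocal ? $url : $default;
}

// Walk through the flow with a constructed session and request.
$session  = [];
$loginUrl = '/login';
$request  = ['method' => 'GET', 'url' => '/dashboard/add?draft=1', 'headers' => []];

$decision = authenticateRequest($routes, ['dashboard', 'add'], $request, $session);
if ($decision === 'redirect') {
    // A real dispatcher would send header('Location: ' . $loginUrl); here we just report it.
    echo "Not logged in: redirecting to $loginUrl, remembered {$session['redirect_after_login']}\n";
}
echo 'Child override on /dashboard/public: ', authenticateRequest($routes, ['dashboard', 'public'], $request, $session), "\n";

$session['user'] = 'alice';
echo 'After login, redirect to: ', postLoginRedirect($session), "\n";
```

The same-origin check in postLoginRedirect is the one piece not spelled out in the release note: because the stored URL comes from the session, restricting the post-login redirect to a path beginning with a single slash keeps the feature from becoming an open redirect if anything else can write to that session key.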
CSRF Token, SameSite Cookie
CSRF Token
A CSRF token is now used to protect routes against CSRF attacks. A new token is generated every time a new PHP session is created for the user. The token is then added to a POST form using a hidden HTML input element. The csrf_token helper function can be used to retrieve the current token.
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($this->csrf_token()); ?>">

The HTTP methods GET, HEAD, OPTIONS and TRACE are considered "safe" and do not require a CSRF token. Safe HTTP methods should not be used to change the state of the application. Any other HTTP method is considered "unsafe" and requires a CSRF token to be sent with the request, either as a POST parameter, or using the X-CSRF-Token HTTP header. A 403 Forbidden HTTP Error is returned when the token is not valid.
new Request([
    'method' => 'POST',
    'data' => ['csrf_token' => '882023fdc5f837855a...'],
    'headers' => ['X-CSRF-Token' => '882023fdc5f837855a...'],
]);

Routes can be configured not to verify the CSRF token by setting the csrf_token route attribute to false. Child routes inherit the csrf_token value of a parent route.
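As an added example (not the framework's own verifier), the CSRF policy described above expressed as a single request check: one token per session, the safe-method list, the POST parameter and X-CSRF-Token header as token sources, the per-route csrf_token opt-out with inheritance by child routes, and a 403 result for an unsafe request whose token is missing or wrong. The function names, the $session array shape, the order in which the two token sources are consulted and the sample routes and values are constructed for this example.

```php
<?php
// Added example, not the framework's own verifier: the CSRF policy in this
// release note as one request check. Safe methods, the POST parameter and
// X-CSRF-Token header sources, the per-route 'csrf_token' opt-out with
// inheritance, and the 403 result follow the text; function names, the
// $session array and the sample values are constructed for this example.

declare(strict_types=1);

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

/** One token per PHP session: created on first use, then reused. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Effective 'csrf_token' route attribute; children inherit the parent's value, default true. */
function routeRequiresCsrf(array $routes, array $chain): bool
{
    $required = true;
    $current  = $routes;
    foreach ($chain as $name) {
        if (!isset($current[$name])) {
            throw new InvalidArgumentException("Unknown route: $name");
        }
        $route = $current[$name];
        if (array_key_exists('csrf_token', $route)) {
            $required = (bool) $route['csrf_token'];
        }
        $current = $route['children'] ?? [];
    }
    return $required;
}

/**
 * Returns the HTTP status the dispatcher should continue with: 200 to proceed,
 * 403 when an unsafe request carries no token or a token that does not match.
 */
function verifyCsrf(array $routes, array $chain, array $request, array &$session): int
{
    if (in_array(strtoupper($request['method']), SAFE_METHODS, true)
        || !routeRequiresCsrf($routes, $chain)) {
        return 200;
    }
    // Header names are case-insensitive; the POST parameter is consulted first, then the header.
    $headers = array_change_key_case($request['headers'] ?? [], CASE_LOWER);
    $sent    = $request['data']['csrf_token'] ?? $headers['x-csrf-token'] ?? null;
    if (!is_string($sent) || $sent === '') {
        return 403;
    }
    // hash_equals() compares in constant time, so a mismatch reveals nothing about where the token differs.
    return hash_equals(csrfToken($session), $sent) ? 200 : 403;
}

// Constructed routes and session. The 'api' route opts out and its child inherits that.
$routes = [
    'profile' => ['path' => '/profile'],
    'api'     => [
        'path'       => '/api',
        'csrf_token' => false,
        'children'   => ['users' => ['path' => '/users']],
    ],
];
$session = [];
$token   = csrfToken($session);

$cases = [
    ['POST with token as form field',      ['profile'],      ['method' => 'POST', 'data' => ['csrf_token' => $token]]],
    ['POST with token in X-CSRF-Token',    ['profile'],      ['method' => 'POST', 'headers' => ['X-CSRF-Token' => $token]]],
    ['POST with a token from elsewhere',   ['profile'],      ['method' => 'POST', 'data' => ['csrf_token' => bin2hex(random_bytes(32))]]],
    ['POST without any token',             ['profile'],      ['method' => 'POST']],
    ['GET, safe method',                   ['profile'],      ['method' => 'GET']],
    ['DELETE on child of opted-out route', ['api', 'users'], ['method' => 'DELETE']],
];
foreach ($cases as [$label, $chain, $request]) {
    printf("%-38s -> %d\n", $label, verifyCsrf($routes, $chain, $request, $session));
}
```

The opt-out is the setting to watch in review: because a child inherits a parent's csrf_token value, disabling verification on a prefix route such as /api disables it for every route beneath it, so those endpoints need another mechanism (for example a bearer token that browsers will not attach automatically) before they accept state-changing requests.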
'api' => [
    'path' => '/api',
    'controller' => Api\Controller::class,
    'csrf_token' => false,
],

SameSite Cookies
The Cookies interface has been updated to match the new setcookie(string $name, string $value = '', array $options = []) method signature available in PHP 7.3, and to support the new SameSite cookie attribute. PHP 7.2 and below can still be used, but without the SameSite cookie attribute. A cookie can now be set in the following ways, and each cookie is stored as an associative array.
$cookies->with('foo', '', ['expires' => 0, ...]);
$cookies->with(['foo', '', 0, ...]);
$cookies->with(['name' => 'foo', 'value' => '', 'expires' => 0, 'raw' => true, ...]);
The PHPCookies::send(array $cookie, array $defaults = []) static method can now set raw cookies by setting the cookie raw attribute to true. To remove a PHP cookie, use PHPCookies::delete($name, array $options = []) or $cookies->without($name, array $options = []). Cookie defaults are now only applied when sending a cookie. The default value for SameSite cookies is lax.
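To make the cookie changes concrete, here is an added example rather than the framework's PHPCookies class: it normalises the three call shapes shown above into one associative array, applies defaults only when the cookie is sent, honours the raw attribute by switching to setrawcookie(), and falls back to the positional setcookie() signature on PHP 7.2 and below, where SameSite cannot be expressed. The function names, the positional order [name, value, expires, path, domain, secure, httponly, samesite] and the HttpOnly default are assumptions; the SameSite=Lax default follows the release note.

```php
<?php
// Added example, not the framework's PHPCookies class: normalise the three
// call shapes from the release note into one associative array, apply defaults
// only when the cookie is sent, and fall back to the pre-7.3 setcookie()
// signature, which has no SameSite parameter. The function names, the
// positional key order and the HttpOnly default are assumptions; SameSite=Lax
// as the default follows the text.

declare(strict_types=1);

const COOKIE_KEYS    = ['name', 'value', 'expires', 'path', 'domain', 'secure', 'httponly', 'samesite'];
const COOKIE_OPTIONS = ['expires', 'path', 'domain', 'secure', 'httponly', 'samesite'];

/** Accept ('foo', '', [...]), ['foo', '', 0, ...] or ['name' => 'foo', 'value' => '', ...]. */
function normalizeCookie($nameOrCookie, string $value = '', array $options = []): array
{
    if (is_string($nameOrCookie)) {
        return ['name' => $nameOrCookie, 'value' => $value] + $options;
    }
    if (!is_array($nameOrCookie) || $nameOrCookie === []) {
        throw new InvalidArgumentException('Cookie must be a name string or a non-empty array');
    }
    // Positional form: keys 0..n-1 map onto COOKIE_KEYS in order.
    if (array_keys($nameOrCookie) === range(0, count($nameOrCookie) - 1)) {
        if (count($nameOrCookie) > count(COOKIE_KEYS)) {
            throw new InvalidArgumentException('Too many positional cookie values');
        }
        return array_combine(array_slice(COOKIE_KEYS, 0, count($nameOrCookie)), $nameOrCookie);
    }
    if (!isset($nameOrCookie['name'])) {
        throw new InvalidArgumentException('Associative cookie form requires a name');
    }
    return $nameOrCookie;
}

/**
 * Merge defaults at send time only, then queue the Set-Cookie header with
 * setcookie() or, when 'raw' is true, setrawcookie(). Returns the option
 * array that was actually passed so callers can inspect it.
 */
function sendCookie(array $cookie, array $defaults = []): array
{
    $defaults += ['samesite' => 'Lax', 'httponly' => true];
    $cookie   += $defaults;
    $name  = (string) $cookie['name'];
    $value = (string) ($cookie['value'] ?? '');
    $raw   = !empty($cookie['raw']);
    // setcookie() warns on unknown option keys, so keep only the ones it accepts.
    $options = array_intersect_key($cookie, array_flip(COOKIE_OPTIONS));

    if (PHP_VERSION_ID >= 70300) {
        $raw ? setrawcookie($name, $value, $options) : setcookie($name, $value, $options);
        return $options;
    }
    // PHP 7.2 and below: positional signature, SameSite cannot be expressed.
    unset($options['samesite']);
    $args = [$name, $value, $options['expires'] ?? 0, $options['path'] ?? '', $options['domain'] ?? '',
             $options['secure'] ?? false, $options['httponly'] ?? false];
    $raw ? setrawcookie(...$args) : setcookie(...$args);
    return $options;
}

/** Delete a cookie by resending it with an empty value and an expiry in the past. */
function deleteCookie(string $name, array $options = []): array
{
    return sendCookie(['name' => $name, 'value' => ''] + $options + ['expires' => 1]);
}

// Exercise the three call shapes with constructed cookies. Run from the CLI,
// the headers are queued but nothing is written to the terminal, so the
// returned option arrays are printed instead.
$sent = [
    sendCookie(normalizeCookie('foo', 'bar', ['expires' => time() + 3600, 'path' => '/'])),
    sendCookie(normalizeCookie(['foo', 'bar', time() + 3600, '/', '', true, true, 'Strict'])),
    sendCookie(normalizeCookie(['name' => 'raw', 'value' => 'a%20b', 'raw' => true]), ['samesite' => 'Strict']),
    deleteCookie('foo', ['path' => '/']),
];
foreach ($sent as $i => $options) {
    echo "cookie $i options: ", json_encode($options), "\n";
}
```

Two details matter for deletion: the path (and domain, if one was set) must match the original cookie or the browser keeps the old one, and on PHP 7.2 the returned options show that the SameSite value was dropped, which is the behaviour the note describes for older PHP versions.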
PHP Sessions
To use SameSite session cookies in PHP 7.3, set the cookie_samesite attribute to lax or strict in the session configuration file.
Docker Compose PHP Release Version
The Docker Compose file now uses a configuration variable for the PHP release version, and the Composer directory.
Optional Xdebug Configuration
Make Xdebug optional (for PHP 7.3)
Extra Hosts & Docker Image Name
Add extra hosts and image to docker compose file.
Shared Composer Directory
The Composer directory ~/.composer is now shared with the container so that packages can be cached and reused.
Locale, Time Zone & PHP info
A /phpinfo page has been added. The LOCALE for the project container can now be set in the docker compose file, and the TZ build var has been renamed to TIME_ZONE.
favicon
Docker Project
A new Docker project has been created for testing the Mvc5 Framework with different versions of PHP. It uses Traefik and Let's Encrypt SSL certificates. There are also some bin scripts to run Composer, PHPUnit, and npm inside the container.
Bootstrap 4.1.3
Bootstrap 4.1.3 (also fixes a non-HTTPS link).