PHP Class lithium\security\validation\FormSignature

Using the Security helper, FormSignature calculates a hash of all fields in a form, so that when the form is submitted, the fields may be validated to ensure that none were added or removed, and that fields designated as _locked_ have not had their values altered. To enable form signing in a view, simply call $this->security->sign() before generating your form. In the controller, you may then validate the request by passing $this->request to the check() method.

See also: lithium\template\helper\Security::sign()

Datei anzeigen Open project: unionofrad/lithium Class Usage Examples

Protected Properties

Property	Type	Description
$_classes	array	Class dependencies.
$_secret	string	wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY

Public Methods

Method	Description
check ( array \| object $data ) : boolean	Validates form data using an embedded form signature string. The form signature string must be embedded in security.signature alongside the other data to check against.
config ( array $config = [] ) : array \| void	Configures the class or retrieves current class configuration.
key ( array $data ) : string	Generates form signature string from form data.

Protected Methods

Method	Description
_compile ( array $fields, array $locked, array $excluded ) : string	Compiles form signature string. Will normalize input data and urlencode() it.
_parse ( string $string ) : array	Parses form signature string.
_signature ( string $data ) : string	Calculates signature over given data.

Method Details

_compile() protected static method

The signature is calculated over locked and exclude fields as well as a hash of $fields. The $fields data will not become part of the final form signature string. The $fields hash is not signed itself as the hash will become part of the form signature string which is already signed.

protected static _compile ( array $fields, array $locked, array $excluded ) : string
$fields	array
$locked	array
$excluded	array
return	string	The compiled form signature string that should be submitted with the form data in the form of: `::::`.

_parse() protected static method

Note: The parsed signature is not returned as it's not needed. The signature is verified by re-compiling the form signature string with the retrieved signature.

protected static _parse ( string $string ) : array
$string	string
return	array

_signature() protected static method

Will first derive a signing key from the secret key and current date, then calculate the HMAC over given data. This process is modelled after Amazon's _Message Signature Version 4_ but uses less key derivations as we don't have more information at our hands. During key derivation the strings li3,1 and li3,1_form are inserted. 1 denotes the version of our signature algorithm and should be raised when the algorithm is changed. Derivation is needed to not reveal the secret key. Note: As the current date (year, month, day) is used to increase key security by limiting its lifetime, a possible sideeffect is that a signature doen't verify if it is generated on day N and verified on day N+1.

See link: http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html

protected static _signature ( string $data ) : string
$data	string	The data to calculate the signature for.
return	string	The signature.

check() public static method

Note: Will ignore any other data inside security.*.

public static check ( array \| object $data ) : boolean
$data	array \| object	The form data as an array or an object with the data inside the `data` property.
return	boolean	`true` if the form data is valid, `false` if not.

config() public static method

Configures the class or retrieves current class configuration.

public static config ( array $config = [] ) : array \| void
$config	array	Available configuration options are: - `'classes'` _array_: May be used to inject dependencies. - `'secret'` _string_: Must be provided.
return	array \| void	If `$config` is empty, returns an array with the current configurations.

key() public static method

Generates form signature string from form data.

public static key ( array $data ) : string
$data	array	An array of fields, locked fields and excluded fields.
return	string	The form signature string.

Property Details

$_classes protected_oe static_oe property

Class dependencies.

protected static array $_classes
return	array

$_secret protected_oe static_oe property

wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY

protected static string $_secret
return	string