Define all Cookie arguments explicitly (#58)

* Define all Cookie arguments explicitly This adds support for Symfony 4.2, which deprecates not defining all the arguments as some of their default values are scheduled to change in Symfony 5.0. * Set Cookie $sameSite as `lax` instead of null This is the default value as of Symfony 4.2, and makes cookies safer as they won't be sent along with cross-site requests. Also, added missing prediction when registering the cookie in the ResponseHeaderBag. * Define PHP version in cinst instruction This ensures appveyor uses PHP 7.2 and not a default version(currently 7.3) * Fixed tests after new method call in Symfony 4.2.6 and 3.4.25
dunglas · May 6, 2019 · a329aa2 · a329aa2
1 parent 4d50e23
commit a329aa2
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 3 deletions.
diff --git a/EventListener/AngularCsrfCookieListener.php b/EventListener/AngularCsrfCookieListener.php
@@ -102,7 +102,9 @@ public function onKernelResponse(FilterResponseEvent $event)
             $this->cookiePath,
             $this->cookieDomain,
             $this->cookieSecure,
-            false
+            false /* httpOnly */,
+            false /* raw */,
+            Cookie::SAMESITE_LAX
         ));
     }
 }
diff --git a/appveyor.yml b/appveyor.yml
@@ -10,7 +10,7 @@ init:
 
 install:
   - ps: Set-Service wuauserv -StartupType Manual
-  - cinst -y php
+  - cinst -y php --version 7.2.17
   - cd c:\tools\php72
   - copy php.ini-production php.ini /Y
   - echo date.timezone="UTC" >> php.ini

diff --git a/spec/Dunglas/AngularCsrfBundle/DependencyInjection/DunglasAngularCsrfExtensionSpec.php b/spec/Dunglas/AngularCsrfBundle/DependencyInjection/DunglasAngularCsrfExtensionSpec.php
@@ -60,6 +60,11 @@ public function it_loads(ContainerBuilder $container, ParameterBagInterface $par
             $container->addResource(Argument::type('Symfony\Component\Config\Resource\FileResource'))->shouldBeCalled();
         }
 
+        if (method_exists('Symfony\Component\DependencyInjection\ContainerBuilder', 'addRemovedBindingIds')) {
+            // Added in Symfony v4.2.6 and v3.4.25
+            $container->addRemovedBindingIds(Argument::type('string'))->willReturn(null);
+        }
+
         $container->getParameterBag()->willReturn($parameterBag)->shouldBeCalled();
         $container->hasExtension('http://symfony.com/schema/dic/services')->willReturn(false)->shouldBeCalled();
         $container->setParameter('dunglas_angular_csrf.token.id', $configs['dunglas_angular_csrf']['token']['id'])->shouldBeCalled();

diff --git a/spec/Dunglas/AngularCsrfBundle/EventListener/AngularCsrfCookieListenerSpec.php b/spec/Dunglas/AngularCsrfBundle/EventListener/AngularCsrfCookieListenerSpec.php
@@ -79,7 +79,10 @@ public function it_sets_cookie_when_it_does(
         Response $response,
         ResponseHeaderBag $headers
     ) {
-        $headers->setCookie(Argument::type('Symfony\Component\HttpFoundation\Cookie'));
+        $headers->setCookie(Argument::allOf(
+            Argument::type('Symfony\Component\HttpFoundation\Cookie'),
+            Argument::which('getSameSite', 'lax')
+        ))->shouldBeCalled();
         $response->headers = $headers;
 
         $event->getRequestType()->willReturn(HttpKernelInterface::MASTER_REQUEST)->shouldBeCalled();