From e300edce499b059b2c963375dd0126ebdc8a2f7a Mon Sep 17 00:00:00 2001
From: Demian Katz
Date: Mon, 16 Dec 2024 11:07:56 -0500
Subject: [PATCH] [VUFIND-1713] Refactor custom CSRF logic for compatibility with future laminas-validator releases (#4161)
---
 composer.json | 2 +-
 composer.lock | 16 ++---
 .../src/VuFind/Validator/SessionCsrf.php | 71 +++++++++++++++++--
 3 files changed, 75 insertions(+), 14 deletions(-)
diff --git a/composer.json b/composer.json
index 0b6e7f76ba0..661d0658b75 100644
--- a/composer.json
+++ b/composer.json
@@ -84,7 +84,7 @@
 "laminas/laminas-session": "2.21.0",
 "laminas/laminas-stdlib": "3.19.0",
 "laminas/laminas-text": "2.11.0",
- "laminas/laminas-validator": "2.55.0",
+ "laminas/laminas-validator": "2.64.2",
 "laminas/laminas-view": "2.27.0",
 "league/commonmark": "2.6.0",
 "league/oauth2-client": "^2.7",
diff --git a/composer.lock b/composer.lock
index 0ab9a487467..9925c0abf7d 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
 "This file is @generated automatically"
 ],
- "content-hash": "1a11b1b8757fba47cad77f6aeffb4bfa",
+ "content-hash": "707506f308fdbe34c207f2313bd5addf",
 "packages": [
 {
 "name": "ahand/mobileesp",
@@ -4397,22 +4397,22 @@
 },
 {
 "name": "laminas/laminas-validator",
- "version": "2.55.0",
+ "version": "2.64.2",
 "source": {
 "type": "git",
 "url": "https://github.com/laminas/laminas-validator.git",
- "reference": "dc3f2609d41b1e21bc24e3e147d7dd284e8a1556"
+ "reference": "771e504760448ac7af660710237ceb93be602e08"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/laminas/laminas-validator/zipball/dc3f2609d41b1e21bc24e3e147d7dd284e8a1556",
- "reference": "dc3f2609d41b1e21bc24e3e147d7dd284e8a1556",
+ "url": "https://api.github.com/repos/laminas/laminas-validator/zipball/771e504760448ac7af660710237ceb93be602e08",
+ "reference": "771e504760448ac7af660710237ceb93be602e08",
 "shasum": ""
 },
 "require": {
 "laminas/laminas-servicemanager": "^3.21.0",
- "laminas/laminas-stdlib": "^3.13",
- "php": "~8.1.0 || ~8.2.0 || ~8.3.0",
+ "laminas/laminas-stdlib": "^3.19",
+ "php": "~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0",
 "psr/http-message": "^1.0.1 || ^2.0.0"
 },
 "conflict": {
@@ -4477,7 +4477,7 @@
 "type": "community_bridge"
 }
 ],
- "time": "2024-06-12T15:00:19+00:00"
+ "time": "2024-11-26T21:29:17+00:00"
 },
 {
 "name": "laminas/laminas-view",
diff --git a/module/VuFind/src/VuFind/Validator/SessionCsrf.php b/module/VuFind/src/VuFind/Validator/SessionCsrf.php
index 257e716a05e..32523e450b8 100644
--- a/module/VuFind/src/VuFind/Validator/SessionCsrf.php
+++ b/module/VuFind/src/VuFind/Validator/SessionCsrf.php
@@ -1,7 +1,7 @@ csrf = new Csrf($options); + } + /** * Keep only the most recent N tokens. *
@@ -52,7 +71,7 @@ class SessionCsrf extends \Laminas\Validator\Csrf implements CsrfInterface
 */
 public function trimTokenList($limit)
 {
- $session = $this->getSession();
+ $session = $this->csrf->getSession();
 if ($limit < 1) {
 // Reset the array if necessary:
 $session->tokenList = [];
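Review bot: The replacement line `$session = $this->csrf->getSession();` keeps trimTokenList coupled to two internals of the wrapped Laminas validator — its `getSession()` accessor and the `tokenList` property it stores on that session container, which the next visible line writes directly — so the move from inheritance to composition does not by itself insulate this method from the laminas-validator changes the commit title is preparing for. The same coupling appears in getTokenCount in the following hunk. I would record it at the assignment so the next upgrade reviews it deliberately: `// Coupled to Csrf::getSession() and its 'tokenList' session key; re-check on laminas-validator upgrades.` trimTokenList's body continues outside the hunk, and the class header that shows whether SessionCsrf still extends the Laminas validator is not legible in this patch.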
@@ -70,6 +89,48 @@ public function trimTokenList($limit)
 */
 public function getTokenCount()
 {
- return count($this->getSession()->tokenList ?? []);
+ return count($this->csrf->getSession()->tokenList ?? []);
+ }
+
+ /**
+ * Retrieve CSRF token
+ *
+ * If no CSRF token currently exists, or should be regenerated,
+ * generates one.
+ *
+ * @param bool $regenerate regenerate hash, default false
+ *
+ * @return string
+ */
+ public function getHash($regenerate = false)
+ {
+ return $this->csrf->getHash($regenerate);
+ }
+
+ /**
+ * Returns true if the CSRF token is valid.
+ *
+ * @param mixed $value Token to validate
+ *
+ * @return bool
+ */
+ public function isValid($value)
+ {
+ return $this->csrf->isValid($value);
+ }
+
+ /**
+ * Returns an array of messages that explain why the most recent isValid()
+ * call returned false. The array keys are validation failure message identifiers,
+ * and the array values are the corresponding human-readable message strings.
+ *
+ * If isValid() was never called or if the most recent isValid() call
+ * returned true, then this method returns an empty array.
+ *
+ * @return array
+ */
+ public function getMessages()
+ {
+ return $this->csrf->getMessages();
 }
 }
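Review bot: The three new pass-through methods declare their contract only in PHPDoc; the signatures `getHash($regenerate = false)`, `isValid($value)` and `getMessages()` carry no native return types even though the docblocks fix them as string, bool and array. Declaring `public function getHash($regenerate = false): string`, `public function isValid($value): bool` and `public function getMessages(): array` is compatible with an interface that omits them (return types are covariant), whereas adding parameter types would need CsrfInterface, which is outside this patch, to declare them first. Since the class now delegates to a wrapped validator instead of inheriting from it, any caller that previously used other inherited Laminas Csrf methods on a SessionCsrf instance (for example `getSession()`, which this very hunk still calls on the inner object) would now fail at runtime; I cannot see the callers or the new class header in this patch, so that should be confirmed against the factory and usages before merge.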