Files
simple-php-router/src/Pecee/Http/Middleware/BaseCsrfVerifier.php
T
Simon Sessingø 8370d3d94e Development
- Made easier to extend.
- Added IRoute class.
- Changed namespace for Route classes.
- Moved find-url related stuff to Route classes itself.
- Added more tests for finding urls.
- Added support for custom names on RouteController and RouteResource.
- Removed depricated methods.
- Updated documentation.
- Updated demo-project to reflect changes.
- Other small bugfixes and improvements.
2016-11-21 01:50:28 +01:00

95 lines
1.9 KiB
PHP

<?php
namespace Pecee\Http\Middleware;
use Pecee\CsrfToken;
use Pecee\Exceptions\TokenMismatchException;
use Pecee\Http\Request;
use Pecee\SimpleRouter\Route\ILoadableRoute;
class BaseCsrfVerifier implements IMiddleware
{
const POST_KEY = 'csrf-token';
const HEADER_KEY = 'X-CSRF-TOKEN';
protected $except;
protected $csrfToken;
protected $token;
public function __construct()
{
$this->csrfToken = new CsrfToken();
// Generate or get the CSRF-Token from Cookie.
$this->token = (!$this->hasToken()) ? $this->generateToken() : $this->csrfToken->getToken();
}
/**
* Check if the url matches the urls in the except property
* @param Request $request
* @return bool
*/
protected function skip(Request $request)
{
if ($this->except === null || is_array($this->except) === false) {
return false;
}
foreach ($this->except as $url) {
$url = rtrim($url, '/');
if ($url[strlen($url) - 1] === '*') {
$url = rtrim($url, '*');
$skip = (stripos($request->getUri(), $url) === 0);
} else {
$skip = ($url === rtrim($request->getUri(), '/'));
}
if ($skip) {
return true;
}
}
return false;
}
public function handle(Request $request, ILoadableRoute &$route = null)
{
if ($request->getMethod() !== 'get' && !$this->skip($request)) {
$token = $request->getInput()->post->get(static::POST_KEY);
// If the token is not posted, check headers for valid x-csrf-token
if ($token === null) {
$token = $request->getHeader(static::HEADER_KEY);
}
if (!$this->csrfToken->validate($token)) {
throw new TokenMismatchException('Invalid csrf-token.');
}
}
}
public function generateToken()
{
$token = $this->csrfToken->generateToken();
$this->csrfToken->setToken($token);
return $token;
}
public function hasToken()
{
if ($this->token != null) {
return true;
}
return $this->csrfToken->hasToken();
}
public function getToken()
{
return $this->token;
}
}