mirror of
https://github.com/skipperbent/simple-php-router.git
synced 2026-07-10 21:42:17 +00:00
8370d3d94e
- Made easier to extend. - Added IRoute class. - Changed namespace for Route classes. - Moved find-url related stuff to Route classes itself. - Added more tests for finding urls. - Added support for custom names on RouteController and RouteResource. - Removed depricated methods. - Updated documentation. - Updated demo-project to reflect changes. - Other small bugfixes and improvements.
95 lines
1.9 KiB
PHP
95 lines
1.9 KiB
PHP
<?php
|
|
namespace Pecee\Http\Middleware;
|
|
|
|
use Pecee\CsrfToken;
|
|
use Pecee\Exceptions\TokenMismatchException;
|
|
use Pecee\Http\Request;
|
|
use Pecee\SimpleRouter\Route\ILoadableRoute;
|
|
|
|
class BaseCsrfVerifier implements IMiddleware
|
|
{
|
|
const POST_KEY = 'csrf-token';
|
|
const HEADER_KEY = 'X-CSRF-TOKEN';
|
|
|
|
protected $except;
|
|
protected $csrfToken;
|
|
protected $token;
|
|
|
|
public function __construct()
|
|
{
|
|
$this->csrfToken = new CsrfToken();
|
|
|
|
// Generate or get the CSRF-Token from Cookie.
|
|
$this->token = (!$this->hasToken()) ? $this->generateToken() : $this->csrfToken->getToken();
|
|
}
|
|
|
|
/**
|
|
* Check if the url matches the urls in the except property
|
|
* @param Request $request
|
|
* @return bool
|
|
*/
|
|
protected function skip(Request $request)
|
|
{
|
|
if ($this->except === null || is_array($this->except) === false) {
|
|
return false;
|
|
}
|
|
|
|
foreach ($this->except as $url) {
|
|
$url = rtrim($url, '/');
|
|
if ($url[strlen($url) - 1] === '*') {
|
|
$url = rtrim($url, '*');
|
|
$skip = (stripos($request->getUri(), $url) === 0);
|
|
} else {
|
|
$skip = ($url === rtrim($request->getUri(), '/'));
|
|
}
|
|
|
|
if ($skip) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
public function handle(Request $request, ILoadableRoute &$route = null)
|
|
{
|
|
|
|
if ($request->getMethod() !== 'get' && !$this->skip($request)) {
|
|
|
|
$token = $request->getInput()->post->get(static::POST_KEY);
|
|
|
|
// If the token is not posted, check headers for valid x-csrf-token
|
|
if ($token === null) {
|
|
$token = $request->getHeader(static::HEADER_KEY);
|
|
}
|
|
|
|
if (!$this->csrfToken->validate($token)) {
|
|
throw new TokenMismatchException('Invalid csrf-token.');
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
public function generateToken()
|
|
{
|
|
$token = $this->csrfToken->generateToken();
|
|
$this->csrfToken->setToken($token);
|
|
return $token;
|
|
}
|
|
|
|
public function hasToken()
|
|
{
|
|
if ($this->token != null) {
|
|
return true;
|
|
}
|
|
|
|
return $this->csrfToken->hasToken();
|
|
}
|
|
|
|
public function getToken()
|
|
{
|
|
return $this->token;
|
|
}
|
|
|
|
} |