mirror of
https://github.com/skipperbent/simple-php-router.git
synced 2026-07-09 08:30:19 +00:00
a9c03f9271
- Updated `helpers.php` and helpers example in documentation. - MalformedUrlException is now handled properly by Router to avoid phpStorm syntax highlights in routes. - Added `getUrlCopy` to `Request` class, used to clone the current route (to keep domain etc.) - `setUrl` in `Request` are now strict and requires `Url` object and no longer accepts strings. - Renamed `hasRewrite` property to `hasPendingRewrite` in `Request` class. - Renamed `hasRewrite` and `setHasRewrite` methods to `hasPendingRewrite` and `setHasPendingRewrite` in `Request` class. - Added better usage of `Url` class. When calling `url` you can now use the methods on the `Url` class to filter params, get relative/absolute url etc. See documentation for more info. - Renamed `get` method to `getValue` in `InputHandler` class. - Renamed `getObject` to `get` and removed `$defaultValue` argument in `InputHandler` class. - Optimized `InputHandler` class. - Fixed issue with `$token` not being proper string in `BaseCsrfVerifier` when token is not found. - Added php.ini configuration settings to `setcookie` in `CookieTokenProvider` for improved security. - Added `$router` parameter to `boot` method in `IRouterBootManager` which allows for further manipulation of the router within the bootmanager. - Renamed `$processingRoute` property to `$isProcessingRoute` in `Router` class. - Fixed `reset` method not resetting CSRF-verifier in `Router` class. - Moved `arrayToParams` helper-method from `Router` to `Url` class. - Began to add Event-functionality to router. - Added `addEventHandler` method to `SimpleRouter` class. - Moved `Pecee\SimpleRouter\Handler\CallbackExceptionHandler` to `Pecee\SimpleRouter\Handlers\CallbackExceptionHandler`. - Moved `Pecee\SimpleRouter\Handler\IExceptionHandler` to `Pecee\SimpleRouter\Handlers\IExceptionHandler`. - Added Events section to documentation. - Added more information on url-handling in documentation. - Optimisations.
101 lines
2.5 KiB
PHP
101 lines
2.5 KiB
PHP
<?php
|
|
|
|
namespace Pecee\Http\Middleware;
|
|
|
|
use Pecee\Http\Middleware\Exceptions\TokenMismatchException;
|
|
use Pecee\Http\Request;
|
|
use Pecee\Http\Security\CookieTokenProvider;
|
|
use Pecee\Http\Security\ITokenProvider;
|
|
|
|
class BaseCsrfVerifier implements IMiddleware
|
|
{
|
|
public const POST_KEY = 'csrf-token';
|
|
public const HEADER_KEY = 'X-CSRF-TOKEN';
|
|
|
|
protected $except;
|
|
protected $tokenProvider;
|
|
|
|
/**
|
|
* BaseCsrfVerifier constructor.
|
|
* @throws \Pecee\Http\Security\Exceptions\SecurityException
|
|
*/
|
|
public function __construct()
|
|
{
|
|
$this->tokenProvider = new CookieTokenProvider();
|
|
}
|
|
|
|
/**
|
|
* Check if the url matches the urls in the except property
|
|
* @param Request $request
|
|
* @return bool
|
|
*/
|
|
protected function skip(Request $request): bool
|
|
{
|
|
if ($this->except === null || \count($this->except) === 0) {
|
|
return false;
|
|
}
|
|
|
|
$max = \count($this->except) - 1;
|
|
|
|
for ($i = $max; $i >= 0; $i--) {
|
|
$url = $this->except[$i];
|
|
|
|
$url = rtrim($url, '/');
|
|
if ($url[\strlen($url) - 1] === '*') {
|
|
$url = rtrim($url, '*');
|
|
$skip = $request->getUrl()->contains($url);
|
|
} else {
|
|
$skip = ($url === $request->getUrl()->getOriginalUrl());
|
|
}
|
|
|
|
if ($skip === true) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Handle request
|
|
*
|
|
* @param Request $request
|
|
* @throws TokenMismatchException
|
|
*/
|
|
public function handle(Request $request): void
|
|
{
|
|
|
|
if ($this->skip($request) === false && \in_array($request->getMethod(), ['post', 'put', 'delete'], true) === true) {
|
|
|
|
$token = $request->getInputHandler()->getValue(
|
|
static::POST_KEY,
|
|
$request->getHeader(static::HEADER_KEY),
|
|
'post'
|
|
);
|
|
|
|
if ($this->tokenProvider->validate((string)$token) === false) {
|
|
throw new TokenMismatchException('Invalid CSRF-token.');
|
|
}
|
|
|
|
}
|
|
|
|
// Refresh existing token
|
|
$this->tokenProvider->refresh();
|
|
|
|
}
|
|
|
|
public function getTokenProvider(): ITokenProvider
|
|
{
|
|
return $this->tokenProvider;
|
|
}
|
|
|
|
/**
|
|
* Set token provider
|
|
* @param ITokenProvider $provider
|
|
*/
|
|
public function setTokenProvider(ITokenProvider $provider): void
|
|
{
|
|
$this->tokenProvider = $provider;
|
|
}
|
|
|
|
} |