geckon01/simple-php-router
1
0
Fork 0
mirror of https://github.com/skipperbent/simple-php-router.git synced 2026-06-17 00:37:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8b6a6864a7da1db078609e1f96ee69de39180a9e
simple-php-router/src/Pecee/Http/Middleware/BaseCsrfVerifier.php
T
Simon Sessingo a25be983b8 Development 
- Renamed Uri class to Url.
- Renamed setUri and getUri to setUrl and getUrl.
- Added custom Exceptions and ensured that router only throws HttpExceptions.
- Added isAjax method to Request class.
- Added better phpDocs.
- Other minor optimisations.
2018-02-26 23:21:26 +01:00

102 lines
2.5 KiB
PHP
Raw Blame History

<?php
namespace Pecee\Http\Middleware;
use Pecee\Http\Middleware\Exceptions\TokenMismatchException;
use Pecee\Http\Request;
use Pecee\Http\Security\CookieTokenProvider;
use Pecee\Http\Security\ITokenProvider;
class BaseCsrfVerifier implements IMiddleware
{
const POST_KEY = 'csrf-token';
const HEADER_KEY = 'X-CSRF-TOKEN';
protected $except;
protected $tokenProvider;
/**
* BaseCsrfVerifier constructor.
* @throws \Pecee\Http\Security\Exceptions\SecurityException
*/
public function __construct()
{
$this->tokenProvider = new CookieTokenProvider();
}
/**
* Check if the url matches the urls in the except property
* @param Request $request
* @return bool
*/
protected function skip(Request $request)
{
if ($this->except === null || count($this->except) === 0) {
return false;
}
$max = count($this->except) - 1;
for ($i = $max; $i >= 0; $i--) {
$url = $this->except[$i];
$url = rtrim($url, '/');
if ($url[strlen($url) - 1] === '*') {
$url = rtrim($url, '*');
$skip = (stripos($request->getUrl()->getOriginalUrl(), $url) === 0);
} else {
$skip = ($url === $request->getUrl()->getOriginalUrl());
}
if ($skip === true) {
return true;
}
}
return false;
}
/**
* Handle request
*
* @param Request $request
* @throws TokenMismatchException
*/
public function handle(Request $request)
{
if ($this->skip($request) === false && in_array($request->getMethod(), ['post', 'put', 'delete'], false) === true) {
$token = $request->getInput()->get(static::POST_KEY, null, 'post');
// If the token is not posted, check headers for valid x-csrf-token
if ($token === null) {
$token = $request->getHeader(static::HEADER_KEY);
}
if ($this->tokenProvider->validate($token) === false) {
throw new TokenMismatchException('Invalid CSRF-token.');
}
}
// Refresh existing token
$this->tokenProvider->refresh();
}
public function getTokenProvider()
{
return $this->tokenProvider;
}
/**
* Set token provider
* @param ITokenProvider $provider
*/
public function setTokenProvider(ITokenProvider $provider)
{
$this->tokenProvider = $provider;
}
}
Reference in New Issue View Git Blame Copy Permalink