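. */

declare(strict_types=1);

namespace Fisharebest\Webtrees\Http\Middleware;

use Closure;
use Fisharebest\Webtrees\FlashMessages;
use Fisharebest\Webtrees\I18N;
use Fisharebest\Webtrees\Session;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

use function hash_equals;
use function in_array;
use function is_string;

/**
 * Middleware to protect POST requests against cross-site request forgery.
 *
 * Every POST must carry the per-session CSRF token, either as the `csrf`
 * request parameter or in the `X_CSRF_TOKEN` header, and it must match the
 * token stored in the session under `CSRF_TOKEN`. Requests that fail the
 * check are not executed; the user is redirected back to the same URI with
 * a flash message asking them to resubmit the form.
 */
class CheckCsrf implements MiddlewareInterface
{
    /**
     * Routes whose POST requests are deliberately exempt from the check.
     *
     * NOTE(review): the route name is taken from the request itself, so any
     * POST that names one of these routes bypasses the token check entirely.
     * The exemption is only as safe as the handlers behind these two routes.
     */
    private const EXCLUDE_ROUTES = [
        'language',
        'theme',
    ];

    /**
     * Verify the CSRF token on POST requests, then hand off to the next middleware.
     *
     * Non-POST requests are passed through untouched. For a POST, the token is
     * accepted from the `csrf` parameter (Request::get() consults attributes,
     * query string and body) or, failing that, the `X_CSRF_TOKEN` header.
     *
     * @param Request $request
     * @param Closure $next
     *
     * @return Response the downstream response, or a redirect to the same URI
     *                  when the token is missing or does not match
     */
    public function handle(Request $request, Closure $next): Response
    {
        if ($request->getMethod() === Request::METHOD_POST) {
            $route = $request->get('route');

            if (!in_array($route, self::EXCLUDE_ROUTES, true)) {
                $client_token  = $request->get('csrf', $request->headers->get('X_CSRF_TOKEN'));
                $session_token = Session::get('CSRF_TOKEN');

                // Both sides must be non-empty strings. A plain `!==` comparison
                // lets a request with no token pass whenever the session has not
                // issued one either (null === null), and it also leaks timing.
                // hash_equals() gives a constant-time comparison; the is_string()
                // guards keep it from throwing on an array-valued `csrf[]` input.
                $token_is_valid = is_string($client_token)
                    && is_string($session_token)
                    && $session_token !== ''
                    && hash_equals($session_token, $client_token);

                if (!$token_is_valid) {
                    FlashMessages::addMessage(I18N::translate('This form has expired. Try again.'));

                    // Redirect rather than reject outright, so a stale form
                    // (e.g. after a session timeout) can simply be resubmitted.
                    return new RedirectResponse($request->getRequestUri());
                }
            }
        }

        return $next($request);
    }
}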