xref: /webtrees/app/Http/Middleware/CheckCsrf.php (revision b46c87bda4b592cf9252f1db48552a820b1e3d97) 
1ccb0284cSGreg Roach<?php
23976b470SGreg Roach
3ccb0284cSGreg Roach/**
4ccb0284cSGreg Roach * webtrees: online genealogy
58fcd0d32SGreg Roach * Copyright (C) 2019 webtrees development team
6ccb0284cSGreg Roach * This program is free software: you can redistribute it and/or modify
7ccb0284cSGreg Roach * it under the terms of the GNU General Public License as published by
8ccb0284cSGreg Roach * the Free Software Foundation, either version 3 of the License, or
9ccb0284cSGreg Roach * (at your option) any later version.
10ccb0284cSGreg Roach * This program is distributed in the hope that it will be useful,
11ccb0284cSGreg Roach * but WITHOUT ANY WARRANTY; without even the implied warranty of
12ccb0284cSGreg Roach * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13ccb0284cSGreg Roach * GNU General Public License for more details.
14ccb0284cSGreg Roach * You should have received a copy of the GNU General Public License
15ccb0284cSGreg Roach * along with this program. If not, see <http://www.gnu.org/licenses/>.
16ccb0284cSGreg Roach */
17fcfa147eSGreg Roach
18ccb0284cSGreg Roachdeclare(strict_types=1);
19ccb0284cSGreg Roach
20ccb0284cSGreg Roachnamespace Fisharebest\Webtrees\Http\Middleware;
21ccb0284cSGreg Roach
226ccdf4f0SGreg Roachuse Fig\Http\Message\RequestMethodInterface;
23094bd4e5SGreg Roachuse Fisharebest\Webtrees\FlashMessages;
24ccb0284cSGreg Roachuse Fisharebest\Webtrees\I18N;
25ccb0284cSGreg Roachuse Fisharebest\Webtrees\Session;
266ccdf4f0SGreg Roachuse Psr\Http\Message\ResponseInterface;
276ccdf4f0SGreg Roachuse Psr\Http\Message\ServerRequestInterface;
286ccdf4f0SGreg Roachuse Psr\Http\Server\MiddlewareInterface;
296ccdf4f0SGreg Roachuse Psr\Http\Server\RequestHandlerInterface;
303976b470SGreg Roach
31ba8e6c18SGreg Roachuse function in_array;
32ccb0284cSGreg Roach
33ccb0284cSGreg Roach/**
34ccb0284cSGreg Roach * Middleware to wrap a request in a transaction.
35ccb0284cSGreg Roach */
36c1010edaSGreg Roachclass CheckCsrf implements MiddlewareInterface
37c1010edaSGreg Roach{
38ba8e6c18SGreg Roach    private const EXCLUDE_ROUTES = [
39ba8e6c18SGreg Roach        'language',
40ba8e6c18SGreg Roach        'theme',
41ba8e6c18SGreg Roach    ];
42ba8e6c18SGreg Roach
43ccb0284cSGreg Roach    /**
446ccdf4f0SGreg Roach     * @param ServerRequestInterface  $request
456ccdf4f0SGreg Roach     * @param RequestHandlerInterface $handler
46ccb0284cSGreg Roach     *
476ccdf4f0SGreg Roach     * @return ResponseInterface
48ccb0284cSGreg Roach     */
496ccdf4f0SGreg Roach    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
50c1010edaSGreg Roach    {
516ccdf4f0SGreg Roach        if ($request->getMethod() === RequestMethodInterface::METHOD_POST) {
52*b46c87bdSGreg Roach            $params = (array) $request->getParsedBody();
53*b46c87bdSGreg Roach
54*b46c87bdSGreg Roach            $route = $params['route'] ?? '';
55ba8e6c18SGreg Roach
56310b7a5aSGreg Roach            if (!in_array($route, self::EXCLUDE_ROUTES, true)) {
57*b46c87bdSGreg Roach                $client_token  = $params['csrf'] ?? $request->getHeaderLine('X-CSRF-TOKEN');
58ccb0284cSGreg Roach                $session_token = Session::get('CSRF_TOKEN');
59ccb0284cSGreg Roach
60310b7a5aSGreg Roach                if ($client_token !== $session_token) {
61094bd4e5SGreg Roach                    FlashMessages::addMessage(I18N::translate('This form has expired. Try again.'));
62094bd4e5SGreg Roach
63f567c3d8SGreg Roach                    return redirect((string) $request->getUri());
64ccb0284cSGreg Roach                }
651cfe16bdSGreg Roach
661cfe16bdSGreg Roach                unset($params['csrf']);
671cfe16bdSGreg Roach                $request = $request->withParsedBody($params);
68310b7a5aSGreg Roach            }
69310b7a5aSGreg Roach        }
70ccb0284cSGreg Roach
716ccdf4f0SGreg Roach        return $handler->handle($request);
72ccb0284cSGreg Roach    }
73ccb0284cSGreg Roach}
74