1ccb0284cSGreg Roach<?php 2ccb0284cSGreg Roach/** 3ccb0284cSGreg Roach * webtrees: online genealogy 48fcd0d32SGreg Roach * Copyright (C) 2019 webtrees development team 5ccb0284cSGreg Roach * This program is free software: you can redistribute it and/or modify 6ccb0284cSGreg Roach * it under the terms of the GNU General Public License as published by 7ccb0284cSGreg Roach * the Free Software Foundation, either version 3 of the License, or 8ccb0284cSGreg Roach * (at your option) any later version. 9ccb0284cSGreg Roach * This program is distributed in the hope that it will be useful, 10ccb0284cSGreg Roach * but WITHOUT ANY WARRANTY; without even the implied warranty of 11ccb0284cSGreg Roach * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12ccb0284cSGreg Roach * GNU General Public License for more details. 13ccb0284cSGreg Roach * You should have received a copy of the GNU General Public License 14ccb0284cSGreg Roach * along with this program. If not, see <http://www.gnu.org/licenses/>. 15ccb0284cSGreg Roach */ 16ccb0284cSGreg Roachdeclare(strict_types=1); 17ccb0284cSGreg Roach 18ccb0284cSGreg Roachnamespace Fisharebest\Webtrees\Http\Middleware; 19ccb0284cSGreg Roach 20ccb0284cSGreg Roachuse Closure; 21094bd4e5SGreg Roachuse Fisharebest\Webtrees\FlashMessages; 22ccb0284cSGreg Roachuse Fisharebest\Webtrees\I18N; 23ccb0284cSGreg Roachuse Fisharebest\Webtrees\Session; 24094bd4e5SGreg Roachuse Symfony\Component\HttpFoundation\RedirectResponse; 25ccb0284cSGreg Roachuse Symfony\Component\HttpFoundation\Request; 26ccb0284cSGreg Roachuse Symfony\Component\HttpFoundation\Response; 27ccb0284cSGreg Roachuse Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; 28*ba8e6c18SGreg Roachuse function in_array; 29ccb0284cSGreg Roach 30ccb0284cSGreg Roach/** 31ccb0284cSGreg Roach * Middleware to wrap a request in a transaction. 32ccb0284cSGreg Roach */ 33c1010edaSGreg Roachclass CheckCsrf implements MiddlewareInterface 34c1010edaSGreg Roach{ 35*ba8e6c18SGreg Roach private const EXCLUDE_ROUTES = [ 36*ba8e6c18SGreg Roach 'language', 37*ba8e6c18SGreg Roach 'theme', 38*ba8e6c18SGreg Roach ]; 39*ba8e6c18SGreg Roach 40ccb0284cSGreg Roach /** 41ccb0284cSGreg Roach * @param Request $request 42ccb0284cSGreg Roach * @param Closure $next 43ccb0284cSGreg Roach * 44ccb0284cSGreg Roach * @return Response 45ccb0284cSGreg Roach * @throws AccessDeniedHttpException 46ccb0284cSGreg Roach */ 47c1010edaSGreg Roach public function handle(Request $request, Closure $next): Response 48c1010edaSGreg Roach { 49*ba8e6c18SGreg Roach $route = $request->get('route'); 50*ba8e6c18SGreg Roach 5159272eafSGreg Roach $client_token = $request->get('csrf', $request->headers->get('X_CSRF_TOKEN')); 52ccb0284cSGreg Roach $session_token = Session::get('CSRF_TOKEN'); 53ccb0284cSGreg Roach 54*ba8e6c18SGreg Roach if ($client_token !== $session_token && !in_array($route, self::EXCLUDE_ROUTES, true)) { 55094bd4e5SGreg Roach FlashMessages::addMessage(I18N::translate('This form has expired. Try again.')); 56094bd4e5SGreg Roach 57094bd4e5SGreg Roach return new RedirectResponse($request->getRequestUri()); 58ccb0284cSGreg Roach } 59ccb0284cSGreg Roach 60ccb0284cSGreg Roach return $next($request); 61ccb0284cSGreg Roach } 62ccb0284cSGreg Roach} 63