xref: /webtrees/app/Http/Middleware/CheckCsrf.php (revision c1010eda29c0909ed4d5d463f32d32bfefdd4dfe)
1ccb0284cSGreg Roach<?php
2ccb0284cSGreg Roach/**
3ccb0284cSGreg Roach * webtrees: online genealogy
4ccb0284cSGreg Roach * Copyright (C) 2018 webtrees development team
5ccb0284cSGreg Roach * This program is free software: you can redistribute it and/or modify
6ccb0284cSGreg Roach * it under the terms of the GNU General Public License as published by
7ccb0284cSGreg Roach * the Free Software Foundation, either version 3 of the License, or
8ccb0284cSGreg Roach * (at your option) any later version.
9ccb0284cSGreg Roach * This program is distributed in the hope that it will be useful,
10ccb0284cSGreg Roach * but WITHOUT ANY WARRANTY; without even the implied warranty of
11ccb0284cSGreg Roach * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12ccb0284cSGreg Roach * GNU General Public License for more details.
13ccb0284cSGreg Roach * You should have received a copy of the GNU General Public License
14ccb0284cSGreg Roach * along with this program. If not, see <http://www.gnu.org/licenses/>.
15ccb0284cSGreg Roach */
16ccb0284cSGreg Roachdeclare(strict_types=1);
17ccb0284cSGreg Roach
18ccb0284cSGreg Roachnamespace Fisharebest\Webtrees\Http\Middleware;
19ccb0284cSGreg Roach
20ccb0284cSGreg Roachuse Closure;
21ccb0284cSGreg Roachuse Fisharebest\Webtrees\I18N;
22ccb0284cSGreg Roachuse Fisharebest\Webtrees\Session;
23ccb0284cSGreg Roachuse Symfony\Component\HttpFoundation\Request;
24ccb0284cSGreg Roachuse Symfony\Component\HttpFoundation\Response;
25ccb0284cSGreg Roachuse Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
26ccb0284cSGreg Roach
27ccb0284cSGreg Roach/**
28ccb0284cSGreg Roach * Middleware to wrap a request in a transaction.
29ccb0284cSGreg Roach */
30*c1010edaSGreg Roachclass CheckCsrf implements MiddlewareInterface
31*c1010edaSGreg Roach{
32ccb0284cSGreg Roach    /**
33ccb0284cSGreg Roach     * @param Request $request
34ccb0284cSGreg Roach     * @param Closure $next
35ccb0284cSGreg Roach     *
36ccb0284cSGreg Roach     * @return Response
37ccb0284cSGreg Roach     * @throws AccessDeniedHttpException
38ccb0284cSGreg Roach     */
39*c1010edaSGreg Roach    public function handle(Request $request, Closure $next): Response
40*c1010edaSGreg Roach    {
4159272eafSGreg Roach        $client_token  = $request->get('csrf', $request->headers->get('X_CSRF_TOKEN'));
42ccb0284cSGreg Roach        $session_token = Session::get('CSRF_TOKEN');
43ccb0284cSGreg Roach
44ccb0284cSGreg Roach        if ($client_token !== $session_token) {
45ccb0284cSGreg Roach            throw new AccessDeniedHttpException(I18N::translate('This form has expired. Try again.'));
46ccb0284cSGreg Roach        }
47ccb0284cSGreg Roach
48ccb0284cSGreg Roach        return $next($request);
49ccb0284cSGreg Roach    }
50ccb0284cSGreg Roach}
51