xref: /webtrees/app/Http/Middleware/CheckCsrf.php (revision 310b7a5a19cf8cff7a1f909e219fcab37d8a8181)
1<?php
2/**
3 * webtrees: online genealogy
4 * Copyright (C) 2019 webtrees development team
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 3 of the License, or
8 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 * You should have received a copy of the GNU General Public License
14 * along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16declare(strict_types=1);
17
18namespace Fisharebest\Webtrees\Http\Middleware;
19
20use Closure;
21use Fisharebest\Webtrees\FlashMessages;
22use Fisharebest\Webtrees\I18N;
23use Fisharebest\Webtrees\Session;
24use Symfony\Component\HttpFoundation\RedirectResponse;
25use Symfony\Component\HttpFoundation\Request;
26use Symfony\Component\HttpFoundation\Response;
27use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
28use function in_array;
29
30/**
31 * Middleware to wrap a request in a transaction.
32 */
33class CheckCsrf implements MiddlewareInterface
34{
35    private const EXCLUDE_ROUTES = [
36        'language',
37        'theme',
38    ];
39
40    /**
41     * @param Request $request
42     * @param Closure $next
43     *
44     * @return Response
45     * @throws AccessDeniedHttpException
46     */
47    public function handle(Request $request, Closure $next): Response
48    {
49        if ($request->getMethod() === Request::METHOD_POST) {
50            $route = $request->get('route');
51
52            if (!in_array($route, self::EXCLUDE_ROUTES, true)) {
53                $client_token  = $request->get('csrf', $request->headers->get('X_CSRF_TOKEN'));
54                $session_token = Session::get('CSRF_TOKEN');
55
56                if ($client_token !== $session_token) {
57                    FlashMessages::addMessage(I18N::translate('This form has expired. Try again.'));
58
59                    return new RedirectResponse($request->getRequestUri());
60                }
61            }
62        }
63
64        return $next($request);
65    }
66}
67