xref: /webtrees/app/Http/Middleware/CheckCsrf.php (revision 319149d67195b9a7eba14cc17d3c8064b4dea7e7)
1<?php
2/**
3 * webtrees: online genealogy
4 * Copyright (C) 2018 webtrees development team
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 3 of the License, or
8 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 * You should have received a copy of the GNU General Public License
14 * along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16declare(strict_types=1);
17
18namespace Fisharebest\Webtrees\Http\Middleware;
19
20use Closure;
21use Fisharebest\Webtrees\I18N;
22use Fisharebest\Webtrees\Session;
23use Symfony\Component\HttpFoundation\Request;
24use Symfony\Component\HttpFoundation\Response;
25use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
26
27/**
28 * Middleware to wrap a request in a transaction.
29 */
30class CheckCsrf implements MiddlewareInterface {
31	/**
32	 * @param Request $request
33	 * @param Closure $next
34	 *
35	 * @return Response
36	 * @throws AccessDeniedHttpException
37	 */
38	public function handle(Request $request, Closure $next): Response {
39		$client_token  = $request->get('csrf', $request->headers->get('X_CSRF_TOKEN'));
40		$session_token = Session::get('CSRF_TOKEN');
41
42		if ($client_token !== $session_token) {
43			throw new AccessDeniedHttpException(I18N::translate('This form has expired. Try again.'));
44		}
45
46		return $next($request);
47	}
48}
49