xref: /webtrees/app/Http/Middleware/CheckCsrf.php (revision 3fa66c660869af2f4c92ef37e06997aa8a0f55e1)
1<?php
2/**
3 * webtrees: online genealogy
4 * Copyright (C) 2019 webtrees development team
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 3 of the License, or
8 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 * You should have received a copy of the GNU General Public License
14 * along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16declare(strict_types=1);
17
18namespace Fisharebest\Webtrees\Http\Middleware;
19
20use Closure;
21use Fisharebest\Webtrees\I18N;
22use Fisharebest\Webtrees\Session;
23use Symfony\Component\HttpFoundation\Request;
24use Symfony\Component\HttpFoundation\Response;
25use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
26
27/**
28 * Middleware to wrap a request in a transaction.
29 */
30class CheckCsrf implements MiddlewareInterface
31{
32    /**
33     * @param Request $request
34     * @param Closure $next
35     *
36     * @return Response
37     * @throws AccessDeniedHttpException
38     */
39    public function handle(Request $request, Closure $next): Response
40    {
41        $client_token  = $request->get('csrf', $request->headers->get('X_CSRF_TOKEN'));
42        $session_token = Session::get('CSRF_TOKEN');
43
44        if ($client_token !== $session_token) {
45            throw new AccessDeniedHttpException(I18N::translate('This form has expired. Try again.'));
46        }
47
48        return $next($request);
49    }
50}
51