xref: /webtrees/app/Http/Middleware/CheckCsrf.php (revision 5206405d15dd895c306e1f66583e11d1691e57fa)
1<?php
2/**
3 * webtrees: online genealogy
4 * Copyright (C) 2019 webtrees development team
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 3 of the License, or
8 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 * You should have received a copy of the GNU General Public License
14 * along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16declare(strict_types=1);
17
18namespace Fisharebest\Webtrees\Http\Middleware;
19
20use Closure;
21use Fisharebest\Webtrees\FlashMessages;
22use Fisharebest\Webtrees\I18N;
23use Fisharebest\Webtrees\Session;
24use Symfony\Component\HttpFoundation\RedirectResponse;
25use Symfony\Component\HttpFoundation\Request;
26use Symfony\Component\HttpFoundation\Response;
27use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
28
29/**
30 * Middleware to wrap a request in a transaction.
31 */
32class CheckCsrf implements MiddlewareInterface
33{
34    /**
35     * @param Request $request
36     * @param Closure $next
37     *
38     * @return Response
39     * @throws AccessDeniedHttpException
40     */
41    public function handle(Request $request, Closure $next): Response
42    {
43        $client_token  = $request->get('csrf', $request->headers->get('X_CSRF_TOKEN'));
44        $session_token = Session::get('CSRF_TOKEN');
45
46        if ($client_token !== $session_token) {
47            FlashMessages::addMessage(I18N::translate('This form has expired. Try again.'));
48
49            return new RedirectResponse($request->getRequestUri());
50        }
51
52        return $next($request);
53    }
54}
55