1<?php 2/** 3 * webtrees: online genealogy 4 * Copyright (C) 2019 webtrees development team 5 * This program is free software: you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License as published by 7 * the Free Software Foundation, either version 3 of the License, or 8 * (at your option) any later version. 9 * This program is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 * GNU General Public License for more details. 13 * You should have received a copy of the GNU General Public License 14 * along with this program. If not, see <http://www.gnu.org/licenses/>. 15 */ 16declare(strict_types=1); 17 18namespace Fisharebest\Webtrees\Http\Middleware; 19 20use Closure; 21use Fisharebest\Webtrees\FlashMessages; 22use Fisharebest\Webtrees\I18N; 23use Fisharebest\Webtrees\Session; 24use Symfony\Component\HttpFoundation\RedirectResponse; 25use Symfony\Component\HttpFoundation\Request; 26use Symfony\Component\HttpFoundation\Response; 27use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; 28 29/** 30 * Middleware to wrap a request in a transaction. 31 */ 32class CheckCsrf implements MiddlewareInterface 33{ 34 /** 35 * @param Request $request 36 * @param Closure $next 37 * 38 * @return Response 39 * @throws AccessDeniedHttpException 40 */ 41 public function handle(Request $request, Closure $next): Response 42 { 43 $client_token = $request->get('csrf', $request->headers->get('X_CSRF_TOKEN')); 44 $session_token = Session::get('CSRF_TOKEN'); 45 46 if ($client_token !== $session_token) { 47 FlashMessages::addMessage(I18N::translate('This form has expired. Try again.')); 48 49 return new RedirectResponse($request->getRequestUri()); 50 } 51 52 return $next($request); 53 } 54} 55