FilesExpand file tree

 develop

/

CsrfGuard.php

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

100 lines (89 loc) · 2.67 KB

 develop

/

CsrfGuard.php

Top

File metadata and controls

• Code
• Blame

100 lines (89 loc) · 2.67 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

<?php

/**

* CSRF Guard

*

* Use this middleware with your Slim Framework application

* to protect you from CSRF attacks.

*

* USAGE

*

* $app = new \Slim\Slim();

* $app->add(new \Slim\Extras\Middleware\CsrfGuard());

*

*/

namespace Slim\Extras\Middleware;

class CsrfGuard extends \Slim\Middleware

{

/**

* CSRF token key name.

*

* @var string

*/

protected $key;

/**

* CSRF token header name.

*

* @var string

*/

protected $header;

/**

* Constructor.

*

* @param string $key The CSRF token key name.

* @param string $header The CSRF token header name.

* @return void

*/

public function __construct($key = 'csrf_token', $header = 'X-CSRFToken')

{

if (! is_string($key) || empty($key) || preg_match('/[^a-zA-Z0-9\-\_]/', $key)) {

throw new \OutOfBoundsException('Invalid CSRF token key "' . $key . '"');

}

if (! is_string($header) || empty($header) || preg_match('/[^a-zA-Z0-9\-\_]/', $header)) {

throw new \OutOfBoundsException('Invalid CSRF token header "' . $header . '"');

}

$this->key = $key;

$this->header = $header;

}

/**

* Call middleware.

*

* @return void

*/

public function call()

{

// Attach as hook.

$this->app->hook('slim.before', array($this, 'check'));

// Call next middleware.

$this->next->call();

}

/**

* Check CSRF token is valid.

* Note: Also checks POST data to see if a Moneris RVAR CSRF token exists.

*

* @return void

*/

public function check() {

// Check sessions are enabled.

if (session_id() === '') {

throw new \Exception('Sessions are required to use the CSRF Guard middleware.');

}

if (! isset($_SESSION[$this->key])) {

$_SESSION[$this->key] = sha1(serialize($_SERVER) . rand(0, 0xffffffff));

}

$token = $_SESSION[$this->key];

// Validate the CSRF token.

if (in_array($this->app->request()->getMethod(), array('POST', 'PUT', 'DELETE'))) {

$normalized_header = str_replace('-', '_', strtoupper($this->header));

$userToken = $this->app->request()->post($this->key) ?: $this->app->environment()[$normalized_header];

if ($token !== $userToken) {

$this->app->halt(400, 'Invalid or missing CSRF token.');

}

}

// Assign CSRF token key and value to view.

$this->app->view()->appendData(array(

'csrf_key' => $this->key,

'csrf_token' => $token,

'csrf_header' => $this->header

));

}

}