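/**
  * Validates the CSRF token named by the annotation against the current request.
  *
  * @param Annotation $annotation Carries the request parameter name (`param`) and the token id (`intention`)
  * @throws \RuntimeException When there is no current request, or the configured manager is not a CsrfTokenManagerInterface
  * @return bool true if the submitted token is accepted by the manager; false if it is missing, not a string, or rejected
  */
 public function validate(Annotation $annotation)
 {
     $request = $this->requestStack->getCurrentRequest();
     if ($request === null) {
         throw new \RuntimeException('Can not validate CSRF token without Request object');
     }
     // Fail closed before looking at the token: only a real token manager may decide validity.
     if (!$this->csrfManager instanceof CsrfTokenManagerInterface) {
         throw new \RuntimeException('Invalid CSRF token manager provided');
     }
     // NOTE(review): Request::get() falls back across attributes, query string and body, so the
     // token may be accepted from the URL as well as the POST body — confirm that is intended.
     $token = $request->get($annotation->param);
     // A non-string parameter (e.g. "param[]=x") can never be a valid token; reject it here
     // rather than handing it to CsrfToken, whose value is a string.
     if (!is_string($token)) {
         return false;
     }

     return $this->csrfManager->isTokenValid(new CsrfToken($annotation->intention, $token));
 }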
 /**
  * Checks the validity of the request's csrf token header.
  *
  * @param Request $request
  *
  * @return bool true/false if the token is valid/invalid, false if none was found in the request's headers.
  */
 protected function checkCsrfToken(Request $request)
 {
     $headers = $request->headers;
     // A missing header counts as an invalid token, not as an error.
     if (!$headers->has(self::CSRF_TOKEN_HEADER)) {
         return false;
     }
     $submitted = new CsrfToken($this->csrfTokenIntention, $headers->get(self::CSRF_TOKEN_HEADER));

     return $this->csrfTokenManager->isTokenValid($submitted);
 }
 public function let(CsrfTokenManagerInterface $tokenManager, CsrfToken $token)
 {
     // Stub the manager double: every CsrfToken instance it is asked about is reported valid,
     // and the token lifecycle calls for self::ID return the fixture token / value.
     $anyCsrfToken = Argument::type('Symfony\\Component\\Security\\Csrf\\CsrfToken');
     $tokenManager->isTokenValid($anyCsrfToken)->willReturn(true);
     $tokenManager->removeToken(self::ID)->willReturn(self::VALUE);
     $tokenManager->refreshToken(self::ID)->willReturn($token);
     $tokenManager->getToken(self::ID)->willReturn($token);

     $this->beConstructedWith($tokenManager, self::ID);
 }
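 /**
  * Validates the CSRF field of the root compound form on submit and strips it from the data.
  *
  * A missing, non-string or rejected token adds a (translated) FormError to the form; the
  * token field is then removed from the submitted array so it never reaches the model data.
  *
  * @param FormEvent $event
  */
 public function preSubmit(FormEvent $event)
 {
     $form = $event->getForm();
     $data = $event->getData();
     // Only the root compound form carries (and is responsible for) the CSRF field.
     if ($form->isRoot() && $form->getConfig()->getOption('compound')) {
         // The submitted field may be absent or, for a crafted request such as "_token[]=x",
         // a non-string value; both are treated as an invalid token instead of being passed
         // to CsrfToken, whose value is a string.
         $submitted = isset($data[$this->fieldName]) ? $data[$this->fieldName] : null;
         if (!is_string($submitted) || !$this->tokenManager->isTokenValid(new CsrfToken($this->tokenId, $submitted))) {
             $errorMessage = $this->errorMessage;
             if (null !== $this->translator) {
                 $errorMessage = $this->translator->trans($errorMessage, [], $this->translationDomain);
             }
             $form->addError(new FormError($errorMessage));
         }
         if (is_array($data)) {
             unset($data[$this->fieldName]);
         }
     }
     $event->setData($data);
 }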
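 /**
  * Validates the CSRF field of the root compound form on submit and strips it from the data.
  *
  * Validation is skipped when a POST request exceeded post_max_size (the body, including the
  * token, was never received). Otherwise a missing, non-string or rejected token adds a
  * (translated) FormError; the token field is then removed from the submitted array.
  *
  * @param FormEvent $event
  */
 public function preSubmit(FormEvent $event)
 {
     $form = $event->getForm();
     $postRequestSizeExceeded = $form->getConfig()->getMethod() === 'POST' && $this->serverParams->hasPostMaxSizeBeenExceeded();
     // Only the root compound form carries (and is responsible for) the CSRF field.
     if ($form->isRoot() && $form->getConfig()->getOption('compound') && !$postRequestSizeExceeded) {
         $data = $event->getData();
         // The submitted field may be absent or, for a crafted request such as "_token[]=x",
         // a non-string value; both are treated as an invalid token instead of being passed
         // to CsrfToken, whose value is a string.
         $submitted = isset($data[$this->fieldName]) ? $data[$this->fieldName] : null;
         if (!is_string($submitted) || !$this->tokenManager->isTokenValid(new CsrfToken($this->tokenId, $submitted))) {
             $errorMessage = $this->errorMessage;
             if (null !== $this->translator) {
                 $errorMessage = $this->translator->trans($errorMessage, [], $this->translationDomain);
             }
             $form->addError(new FormError($errorMessage));
         }
         if (is_array($data)) {
             unset($data[$this->fieldName]);
             $event->setData($data);
         }
     }
 }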
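 /**
  * Provide a BC wrapper for CSRF token manager/provider compatibility between versions.
  *
  * Does nothing when no manager is configured (CSRF protection disabled). Otherwise the token
  * read from the request must be accepted by the manager, or the request is rejected.
  *
  * @param Request $request
  *
  * @throws InvalidCsrfTokenException When the submitted token is missing, not a string, or rejected
  * @throws \LogicException          When the configured manager implements neither supported interface
  */
 protected function validateCsrfToken(Request $request)
 {
     if (null === $this->csrfTokenManager) {
         return;
     }
     $csrfToken = $this->getParameterFromRequest($request, $this->options['csrf_parameter']);
     $intention = $this->options['intention'];
     // A non-string parameter (e.g. an array) can never be a valid token; it is rejected without
     // being handed to the manager, whose token value is a string.
     if ($this->csrfTokenManager instanceof CsrfTokenManagerInterface) {
         $valid = is_string($csrfToken)
             && $this->csrfTokenManager->isTokenValid(new CsrfToken($intention, $csrfToken));
     } elseif ($this->csrfTokenManager instanceof CsrfProviderInterface) {
         $valid = is_string($csrfToken)
             && $this->csrfTokenManager->isCsrfTokenValid($intention, $csrfToken);
     } else {
         // A manager of an unsupported type previously skipped validation entirely (fail open);
         // treat it as a configuration error instead.
         throw new \LogicException('Unsupported CSRF token manager: expected CsrfTokenManagerInterface or CsrfProviderInterface');
     }
     if (!$valid) {
         throw new InvalidCsrfTokenException('Invalid CSRF token.');
     }
 }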
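 /**
  * Handles the request token.
  *
  * Defines the legacy REQUEST_TOKEN constant from the manager's current token, then for POST
  * requests verifies the submitted REQUEST_TOKEN body parameter against the token manager.
  *
  * @throws AjaxRedirectResponseException|InvalidRequestTokenException If the token is invalid
  */
 private function handleRequestToken()
 {
     // Deprecated since Contao 4.0, to be removed in Contao 5.0
     if (!defined('REQUEST_TOKEN')) {
         define('REQUEST_TOKEN', $this->tokenManager->getToken($this->csrfTokenName)->getValue());
     }
     if (null === $this->request || 'POST' !== $this->request->getRealMethod()) {
         return;
     }
     $submitted = $this->request->request->get('REQUEST_TOKEN');
     // A non-string value (e.g. "REQUEST_TOKEN[]=x") can never be a valid token; treat it as
     // invalid instead of passing it to CsrfToken, whose value is a string.
     $isValid = is_string($submitted)
         && $this->tokenManager->isTokenValid(new CsrfToken($this->csrfTokenName, $submitted));
     if ($isValid) {
         return;
     }
     // Ajax callers get a redirect to the backend instead of an error page.
     if ($this->request->isXmlHttpRequest()) {
         throw new AjaxRedirectResponseException($this->router->generate('contao_backend'));
     }
     throw new InvalidRequestTokenException('Invalid request token. Please reload the page and try again.');
 }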
 /**
  * {@inheritdoc}
  */
 public function isCsrfTokenValid($intention, $token)
 {
     // Legacy CsrfProviderInterface entry point: emit the deprecation, then delegate to the manager.
     trigger_error(sprintf('The %s method is deprecated since version 2.4 and will be removed in version 3.0. Use the Symfony\\Component\\Security\\Csrf\\CsrfTokenManager class instead.', __METHOD__), E_USER_DEPRECATED);
     $csrfToken = new CsrfToken($intention, $token);

     return $this->tokenManager->isTokenValid($csrfToken);
 }
 /**
  * {@inheritdoc}
  */
 public function isCsrfTokenValid($intention, $token)
 {
     // Adapter from the provider-style (id, value) call to the manager's CsrfToken object.
     $csrfToken = new CsrfToken($intention, $token);

     return $this->tokenManager->isTokenValid($csrfToken);
 }
 /**
  * Checks a submitted token value against the manager for the given intention.
  *
  * @param string $intention
  * @param string $token
  * @return boolean
  */
 public function isTokenValid($intention, $token)
 {
     return $this->tokenManager->isTokenValid(new CsrfToken($intention, $token));
 }
 /**
  * Validate token for given id
  * @param string $tokenId
  * @param string $value
  * @return boolean
  */
 protected function isTokenValid($tokenId, $value)
 {
     $submitted = new CsrfToken($tokenId, $value);

     return $this->manager->isTokenValid($submitted);
 }
 /**
  * Tests if the given token value is valid.
  *
  * @param string $value The CSRF token value to test
  *
  * @return bool
  *
  * @see CsrfTokenManagerInterface::isTokenValid()
  */
 public function isTokenValid($value)
 {
     // The token id is fixed per instance; only the value comes from the caller.
     return $this->csrfTokenManager->isTokenValid(new CsrfToken($this->tokenId, $value));
 }