Ejemplo n.º 1
 /**
  * {@inheritdoc}
  *
  * Returns the string value of the CSRF token that the injected manager holds
  * for $tokenId.
  *
  * @throws BadMethodCallException When no CSRF token manager was injected
  */
 public function renderCsrfToken($tokenId)
 {
     $manager = $this->csrfTokenManager;
     if (null === $manager) {
         throw new BadMethodCallException('CSRF tokens can only be generated if a CsrfTokenManagerInterface is injected in FormRenderer::__construct().');
     }

     // getToken() rather than refreshToken(): with Symfony's CsrfTokenManagerInterface
     // this reuses a token already stored for the ID instead of replacing it.
     $csrfToken = $manager->getToken($tokenId);

     return $csrfToken->getValue();
 }
Ejemplo n.º 2
 /**
  * Stores a newly generated referer ID on the request.
  *
  * Nothing happens unless isBackendMasterRequest() accepts the event.
  *
  * @param GetResponseEvent $event
  */
 public function onKernelRequest(GetResponseEvent $event)
 {
     if ($this->isBackendMasterRequest($event)) {
         $attributes = $event->getRequest()->attributes;

         // refreshToken() is called on every qualifying request, so the value stored
         // under 'contao_referer_id' is regenerated each time rather than reused.
         /** @var CsrfToken $refererToken */
         $refererToken = $this->tokenManager->refreshToken('contao_referer_id');

         $attributes->set('_contao_referer_id', $refererToken->getValue());
     }
 }
Ejemplo n.º 3
 /**
  * Builds the session section of the configuration.
  *
  * @return array Always contains 'isStarted'; 'name', 'identifier', 'csrfToken'
  *               and 'href' are present only when the session has been started
  */
 public function getConfig()
 {
     if (!$this->session->isStarted()) {
         return ['isStarted' => false];
     }

     // NOTE(review): the result carries the raw session ID and a CSRF token value.
     // Confirm it is only ever delivered to the client that owns the session and
     // is never cached or logged.
     return [
         'isStarted' => true,
         'name' => $this->session->getName(),
         'identifier' => $this->session->getId(),
         'csrfToken' => $this->csrfTokenManager->getToken($this->csrfTokenIntention)->getValue(),
         'href' => $this->generateUrl('ezpublish_rest_deleteSession', ['sessionId' => $this->session->getId()]),
     ];
 }
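 /**
  * Validates the CSRF token that the current request carries for an annotation.
  *
  * The token is read from the request parameter named by $annotation->param and
  * checked against the token ID given by $annotation->intention.
  *
  * @param Annotation $annotation
  * @throws \RuntimeException If there is no current request or the token manager has an unsupported type
  * @return bool True if the token is valid; false if it is invalid, missing or not a string
  */
 public function validate(Annotation $annotation)
 {
     $request = $this->requestStack->getCurrentRequest();
     if ($request === null) {
         throw new \RuntimeException('Can not validate CSRF token without Request object');
     }
     if (!$this->csrfManager instanceof CsrfTokenManagerInterface) {
         throw new \RuntimeException('Invalid CSRF token manager provided');
     }

     // NOTE(review): if this is Symfony's Request, get() also reads route attributes
     // and the query string, so the token may arrive in a URL - confirm that is intended.
     $token = $request->get($annotation->param);

     // A request parameter can be absent (null) or submitted as an array ("param[]=x").
     // Neither can be a valid token, so fail closed instead of passing the value to CsrfToken.
     if (!is_string($token)) {
         return false;
     }

     return $this->csrfManager->isTokenValid(new CsrfToken($annotation->intention, $token));
 }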
Ejemplo n.º 5
 /**
  * Attaches the current 'rest_csrf' token value to the response as a cookie.
  *
  * Responses to anything other than the master request are left untouched.
  *
  * @param FilterResponseEvent $event
  */
 public function onKernelResponse(FilterResponseEvent $event)
 {
     if (HttpKernelInterface::MASTER_REQUEST === $event->getRequestType()) {
         $responseHeaders = $event->getResponse()->headers;
         $tokenValue = $this->csrfTokenManager->getToken('rest_csrf')->getValue();

         // Assuming Symfony's Cookie class, the trailing `false` is the httpOnly flag:
         // the cookie is readable from script, presumably so a client can echo the
         // token back in a request header - confirm. Any XSS on the origin can
         // therefore read it; $this->cookieSecure decides whether it is HTTPS-only.
         $csrfCookie = new Cookie(
             $this->cookieName,
             $tokenValue,
             $this->cookieExpire,
             $this->cookiePath,
             $this->cookieDomain,
             $this->cookieSecure,
             false
         );

         $responseHeaders->setCookie($csrfCookie);
     }
 }
Ejemplo n.º 6
 /**
  * Validates the CSRF token sent in the self::CSRF_TOKEN_HEADER request header.
  *
  * @param Request $request
  *
  * @return bool True only if the header is present and its value is a valid token
  *              for $this->csrfTokenIntention; false when the header is missing
  *              or the token is rejected
  */
 protected function checkCsrfToken(Request $request)
 {
     $headers = $request->headers;
     if ($headers->has(self::CSRF_TOKEN_HEADER)) {
         $candidate = new CsrfToken($this->csrfTokenIntention, $headers->get(self::CSRF_TOKEN_HEADER));

         return $this->csrfTokenManager->isTokenValid($candidate);
     }

     // No header at all is treated the same as a wrong token.
     return false;
 }
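 /**
  * Validates the CSRF token field of a submitted form and strips it from the data.
  *
  * Only root forms with the 'compound' option are checked. A missing, non-string
  * or invalid token adds a form error; the submission itself is not aborted here.
  *
  * @param FormEvent $event
  */
 public function preSubmit(FormEvent $event)
 {
     $form = $event->getForm();
     $data = $event->getData();
     if ($form->isRoot() && $form->getConfig()->getOption('compound')) {
         // The token must be present AND be a string: a field submitted as an array
         // ("<field>[]=x") is rejected here instead of being handed to CsrfToken.
         if (!isset($data[$this->fieldName]) || !is_string($data[$this->fieldName]) || !$this->tokenManager->isTokenValid(new CsrfToken($this->tokenId, $data[$this->fieldName]))) {
             $errorMessage = $this->errorMessage;
             if (null !== $this->translator) {
                 $errorMessage = $this->translator->trans($errorMessage, array(), $this->translationDomain);
             }
             $form->addError(new FormError($errorMessage));
         }
         // Remove the token so it is not treated as an extra form field later on.
         if (is_array($data)) {
             unset($data[$this->fieldName]);
         }
     }
     $event->setData($data);
 }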
Ejemplo n.º 8
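 /**
  * Validates the CSRF token field of a submitted form and strips it from the data.
  *
  * Only root forms with the 'compound' option are checked, and the check is skipped
  * when a POST form's request exceeded the post size limit reported by
  * $this->serverParams. A missing, non-string or invalid token adds a form error.
  *
  * @param FormEvent $event
  */
 public function preSubmit(FormEvent $event)
 {
     $form = $event->getForm();
     $postRequestSizeExceeded = $form->getConfig()->getMethod() === 'POST' && $this->serverParams->hasPostMaxSizeBeenExceeded();
     if ($form->isRoot() && $form->getConfig()->getOption('compound') && !$postRequestSizeExceeded) {
         $data = $event->getData();
         // The token must be present AND be a string: a field submitted as an array
         // ("<field>[]=x") is rejected here instead of being handed to CsrfToken.
         if (!isset($data[$this->fieldName]) || !is_string($data[$this->fieldName]) || !$this->tokenManager->isTokenValid(new CsrfToken($this->tokenId, $data[$this->fieldName]))) {
             $errorMessage = $this->errorMessage;
             if (null !== $this->translator) {
                 $errorMessage = $this->translator->trans($errorMessage, array(), $this->translationDomain);
             }
             $form->addError(new FormError($errorMessage));
         }
         // Remove the token so it is not treated as an extra form field later on.
         if (is_array($data)) {
             unset($data[$this->fieldName]);
             $event->setData($data);
         }
     }
 }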
Ejemplo n.º 9
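 /**
  * Generates a new CSRF token for the form type registered under $name.
  *
  * The token ID is the type's default intention, or an empty string when the
  * resolved type is not a TypeInterface.
  *
  * NOTE(review): the result of refreshToken() is returned unchanged. With Symfony's
  * CsrfTokenManagerInterface that is a CsrfToken object rather than a plain string -
  * confirm what callers expect before relying on the declared return type.
  *
  * @param $name
  * @return string
  */
 public function getToken($name)
 {
     $intention = '';
     $type = $this->formExtension->getType($name);
     if ($type instanceof TypeInterface) {
         $intention = $type->getDefaultIntention();
     }

     // An override from $defaults['intention'] used to follow here, but $defaults was
     // never defined in this scope, so that branch could not run and has been dropped.

     // refreshToken() issues a new value on every call; with Symfony's manager this
     // replaces the token previously stored for the same intention.
     return $this->csrfTokenManager->refreshToken($intention);
 }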
Ejemplo n.º 10
 /**
  * Maps a form's configuration to a list of formly field configurations and
  * appends a hidden '_token' field holding a newly generated CSRF token.
  *
  * @param string|null $formName Form to map; also used as the CSRF token ID,
  *                              with 'form' as the fallback when it is empty
  *
  * @return array
  * @throws FormlyMapperException When the form factory reports the form as non-existent
  */
 public function map($formName = null)
 {
     try {
         $configuration = (array) $this->formFactory->getConfiguration($formName);
     } catch (NonExistentFormException $e) {
         throw new FormlyMapperException($e->getMessage());
     }

     $formlyConfiguration = [];
     foreach ($configuration as $fieldName => $fieldConfiguration) {
         $fieldConfiguration['name'] = $fieldName;

         $formlyField = $this->formlyFieldFactory->getFormlyField($fieldConfiguration['type']);
         $formlyField->setFieldConfiguration($fieldConfiguration);

         $formlyConfiguration[] = $formlyField->getFormlyFieldConfiguration();
     }

     $tokenId = empty($formName) ? 'form' : $formName;

     // refreshToken() is called on every mapping, so each call hands out a new token value.
     $token = $this->csrfTokenManager->refreshToken($tokenId);
     $formlyConfiguration[] = ['key' => '_token', 'type' => 'hidden', 'defaultValue' => $token->getValue()];

     return $formlyConfiguration;
 }
 /**
  * Spec set-up: stubs the token manager double and constructs the subject
  * with it and self::ID.
  *
  * Every token passed to isTokenValid() is reported as valid, so examples that
  * need a rejected token have to override that stub themselves.
  */
 public function let(CsrfTokenManagerInterface $tokenManager, CsrfToken $token)
 {
     $anyCsrfToken = Argument::type('Symfony\\Component\\Security\\Csrf\\CsrfToken');

     // Validation always succeeds for any CsrfToken instance.
     $tokenManager->isTokenValid($anyCsrfToken)->willReturn(true);

     // Reading and refreshing both hand back the same token double.
     $tokenManager->getToken(self::ID)->willReturn($token);
     $tokenManager->refreshToken(self::ID)->willReturn($token);

     // Removing the token yields the fixture value.
     $tokenManager->removeToken(self::ID)->willReturn(self::VALUE);

     $this->beConstructedWith($tokenManager, self::ID);
 }
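 /**
  * Validates the request's CSRF token against whichever token manager/provider
  * API is injected (BC wrapper for compatibility between versions).
  *
  * Validation is skipped entirely when no manager is configured. Otherwise the
  * token is read from the request parameter named by $this->options['csrf_parameter']
  * and checked against $this->options['intention'].
  *
  * @param Request $request
  *
  * @throws InvalidCsrfTokenException If the token is missing, not a string, invalid,
  *                                   or the manager implements neither supported interface
  */
 protected function validateCsrfToken(Request $request)
 {
     // No manager injected means CSRF protection is switched off for this listener.
     if (is_null($this->csrfTokenManager)) {
         return;
     }
     $csrfToken = $this->getParameterFromRequest($request, $this->options['csrf_parameter']);

     // A parameter submitted as an array (or absent) can never be a valid token;
     // reject it before it is cast to a string inside CsrfToken or the provider.
     if (!is_string($csrfToken)) {
         throw new InvalidCsrfTokenException('Invalid CSRF token.');
     }

     $checked = false;
     if ($this->csrfTokenManager instanceof CsrfTokenManagerInterface) {
         $checked = true;
         if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['intention'], $csrfToken))) {
             throw new InvalidCsrfTokenException('Invalid CSRF token.');
         }
     }
     if ($this->csrfTokenManager instanceof CsrfProviderInterface) {
         $checked = true;
         if (false === $this->csrfTokenManager->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
             throw new InvalidCsrfTokenException('Invalid CSRF token.');
         }
     }

     // Fail closed: a manager of an unsupported type must not let the request
     // through unvalidated. The generic message avoids exposing configuration details.
     if (!$checked) {
         throw new InvalidCsrfTokenException('Invalid CSRF token.');
     }
 }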
Ejemplo n.º 13
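 /**
  * Handles the request token.
  *
  * Defines the legacy REQUEST_TOKEN constant if it is not set yet, then validates
  * the 'REQUEST_TOKEN' POST parameter. Requests whose real method is not POST, or
  * calls made without a request, are not validated.
  *
  * @throws AjaxRedirectResponseException|InvalidRequestTokenException If the token is invalid
  */
 private function handleRequestToken()
 {
     // Deprecated since Contao 4.0, to be removed in Contao 5.0
     if (!defined('REQUEST_TOKEN')) {
         define('REQUEST_TOKEN', $this->tokenManager->getToken($this->csrfTokenName)->getValue());
     }
     if (null === $this->request || 'POST' !== $this->request->getRealMethod()) {
         return;
     }

     $submitted = $this->request->request->get('REQUEST_TOKEN');

     // Only a string can be a valid token. A missing value or one submitted as an
     // array ("REQUEST_TOKEN[]=x") falls through to the rejection path below
     // instead of being passed to CsrfToken.
     if (is_string($submitted) && $this->tokenManager->isTokenValid(new CsrfToken($this->csrfTokenName, $submitted))) {
         return;
     }

     // Ajax callers are sent to the back end route rather than shown an error page.
     if ($this->request->isXmlHttpRequest()) {
         throw new AjaxRedirectResponseException($this->router->generate('contao_backend'));
     }
     throw new InvalidRequestTokenException('Invalid request token. Please reload the page and try again.');
 }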
Ejemplo n.º 14
 /**
  * {@inheritdoc}
  *
  * Deprecated entry point: raises an E_USER_DEPRECATED notice, then delegates the
  * check to the token manager.
  */
 public function isCsrfTokenValid($intention, $token)
 {
     $deprecation = 'The ' . __METHOD__ . ' method is deprecated since version 2.4 and will be removed in version 3.0. Use the Symfony\\Component\\Security\\Csrf\\CsrfTokenManager class instead.';
     trigger_error($deprecation, E_USER_DEPRECATED);

     // The legacy "intention" is used as the token ID.
     $csrfToken = new CsrfToken($intention, $token);

     return $this->tokenManager->isTokenValid($csrfToken);
 }
 /**
  * Checks a submitted token value against the token ID configured on this object.
  *
  * @param mixed $value The CSRF token value to test, as received from the caller
  *
  * @return bool Result of the token manager's isTokenValid() for $this->tokenId
  *
  * @see CsrfTokenManagerInterface::isTokenValid()
  */
 public function isTokenValid($value)
 {
     // $value is passed on as received; no type check happens at this level.
     return $this->csrfTokenManager->isTokenValid(new CsrfToken($this->tokenId, $value));
 }
Ejemplo n.º 16
 /**
  * {@inheritdoc}
  *
  * Adapts the legacy (intention, token) pair to the token manager API.
  */
 public function isCsrfTokenValid($intention, $token)
 {
     // The legacy "intention" is used as the token ID.
     $csrfToken = new CsrfToken($intention, $token);

     return $this->tokenManager->isTokenValid($csrfToken);
 }
Ejemplo n.º 17
 /**
  * Checks a token value against the given token ID.
  *
  * @param string $tokenId ID the token was issued for
  * @param string $value   Submitted token value
  * @return boolean Result of the manager's isTokenValid()
  */
 protected function isTokenValid($tokenId, $value)
 {
     $candidate = new CsrfToken($tokenId, $value);

     return $this->manager->isTokenValid($candidate);
 }
 /**
  * Fetches the CSRF token for the given intention from the token manager.
  *
  * The manager's getToken() result is returned unchanged (no getValue() call here).
  *
  * @param string $intention Token ID to look up
  */
 public function getCsrfToken($intention)
 {
     $csrfToken = $this->csrfTokenManager->getToken($intention);

     return $csrfToken;
 }
 /**
  * Checks a submitted token value against the given intention.
  *
  * @param string $intention Token ID the value was issued for
  * @param string $token     Submitted token value
  * @return boolean Result of the token manager's isTokenValid()
  */
 public function isTokenValid($intention, $token)
 {
     return $this->tokenManager->isTokenValid(new CsrfToken($intention, $token));
 }