/**
 * {@inheritdoc}
 *
 * Resolves the account from the Drupal session (cookie) and, for state-changing
 * requests that reach a RESTful path through the router, enforces the CSRF
 * token carried in the HTTP header.
 *
 * Returns NULL when there is no started session and the request is not a CLI
 * request, so the next provider in the manager gets a chance. Otherwise the
 * account loaded from the global $user is returned; note that user_load() on
 * uid 0 yields the anonymous user object, which is truthy for callers that only
 * test "did a provider return something".
 *
 * @throws BadRequestException
 *   When a write request needs a CSRF token and none was supplied.
 * @throws ForbiddenException
 *   When the supplied CSRF token does not validate against TOKEN_VALUE.
 */
public function authenticate(RequestInterface $request) {
  // No session to read from: let another provider handle the request.
  if (!drupal_session_started() && !$this->isCli($request)) {
    return NULL;
  }

  global $user;
  $account = user_load($user->uid);

  // The CSRF check is only relevant for write operations that arrive over the
  // wire. In-process API calls flag themselves via the 'rest_call' application
  // data; that exemption assumes application data can only be set by the
  // calling Drupal code and never from the request itself -- confirm.
  $csrf_exempt = !$request::isWriteMethod($request->getMethod())
    || $request->getApplicationData('rest_call')
    || !RestfulManager::isRestfulPath($request);
  if ($csrf_exempt) {
    return $account;
  }

  $token = $request->getCsrfToken();
  if (!$token) {
    throw new BadRequestException('No CSRF token passed in the HTTP header.');
  }
  // Session-bound token check against the module-wide value.
  if (!drupal_valid_token($token, Authentication::TOKEN_VALUE)) {
    throw new ForbiddenException('CSRF token validation failed.');
  }

  return $account;
}
/**
 * {@inheritdoc}
 *
 * Resolves the account for the request by asking each authentication plugin
 * in turn. The first plugin that applies and returns a truthy value wins;
 * because only truthiness is tested, a provider that returns a loaded
 * anonymous account (uid 0) is treated as a successful authentication here
 * rather than falling through to the "no credentials" branch -- keep this in
 * mind when reviewing individual providers.
 *
 * When no provider resolves an account:
 * - a RESTful path with at least one provider and non-optional authentication
 *   marks the page cacheable (per 'restful_page_cache') and throws, so the
 *   401 itself may be cached for anonymous clients;
 * - otherwise the anonymous user is used, or, for calls made from inside
 *   Drupal (not via the router), the current global $user if logged in.
 *
 * A previously resolved account is always returned from $this->account when
 * present; $cache only controls whether the freshly resolved account is stored.
 *
 * @param RequestInterface $request
 *   The request to authenticate.
 * @param bool $cache
 *   Whether to remember the resolved account on this object.
 *
 * @return object
 *   The resolved Drupal user object.
 *
 * @throws UnauthorizedException
 *   When authentication is required for the path and every provider failed.
 */
public function getAccount(RequestInterface $request, $cache = TRUE) {
  global $user;

  // Memoised result from an earlier call.
  if (!empty($this->account)) {
    return $this->account;
  }

  $account = NULL;
  foreach ($this->plugins as $plugin) {
    /* @var \Drupal\restful\Plugin\authentication\AuthenticationInterface $plugin */
    if (!$plugin->applies($request)) {
      continue;
    }
    $account = $plugin->authenticate($request);
    if ($account) {
      // First provider to resolve an account wins.
      break;
    }
  }

  if (!$account) {
    $auth_required = RestfulManager::isRestfulPath($request)
      && $this->plugins->count()
      && !$this->getIsOptional();
    if ($auth_required) {
      // Allow caching pages for anonymous users, then reject the request.
      drupal_page_is_cacheable(variable_get('restful_page_cache', FALSE));
      throw new UnauthorizedException('Bad credentials. Anonymous user resolved for a resource that requires authentication.');
    }

    // In-process callers that never went through the router are expected to
    // be logged in via the regular Drupal session; everyone else is anonymous.
    if (!$request->isViaRouter() && $user->uid) {
      $account = user_load($user->uid);
    }
    else {
      $account = drupal_anonymous_user();
    }
  }

  if ($cache) {
    $this->setAccount($account);
  }

  // Never let an authenticated response land in the anonymous page cache: the
  // page cache keys on session cookies only and is blind to HTTP Basic Auth
  // headers, so caching is allowed solely for uid 0 (and only if configured).
  drupal_page_is_cacheable(!$account->uid && variable_get('restful_page_cache', FALSE));

  $this->setAccessTime($account);

  return $account;
}