/**
* Adds a CSRF token as argument in the URI builder
*
* @FLOW3\Before("setting(TYPO3.FLOW3.security.enable) && method(TYPO3\FLOW3\Mvc\Routing\UriBuilder->build())")
* @param \TYPO3\FLOW3\Aop\JoinPointInterface $joinPoint The current join point
* @return void
*/
public function addCsrfTokenToUri(\TYPO3\FLOW3\Aop\JoinPointInterface $joinPoint)
{
$uriBuilder = $joinPoint->getProxy();
$arguments = $joinPoint->getMethodArgument('arguments');
$packageKey = isset($arguments['@package']) ? $arguments['@package'] : '';
$subpackageKey = isset($arguments['@subpackage']) ? $arguments['@subpackage'] : '';
$controllerName = isset($arguments['@controller']) ? $arguments['@controller'] : 'Standard';
$actionName = (isset($arguments['@action']) ? $arguments['@action'] : 'index') . 'Action';
$possibleObjectName = '@package\\@subpackage\\Controller\\@controllerController';
$possibleObjectName = str_replace('@package', str_replace('.', '\\', $packageKey), $possibleObjectName);
$possibleObjectName = str_replace('@subpackage', $subpackageKey, $possibleObjectName);
$possibleObjectName = str_replace('@controller', $controllerName, $possibleObjectName);
$possibleObjectName = str_replace('\\\\', '\\', $possibleObjectName);
$lowercaseObjectName = strtolower($possibleObjectName);
$className = $this->objectManager->getClassNameByObjectName($this->objectManager->getCaseSensitiveObjectName($lowercaseObjectName));
if ($this->policyService->hasPolicyEntryForMethod($className, $actionName) && !$this->reflectionService->isMethodAnnotatedWith($className, $actionName, 'TYPO3\\FLOW3\\Annotations\\SkipCsrfProtection')) {
$internalArguments = $uriBuilder->getArguments();
$internalArguments['__csrfToken'] = $this->securityContext->getCsrfProtectionToken();
$uriBuilder->setArguments($internalArguments);
}
}
/**
* Matches a \TYPO3\FLOW3\Mvc\RequestInterface against the configured CSRF pattern rules and searches for invalid
* csrf tokens.
*
* @param \TYPO3\FLOW3\Mvc\RequestInterface $request The request that should be matched
* @return boolean TRUE if the pattern matched, FALSE otherwise
* @throws \TYPO3\FLOW3\Security\Exception\AuthenticationRequiredException
*/
public function matchRequest(\TYPO3\FLOW3\Mvc\RequestInterface $request)
{
if ($this->authenticationManager->isAuthenticated() === FALSE) {
return FALSE;
}
$controllerClassName = $this->objectManager->getClassNameByObjectName($request->getControllerObjectName());
$actionName = $request->getControllerActionName() . 'Action';
if ($this->policyService->hasPolicyEntryForMethod($controllerClassName, $actionName) && !$this->reflectionService->isMethodTaggedWith($controllerClassName, $actionName, 'skipcsrfprotection')) {
$internalArguments = $request->getInternalArguments();
if (!isset($internalArguments['__csrfToken'])) {
return TRUE;
}
$csrfToken = $internalArguments['__csrfToken'];
if (!$this->securityContext->hasCsrfProtectionTokens()) {
throw new \TYPO3\FLOW3\Security\Exception\AuthenticationRequiredException('No tokens in security context, possible session timeout', 1317309673);
}
if ($this->securityContext->isCsrfProtectionTokenValid($csrfToken) === FALSE) {
return TRUE;
}
}
return FALSE;
}