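 /**
  * Handle an incoming request.
  *
  * Double-submit-cookie CSRF check. A GET request that carries no
  * `csrfToken` cookie is issued a fresh random token on the response; any
  * state-changing request (PATCH/PUT/POST/DELETE) must echo the cookie
  * value back in either the `_csrfToken` form field or the `X-CSRF-Token`
  * header. The accepted token is kept in `$this->_token`.
  *
  * @param  Request $request
  * @param  \Closure $next
  * @return Response
  * @throws InvalidCsrfTokenException when a state-changing request has no
  *         usable token cookie, or neither the field nor the header matches it
  */
 public function handle(Request $request, Closure $next) : Response
 {
     $cookieData = $request->cookie('csrfToken');
     // Only a non-empty string is a usable token; an array-shaped cookie
     // (csrfToken[]=...) or an empty string is treated as absent.
     $hasCookie = is_string($cookieData) && $cookieData !== '';
     if ($hasCookie) {
         $this->_token = $cookieData;
     }

     $method = $request->method();
     $createCookie = false;
     if ($method === 'GET' && $cookieData === null) {
         // 20 random bytes -> 40 hex chars, the same shape as the previous
         // sha1-of-uuid token, but drawn straight from the CSPRNG.
         $this->_token = bin2hex(random_bytes(20));
         $createCookie = true;
     }

     if (in_array($method, ['PATCH', 'PUT', 'POST', 'DELETE'], true)) {
         if (!$hasCookie) {
             throw new InvalidCsrfTokenException('Missing CSRF token cookie');
         }
         // The field may be absent; `??` avoids an undefined-index notice.
         $post = $request->data['_csrfToken'] ?? null;
         $header = $request->header('X-CSRF-Token');
         // hash_equals() compares in constant time so the token cannot be
         // recovered byte-by-byte from response timing; it requires strings,
         // hence the is_string() guard for a missing field/header.
         $matches = function ($candidate) use ($cookieData) {
             return is_string($candidate) && hash_equals($cookieData, $candidate);
         };
         if (!$matches($post) && !$matches($header)) {
             throw new InvalidCsrfTokenException('CSRF token mismatch');
         }
     }

     $response = $next($request);
     if ($createCookie) {
         // NOTE(review): cookie attributes (secure/httponly/samesite) are
         // whatever Response::cookie() defaults to - confirm they are set.
         $response->cookie('csrfToken', $this->_token);
     }
     return $response;
 }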