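/**
 * Handle an incoming request.
 *
 * Implements the double-submit-cookie CSRF check: a GET with no `csrfToken`
 * cookie mints a fresh token and sets it on the response; a state-changing
 * request (PATCH/PUT/POST/DELETE) must carry that cookie and repeat its value
 * in either the `_csrfToken` body field or the `X-CSRF-Token` header.
 *
 * @param Request $request
 * @param \Closure $next
 * @return Response
 * @throws InvalidCsrfTokenException when the token cookie is missing, is not a
 *   plain non-empty string, or matches neither the body field nor the header.
 */
public function handle(Request $request, Closure $next) : Response
{
    $cookieData = $request->cookie('csrfToken');
    if ($cookieData) {
        $this->_token = $cookieData;
    }

    $createCookie = false;
    if ($request->method() === 'GET' && $cookieData === null) {
        // Mint the token straight from the CSPRNG. The previous sha1(Text::uuid())
        // form only had whatever entropy the UUID generator supplied (not visible
        // here); random_bytes() is guaranteed unpredictable. 20 bytes keeps the
        // 40-hex-char token length unchanged for any consumer that relied on it.
        $this->_token = bin2hex(random_bytes(20));
        $createCookie = true;
    }

    if (in_array($request->method(), ['PATCH', 'PUT', 'POST', 'DELETE'], true)) {
        // `_csrfToken` is optional for header-only clients; `??` avoids an
        // undefined-index notice that the bare read produced.
        $post = $request->data['_csrfToken'] ?? null;
        $header = $request->header('X-CSRF-Token');

        // The cookie must be a non-empty string: an array-valued cookie
        // (csrfToken[]=...) would otherwise reach the comparison below, and
        // hash_equals() requires strings.
        if (!is_string($cookieData) || $cookieData === '') {
            throw new InvalidCsrfTokenException('Missing CSRF token cookie');
        }

        // Compare in constant time so the token cannot be recovered
        // byte-by-byte through timing; a non-string candidate simply fails.
        $postMatches = is_string($post) && hash_equals($cookieData, $post);
        $headerMatches = is_string($header) && hash_equals($cookieData, $header);
        if (!$postMatches && !$headerMatches) {
            throw new InvalidCsrfTokenException('CSRF token mismatch');
        }
    }

    $response = $next($request);
    if ($createCookie) {
        // NOTE(review): no cookie attributes are passed here. Confirm elsewhere
        // that the cookie is emitted with Secure and SameSite; it must remain
        // readable by script only if the X-CSRF-Token submit path is relied on.
        $response->cookie('csrfToken', $this->_token);
    }

    return $response;
}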