<?php
/**
* CSRF Token protection event subscriber
*
* PHP version 7.4
*
* @category App
* @package App\Subscriber
* @author Momcilo Radotic <m.radotic@outlook.com>
* @copyright 2021 MoravaPro
* @license MoravaPro
*/
namespace App\Subscriber;
use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;
/**
* CSRF Token protection event subscriber
*
* @category App
* @package App\Subscriber
*/
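class CSTFTokenSubscriber implements EventSubscriberInterface
{
    /**
     * Request header in which API clients send the CSRF token.
     */
    private const TOKEN_HEADER = 'X-CSRF-TOKEN';

    /**
     * Token id checked for every non-exempt POST under /api.
     */
    private const APPLICATION_TOKEN_ID = 'application-api-token';

    /**
     * Token id checked for the registration routes (anonymous flow that
     * has its own token).
     */
    private const REGISTRATION_TOKEN_ID = 'registration-api-token';

    /**
     * The only POST route under /api that is not subject to the check
     * (no token has been issued to the client at login time).
     */
    private const EXEMPT_ROUTE = 'user_api_login';

    /**
     * Routes whose POSTs are validated against REGISTRATION_TOKEN_ID.
     */
    private const REGISTRATION_ROUTES = [
        'registration_register',
        'registration_check_email',
        'registration_check_phone',
    ];

    /**
     * @var LoggerInterface
     */
    private LoggerInterface $logger;

    /**
     * Retained for constructor compatibility; token lookup and comparison
     * are delegated to the token manager (see onRequest()), so this storage
     * is not read directly.
     *
     * @var TokenStorageInterface
     */
    private TokenStorageInterface $tokenStorage;

    /**
     * @var CsrfTokenManagerInterface
     */
    private CsrfTokenManagerInterface $csrfTokenManager;

    /**
     * CSTFTokenSubscriber constructor.
     *
     * @param LoggerInterface           $logger           Receives one warning per rejected request (never the token value)
     * @param TokenStorageInterface     $tokenStorage     Unused; kept so service wiring does not change
     * @param CsrfTokenManagerInterface $csrfTokenManager Validates the submitted token against the stored one
     */
    public function __construct(
        LoggerInterface $logger, TokenStorageInterface $tokenStorage,
        CsrfTokenManagerInterface $csrfTokenManager
    ) {
        $this->logger = $logger;
        $this->tokenStorage = $tokenStorage;
        $this->csrfTokenManager = $csrfTokenManager;
    }

    /**
     * {@inheritDoc}
     *
     * Priority 10 is lower than the framework's router listener, so the
     * `_route` attribute read in onRequest() is already populated
     * (NOTE(review): confirm against the installed Symfony version).
     */
    public static function getSubscribedEvents() : array
    {
        return [
            KernelEvents::REQUEST => [
                [
                    'onRequest',
                    10
                ]
            ]
        ];
    }

    /**
     * Rejects POST requests under /api that do not carry a valid CSRF token
     * in the X-CSRF-TOKEN header.
     *
     * Previously the whole validation was commented out, which left this
     * subscriber computing a token id and then allowing every request
     * through; the check is restored here.
     *
     * @param RequestEvent $event
     *
     * @throws AccessDeniedException when the header is absent or the token does not validate
     */
    public function onRequest(RequestEvent $event) : void
    {
        // Sub-requests (forwards, fragments) inherit the decision made on the
        // master request. isMasterRequest() is deprecated in favour of
        // isMainRequest() in newer Symfony; keep it until the framework is upgraded.
        if (!$event->isMasterRequest()) {
            return;
        }

        $request = $event->getRequest();

        // NOTE(review): only POST is covered. PUT/PATCH/DELETE under /api are
        // not checked here; confirm those verbs are unused or protected elsewhere.
        if ($request->getMethod() !== Request::METHOD_POST) {
            return;
        }

        // Match on the path only: getPathInfo() excludes the query string and
        // any base path, whereas getRequestUri() would include both and could
        // miss /api routes when the app is deployed under a sub-directory.
        if (!preg_match('/^\/api/', $request->getPathInfo())) {
            return;
        }

        $route = $request->attributes->get('_route');
        if ($route === self::EXEMPT_ROUTE) {
            return;
        }

        $tokenId = in_array($route, self::REGISTRATION_ROUTES, true)
            ? self::REGISTRATION_TOKEN_ID
            : self::APPLICATION_TOKEN_ID;

        $submitted = $request->headers->get(self::TOKEN_HEADER);

        // Strict null/'' test rather than a truthiness test so a token of "0"
        // is not mistaken for a missing header.
        if ($submitted === null || $submitted === '') {
            $this->logger->warning(
                'CSRF token header missing on API request',
                ['route' => $route, 'token_id' => $tokenId]
            );
            throw new AccessDeniedException('Mandatory CSRF Token missing');
        }

        // Delegate entirely to the manager: it resolves the stored token for
        // the id (including its own id namespacing) and compares in constant
        // time. Reading TokenStorage directly and comparing with "!=", as the
        // removed code did, bypassed that namespacing and used a loose,
        // timing-dependent comparison.
        if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($tokenId, $submitted))) {
            $this->logger->warning(
                'CSRF token rejected on API request',
                ['route' => $route, 'token_id' => $tokenId]
            );
            throw new AccessDeniedException('Invalid CSRF Token');
        }
    }
}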