src/Subscriber/CSTFTokenSubscriber.php line 88

Open in your IDE?
  1. <?php
  3. /**
  4.  * CSRF Token protection event subscriber
  5.  *
  6.  * PHP version 7.4
  7.  *
  8.  * @category   App
  9.  * @package    App\Subscriber
  10.  * @author     Momcilo Radotic <m.radotic@outlook.com>
  11.  * @copyright  2021 MoravaPro
  12.  * @license    MoravaPro
  13.  */
  15. namespace App\Subscriber;
  18. use Psr\Log\LoggerInterface;
  19. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  20. use Symfony\Component\HttpFoundation\Request;
  21. use Symfony\Component\HttpKernel\Event\RequestEvent;
  22. use Symfony\Component\HttpKernel\KernelEvents;
  23. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  24. use Symfony\Component\Security\Csrf\CsrfToken;
  25. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  26. use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;
  28. /**
  29.  * CSRF Token protection event subscriber
  30.  *
  31.  * @category   App
  32.  * @package    App\Subscriber
  33.  */
  34. class CSTFTokenSubscriber implements EventSubscriberInterface
  35. {
  37.     /**
  38.      * @var LoggerInterface
  39.      */
  40.     private LoggerInterface $logger;
  42.     /**
  43.      * @var TokenStorageInterface
  44.      */
  45.     private TokenStorageInterface $tokenStorage;
  47.     /**
  48.      * @var CsrfTokenManagerInterface
  49.      */
  50.     private CsrfTokenManagerInterface $csrfTokenManager;
  52.     /**
  53.      * CSTFTokenSubscriber constructor.
  54.      *
  55.      * @param LoggerInterface $logger
  56.      * @param TokenStorageInterface $tokenStorage
  57.      * @param CsrfTokenManagerInterface $csrfTokenManager
  58.      */
  59.     public function __construct(
  60.         LoggerInterface $loggerTokenStorageInterface $tokenStorage,
  61.         CsrfTokenManagerInterface $csrfTokenManager
  62.     ) {
  63.         $this->logger $logger;
  64.         $this->tokenStorage $tokenStorage;
  65.         $this->csrfTokenManager $csrfTokenManager;
  66.     }
  68.     /**
  69.      * {@inheritDoc}
  70.      */
  71.     public static function getSubscribedEvents() : array
  72.     {
  73.         return [
  74.             KernelEvents::REQUEST => [
  75.                 [
  76.                     'onRequest',
  77.                     10
  78.                 ]
  79.             ]
  80.         ];
  81.     }
  83.     /**
  84.      * Request event class which checks CSRF Token header
  85.      *
  86.      * @param RequestEvent $event
  87.      */
  88.     public function onRequest(RequestEvent $event) : void
  89.     {
  90.         if (!$event->isMasterRequest()) {
  91.             return;
  92.         }
  94.         if (
  95.                 $event->getRequest()->getMethod() == Request::METHOD_POST
  96.             &&  (
  97.                         preg_match('/^\/api/'$event->getRequest()->getRequestUri())
  98.                     &&  $event->getRequest()->attributes->get('_route') !== 'user_api_login'
  99.                 )
  100.         ) {
  101.             $registration_routes = ['registration_register''registration_check_email''registration_check_phone'];
  102.             $tokenId in_array($event->getRequest()->attributes->get('_route'), $registration_routes) ? 'registration-api-token' 'application-api-token';
  103.             //echo $tokenId; echo $event->getRequest()->headers->get('X-CSRF-TOKEN');
  104.             $csrfToken $event->getRequest()->headers->get('X-CSRF-TOKEN');
  105.             /*if (
  106.                     !$csrfToken
  107.                 ||  !$this->tokenStorage->getToken($tokenId)
  108.             ) {
  109.                 throw new AccessDeniedException('Mandatory CSRF Token missing');
  110.             }
  112.             $storedToken = $this->tokenStorage->getToken($tokenId);
  113.             if (
  114.                     !$storedToken
  115.                 ||  $storedToken != $csrfToken
  116.                 ||  !$this->csrfTokenManager->isTokenValid(new CsrfToken($tokenId, $csrfToken))
  117.             ) {
  118.                 throw new AccessDeniedException('Invalid CSRF Token');
  119.             }*/
  120.         }
  121.     }
  122. }