<?php
/**
 * CSRF Guard
 *
 * Use this middleware with your Slim Framework application
 * to protect you from CSRF attacks.
 *
 * A PHP session must already be started by the time the request reaches
 * this middleware; CsrfGuard::check() throws if no session is active.
 * The token is stored in $_SESSION under the configured key, is expected
 * back in the POST data under the same key on state-changing requests, and
 * is exposed to the view as `csrf_key` / `csrf_token` so forms can embed it.
 *
 * USAGE
 *
 * $app = new \Slim\Slim();
 * $app->add(new \Slim\Extras\Middleware\CsrfGuard());
 *
 */
namespace Slim\Extras\Middleware;

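class CsrfGuard extends \Slim\Middleware
{
    /**
     * CSRF token key name.
     *
     * Used as the $_SESSION key, the expected POST field name and the
     * `csrf_key` view variable.
     *
     * @var string
     */
    protected $key;

    /**
     * HTTP methods that must carry a valid CSRF token.
     *
     * PATCH is included alongside POST/PUT/DELETE because it is equally
     * state-changing; leaving it out would let a forged PATCH through.
     *
     * @var array
     */
    protected $protectedMethods = array('POST', 'PUT', 'PATCH', 'DELETE');

    /**
     * Constructor.
     *
     * @param string $key The CSRF token key name. Restricted to
     *                    `[A-Za-z0-9_-]` so it is safe as a form field name.
     * @throws \OutOfBoundsException If the key is not a non-empty string of
     *                               allowed characters.
     */
    public function __construct($key = 'csrf_token')
    {
        if (! is_string($key) || empty($key) || preg_match('/[^a-zA-Z0-9\-\_]/', $key)) {
            // Only interpolate the value when it is a string; a non-string
            // would otherwise trigger an "Array to string conversion" notice.
            $shown = is_string($key) ? $key : gettype($key);
            throw new \OutOfBoundsException('Invalid CSRF token key "' . $shown . '"');
        }

        $this->key = $key;
    }

    /**
     * Call middleware.
     *
     * Registers check() on the `slim.before` hook so the token is validated
     * and exposed to the view before the route runs, then continues the chain.
     *
     * @return void
     */
    public function call()
    {
        $this->app->hook('slim.before', array($this, 'check'));

        $this->next->call();
    }

    /**
     * Check CSRF token is valid.
     *
     * Ensures a session token exists (creating one if needed), rejects
     * state-changing requests whose POST token does not match it, and
     * publishes `csrf_key` / `csrf_token` to the view.
     *
     * @return void
     * @throws \RuntimeException If no session is active.
     */
    public function check()
    {
        // Check sessions are enabled.
        if (session_id() === '') {
            throw new \RuntimeException('Sessions are required to use the CSRF Guard middleware.');
        }

        // (Re)generate the token if it is missing or not a string; a non-string
        // value could never match a submitted form field anyway.
        if (! isset($_SESSION[$this->key]) || ! is_string($_SESSION[$this->key])) {
            $_SESSION[$this->key] = $this->generateToken();
        }

        $token = $_SESSION[$this->key];

        // Validate the CSRF token on state-changing methods only.
        if (in_array($this->app->request()->getMethod(), $this->protectedMethods, true)) {
            $userToken = $this->app->request()->post($this->key);
            if (! $this->tokensMatch($token, $userToken)) {
                $this->app->halt(400, 'Invalid or missing CSRF token.');
            }
        }

        // Assign CSRF token key and value to view.
        $this->app->view()->appendData(array(
            'csrf_key' => $this->key,
            'csrf_token' => $token,
        ));
    }

    /**
     * Generate a new random CSRF token.
     *
     * Prefers a cryptographically secure source; the legacy sha1/mt_rand
     * construction is kept only as a last resort where neither random_bytes()
     * nor a strong openssl_random_pseudo_bytes() is available.
     *
     * @return string Token as a hex string.
     */
    protected function generateToken()
    {
        if (function_exists('random_bytes')) {
            return bin2hex(random_bytes(32));
        }

        if (function_exists('openssl_random_pseudo_bytes')) {
            $strong = false;
            $bytes = openssl_random_pseudo_bytes(32, $strong);
            if ($bytes !== false && $strong) {
                return bin2hex($bytes);
            }
        }

        // Not cryptographically strong; only reached on very old platforms.
        return sha1(serialize($_SERVER) . mt_rand() . microtime(true));
    }

    /**
     * Compare the session token with the submitted one in constant time.
     *
     * Anything other than two strings is treated as a mismatch (e.g. a
     * missing field, or `csrf_token[]=` submitted as an array).
     *
     * @param mixed $expected Token stored in the session.
     * @param mixed $actual   Token submitted by the client.
     * @return bool
     */
    protected function tokensMatch($expected, $actual)
    {
        if (! is_string($expected) || ! is_string($actual)) {
            return false;
        }

        if (function_exists('hash_equals')) {
            return hash_equals($expected, $actual);
        }

        // Manual length-then-XOR comparison for PHP < 5.6.
        $len = strlen($expected);
        if ($len !== strlen($actual)) {
            return false;
        }

        $diff = 0;
        for ($i = 0; $i < $len; $i++) {
            $diff |= ord($expected[$i]) ^ ord($actual[$i]);
        }

        return $diff === 0;
    }
}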