vendor/shopware/storefront/Framework/Csrf/CsrfRouteListener.php line 76

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Storefront\Framework\Csrf;
  5. use Shopware\Core\Framework\Routing\Annotation\RouteScope;
  6. use Shopware\Core\Framework\Routing\KernelListenerPriorities;
  7. use Shopware\Core\SalesChannelRequest;
  8. use Shopware\Storefront\Framework\Csrf\Exception\InvalidCsrfTokenException;
  9. use Shopware\Storefront\Framework\Routing\StorefrontRouteScope;
  10. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  11. use Symfony\Component\HttpFoundation\Request;
  12. use Symfony\Component\HttpFoundation\Session\Session;
  13. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  14. use Symfony\Component\HttpKernel\KernelEvents;
  15. use Symfony\Component\Security\Csrf\CsrfToken;
  16. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  17. use Symfony\Contracts\Translation\TranslatorInterface;
  19. class CsrfRouteListener implements EventSubscriberInterface
  20. {
  21.     /**
  22.      * @var bool
  23.      */
  24.     protected $csrfEnabled;
  26.     /**
  27.      * @var string
  28.      */
  29.     protected $csrfMode;
  31.     /**
  32.      * @var CsrfTokenManagerInterface
  33.      */
  34.     private $csrfTokenManager;
  36.     /**
  37.      * Used to track if the csrf token has already been check for the request
  38.      *
  39.      * @var bool
  40.      */
  41.     private $csrfChecked false;
  43.     /**
  44.      * @var Session
  45.      */
  46.     private $session;
  48.     /**
  49.      * @var TranslatorInterface
  50.      */
  51.     private $translator;
  53.     public function __construct(
  54.         CsrfTokenManagerInterface $csrfTokenManager,
  55.         bool $csrfEnabled,
  56.         string $csrfMode,
  57.         Session $session,
  58.         TranslatorInterface $translator
  59.     ) {
  60.         $this->csrfTokenManager $csrfTokenManager;
  61.         $this->csrfEnabled $csrfEnabled;
  62.         $this->session $session;
  63.         $this->translator $translator;
  64.         $this->csrfMode $csrfMode;
  65.     }
  67.     public static function getSubscribedEvents(): array
  68.     {
  69.         return [
  70.             KernelEvents::CONTROLLER => [
  71.                 ['csrfCheck'KernelListenerPriorities::KERNEL_CONTROLLER_EVENT_CONTEXT_RESOLVE_PRE],
  72.             ],
  73.         ];
  74.     }
  76.     public function csrfCheck(ControllerEvent $event): void
  77.     {
  78.         if (!$this->csrfEnabled || $this->csrfChecked === true) {
  79.             return;
  80.         }
  82.         $request $event->getRequest();
  84.         if ($request->attributes->get(SalesChannelRequest::ATTRIBUTE_CSRF_PROTECTEDtrue) === false) {
  85.             return;
  86.         }
  88.         if ($request->getMethod() !== Request::METHOD_POST) {
  89.             return;
  90.         }
  92.         /** @var RouteScope|null $routeScope */
  93.         $routeScope $request->attributes->get('_routeScope');
  95.         // Only check csrf token on storefront routes
  96.         if ($routeScope === null || !$routeScope->hasScope(StorefrontRouteScope::ID)) {
  97.             return;
  98.         }
  100.         $this->validateCsrfToken($request);
  101.     }
  103.     public function validateCsrfToken(Request $request): void
  104.     {
  105.         $this->csrfChecked true;
  107.         $submittedCSRFToken $request->request->get('_csrf_token');
  109.         if ($this->csrfMode === CsrfModes::MODE_TWIG) {
  110.             $intent $request->attributes->get('_route');
  111.         } else {
  112.             $intent 'ajax';
  113.         }
  114.         $csrfCookies $request->cookies->get('csrf', []);
  115.         if (
  116.             (!isset($csrfCookies[$intent]) || $csrfCookies[$intent] !== $submittedCSRFToken)
  117.             && !$this->csrfTokenManager->isTokenValid(new CsrfToken($intent$submittedCSRFToken))
  118.         ) {
  119.             if ($request->isXmlHttpRequest()) {
  120.                 $this->session->getFlashBag()->add('danger'$this->translator->trans('error.message-403-ajax'));
  121.             } else {
  122.                 $this->session->getFlashBag()->add('danger'$this->translator->trans('error.message-403'));
  123.             }
  125.             throw new InvalidCsrfTokenException();
  126.         }
  127.     }
  128. }