vendor/symfony/security-csrf/CsrfTokenManager.php line 52

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Csrf;
  14. use Symfony\Component\HttpFoundation\RequestStack;
  15. use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
  16. use Symfony\Component\Security\Csrf\TokenGenerator\TokenGeneratorInterface;
  17. use Symfony\Component\Security\Csrf\TokenGenerator\UriSafeTokenGenerator;
  18. use Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage;
  19. use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;
  21. /**
  22. * Default implementation of {@link CsrfTokenManagerInterface}.
  23. *
  24. * @author Bernhard Schussek <bschussek@gmail.com>
  25. * @author Kévin Dunglas <dunglas@gmail.com>
  26. */
  27. class CsrfTokenManager implements CsrfTokenManagerInterface
  28. {
  29. private $generator;
  30. private $storage;
  31. private $namespace;
  33. /**
  34. * @param string|RequestStack|callable|null $namespace
  35. * * null: generates a namespace using $_SERVER['HTTPS']
  36. * * string: uses the given string
  37. * * RequestStack: generates a namespace using the current main request
  38. * * callable: uses the result of this callable (must return a string)
  39. */
  40. public function __construct(?TokenGeneratorInterface $generator = null, ?TokenStorageInterface $storage = null, $namespace = null)
  41. {
  42. $this->generator = $generator ?? new UriSafeTokenGenerator();
  43. $this->storage = $storage ?? new NativeSessionTokenStorage();
  45. $superGlobalNamespaceGenerator = function () {
  46. return !empty($_SERVER['HTTPS']) && 'off' !== strtolower($_SERVER['HTTPS']) ? 'https-' : '';
  47. };
  49. if (null === $namespace) {
  50. $this->namespace = $superGlobalNamespaceGenerator;
  51. } elseif ($namespace instanceof RequestStack) {
  52. $this->namespace = function () use ($namespace, $superGlobalNamespaceGenerator) {
  53. if ($request = $namespace->getMainRequest()) {
  54. return $request->isSecure() ? 'https-' : '';
  55. }
  57. return $superGlobalNamespaceGenerator();
  58. };
  59. } elseif (\is_callable($namespace) || \is_string($namespace)) {
  60. $this->namespace = $namespace;
  61. } else {
  62. throw new InvalidArgumentException(sprintf('$namespace must be a string, a callable returning a string, null or an instance of "RequestStack". "%s" given.', get_debug_type($namespace)));
  63. }
  64. }
  66. /**
  67. * {@inheritdoc}
  68. */
  69. public function getToken(string $tokenId)
  70. {
  71. $namespacedId = $this->getNamespace().$tokenId;
  72. if ($this->storage->hasToken($namespacedId)) {
  73. $value = $this->storage->getToken($namespacedId);
  74. } else {
  75. $value = $this->generator->generateToken();
  77. $this->storage->setToken($namespacedId, $value);
  78. }
  80. return new CsrfToken($tokenId, $this->randomize($value));
  81. }
  83. /**
  84. * {@inheritdoc}
  85. */
  86. public function refreshToken(string $tokenId)
  87. {
  88. $namespacedId = $this->getNamespace().$tokenId;
  89. $value = $this->generator->generateToken();
  91. $this->storage->setToken($namespacedId, $value);
  93. return new CsrfToken($tokenId, $this->randomize($value));
  94. }
  96. /**
  97. * {@inheritdoc}
  98. */
  99. public function removeToken(string $tokenId)
  100. {
  101. return $this->storage->removeToken($this->getNamespace().$tokenId);
  102. }
  104. /**
  105. * {@inheritdoc}
  106. */
  107. public function isTokenValid(CsrfToken $token)
  108. {
  109. $namespacedId = $this->getNamespace().$token->getId();
  110. if (!$this->storage->hasToken($namespacedId)) {
  111. return false;
  112. }
  114. return hash_equals($this->storage->getToken($namespacedId), $this->derandomize($token->getValue()));
  115. }
  117. private function getNamespace(): string
  118. {
  119. return \is_callable($ns = $this->namespace) ? $ns() : $ns;
  120. }
  122. private function randomize(string $value): string
  123. {
  124. $key = random_bytes(32);
  125. $value = $this->xor($value, $key);
  127. return sprintf('%s.%s.%s', substr(md5($key), 0, 1 + (\ord($key[0]) % 32)), rtrim(strtr(base64_encode($key), '+/', '-_'), '='), rtrim(strtr(base64_encode($value), '+/', '-_'), '='));
  128. }
  130. private function derandomize(string $value): string
  131. {
  132. $parts = explode('.', $value);
  133. if (3 !== \count($parts)) {
  134. return $value;
  135. }
  136. $key = base64_decode(strtr($parts[1], '-_', '+/'));
  137. if ('' === $key || false === $key) {
  138. return $value;
  139. }
  140. $value = base64_decode(strtr($parts[2], '-_', '+/'));
  142. return $this->xor($value, $key);
  143. }
  145. private function xor(string $value, string $key): string
  146. {
  147. if (\strlen($value) > \strlen($key)) {
  148. $key = str_repeat($key, ceil(\strlen($value) / \strlen($key)));
  149. }
  151. return $value ^ $key;
  152. }
  153. }