vendor/shopware/storefront/Framework/Csrf/CsrfRouteListener.php line 68

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Storefront\Framework\Csrf;
  5. use Shopware\Core\Framework\Routing\Annotation\RouteScope;
  6. use Shopware\Core\Framework\Routing\KernelListenerPriorities;
  7. use Shopware\Core\PlatformRequest;
  8. use Shopware\Core\SalesChannelRequest;
  9. use Shopware\Storefront\Framework\Csrf\Exception\InvalidCsrfTokenException;
  10. use Shopware\Storefront\Framework\Routing\StorefrontRouteScope;
  11. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  12. use Symfony\Component\HttpFoundation\Request;
  13. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  14. use Symfony\Component\HttpKernel\KernelEvents;
  15. use Symfony\Component\Security\Csrf\CsrfToken;
  16. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  17. use Symfony\Contracts\Service\ResetInterface;
  18. use Symfony\Contracts\Translation\TranslatorInterface;
  20. class CsrfRouteListener implements EventSubscriberInterfaceResetInterface
  21. {
  22.     /**
  23.      * @var bool
  24.      */
  25.     protected $csrfEnabled;
  27.     /**
  28.      * @var string
  29.      */
  30.     protected $csrfMode;
  32.     private CsrfTokenManagerInterface $csrfTokenManager;
  34.     /**
  35.      * Used to track if the csrf token has already been check for the request
  36.      */
  37.     private bool $csrfChecked false;
  39.     /**
  40.      * @var TranslatorInterface
  41.      */
  42.     private $translator;
  44.     /**
  45.      * @internal
  46.      */
  47.     public function __construct(
  48.         CsrfTokenManagerInterface $csrfTokenManager,
  49.         bool $csrfEnabled,
  50.         string $csrfMode,
  51.         TranslatorInterface $translator
  52.     ) {
  53.         $this->csrfTokenManager $csrfTokenManager;
  54.         $this->csrfEnabled $csrfEnabled;
  55.         $this->translator $translator;
  56.         $this->csrfMode $csrfMode;
  57.     }
  59.     public static function getSubscribedEvents(): array
  60.     {
  61.         return [
  62.             KernelEvents::CONTROLLER => [
  63.                 ['csrfCheck'KernelListenerPriorities::KERNEL_CONTROLLER_EVENT_CONTEXT_RESOLVE_PRE],
  64.             ],
  65.         ];
  66.     }
  68.     public function csrfCheck(ControllerEvent $event): void
  69.     {
  70.         if (!$this->csrfEnabled || $this->csrfChecked === true) {
  71.             return;
  72.         }
  74.         $request $event->getRequest();
  76.         if ($request->attributes->get(SalesChannelRequest::ATTRIBUTE_CSRF_PROTECTEDtrue) === false) {
  77.             return;
  78.         }
  80.         if ($request->getMethod() !== Request::METHOD_POST) {
  81.             return;
  82.         }
  84.         /** @var RouteScope|array $scopes */
  85.         $scopes $request->attributes->get(PlatformRequest::ATTRIBUTE_ROUTE_SCOPE, []);
  87.         if ($scopes instanceof RouteScope) {
  88.             $scopes $scopes->getScopes();
  89.         }
  91.         // Only check csrf token on storefront routes
  92.         if (!\in_array(StorefrontRouteScope::ID$scopestrue)) {
  93.             return;
  94.         }
  96.         $this->validateCsrfToken($request);
  97.     }
  99.     public function validateCsrfToken(Request $request): void
  100.     {
  101.         $this->csrfChecked true;
  103.         $submittedCSRFToken = (string) $request->request->get('_csrf_token');
  105.         if ($this->csrfMode === CsrfModes::MODE_TWIG) {
  106.             $intent = (string) $request->attributes->get('_route');
  107.         } else {
  108.             $intent 'ajax';
  109.         }
  110.         $csrfCookies = (array) $request->cookies->get('csrf');
  111.         if (
  112.             (!isset($csrfCookies[$intent]) || $csrfCookies[$intent] !== $submittedCSRFToken)
  113.             && !$this->csrfTokenManager->isTokenValid(new CsrfToken($intent$submittedCSRFToken))
  114.         ) {
  115.             $session $request->getSession();
  117.             /* @see https://github.com/symfony/symfony/issues/41765 */
  118.             if (method_exists($session'getFlashBag')) {
  119.                 if ($request->isXmlHttpRequest()) {
  120.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403-ajax'));
  121.                 } else {
  122.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403'));
  123.                 }
  124.             }
  126.             throw new InvalidCsrfTokenException();
  127.         }
  128.     }
  130.     public function reset(): void
  131.     {
  132.         $this->csrfChecked false;
  133.     }
  134. }