2022-12-05 19:27:42 +00:00
|
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
|
|
|
|
|
|
|
|
use Closure;
|
2022-12-15 04:36:34 +00:00
|
|
|
|
use Illuminate\Support\Facades\Log;
|
2022-12-05 19:27:42 +00:00
|
|
|
|
use Symfony\Component\HttpFoundation\Cookie;
|
|
|
|
|
|
use Illuminate\Contracts\Encryption\Encrypter;
|
|
|
|
|
|
use Illuminate\Session\TokenMismatchException;
|
|
|
|
|
|
|
|
|
|
|
|
class VerifyCsrfToken {
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* The encrypter implementation.
|
|
|
|
|
|
*
|
|
|
|
|
|
* @var \Illuminate\Contracts\Encryption\Encrypter
|
|
|
|
|
|
*/
|
|
|
|
|
|
protected $encrypter;
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* Create a new middleware instance.
|
|
|
|
|
|
*
|
|
|
|
|
|
* @param \Illuminate\Contracts\Encryption\Encrypter $encrypter
|
|
|
|
|
|
* @return void
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function __construct(Encrypter $encrypter) {
|
|
|
|
|
|
$this->encrypter = $encrypter;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* Handle an incoming request.
|
|
|
|
|
|
*
|
|
|
|
|
|
* @param \Illuminate\Http\Request $request
|
|
|
|
|
|
* @param \Closure $next
|
|
|
|
|
|
* @return mixed
|
|
|
|
|
|
*
|
|
|
|
|
|
* @throws \Illuminate\Session\TokenMismatchException
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function handle($request, Closure $next) {
|
|
|
|
|
|
if ($this->isReading($request) || $this->tokensMatch($request)) {
|
|
|
|
|
|
$request->session()->regenerateToken();
|
|
|
|
|
|
return $this->addCookieToResponse($request, $next($request));
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
throw new TokenMismatchException;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* Determine if the session and input CSRF tokens match.
|
|
|
|
|
|
*
|
|
|
|
|
|
* @param \Illuminate\Http\Request $request
|
|
|
|
|
|
* @return bool
|
|
|
|
|
|
*/
|
|
|
|
|
|
protected function tokensMatch($request) {
|
|
|
|
|
|
$token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');
|
|
|
|
|
|
|
|
|
|
|
|
if (!$token && $header = $request->header('X-XSRF-TOKEN')) {
|
|
|
|
|
|
$token = $this->encrypter->decrypt($header);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return $request->session()->token() == $token;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* Add the CSRF token to the response cookies.
|
|
|
|
|
|
*
|
|
|
|
|
|
* @param \Illuminate\Http\Request $request
|
|
|
|
|
|
* @param \Illuminate\Http\Response $response
|
|
|
|
|
|
* @return \Illuminate\Http\Response
|
|
|
|
|
|
*/
|
|
|
|
|
|
protected function addCookieToResponse($request, $response) {
|
|
|
|
|
|
$response->headers->setCookie(
|
|
|
|
|
|
new Cookie('XSRF-TOKEN', $request->session()->token(), time() + 60 * 120, '/', null, false, false)
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
return $response;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* Determine if the HTTP request uses a ‘read’ verb.
|
|
|
|
|
|
*
|
|
|
|
|
|
* @param \Illuminate\Http\Request $request
|
|
|
|
|
|
* @return bool
|
|
|
|
|
|
*/
|
|
|
|
|
|
protected function isReading($request) {
|
|
|
|
|
|
return in_array($request->method(), ['HEAD', 'GET', 'OPTIONS']);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
}
|
