vendor/shopware/storefront/Framework/Csrf/CsrfRouteListener.php line 64

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Storefront\Framework\Csrf;
  5. use Shopware\Core\Framework\Routing\Annotation\RouteScope;
  6. use Shopware\Core\Framework\Routing\KernelListenerPriorities;
  7. use Shopware\Core\PlatformRequest;
  8. use Shopware\Core\SalesChannelRequest;
  9. use Shopware\Storefront\Framework\Csrf\Exception\InvalidCsrfTokenException;
  10. use Shopware\Storefront\Framework\Routing\StorefrontRouteScope;
  11. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  12. use Symfony\Component\HttpFoundation\Request;
  13. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  14. use Symfony\Component\HttpKernel\KernelEvents;
  15. use Symfony\Component\Security\Csrf\CsrfToken;
  16. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  17. use Symfony\Contracts\Translation\TranslatorInterface;
  19. class CsrfRouteListener implements EventSubscriberInterface
  20. {
  21.     /**
  22.      * @var bool
  23.      */
  24.     protected $csrfEnabled;
  26.     /**
  27.      * @var string
  28.      */
  29.     protected $csrfMode;
  31.     private CsrfTokenManagerInterface $csrfTokenManager;
  33.     /**
  34.      * Used to track if the csrf token has already been check for the request
  35.      */
  36.     private bool $csrfChecked false;
  38.     /**
  39.      * @var TranslatorInterface
  40.      */
  41.     private $translator;
  43.     public function __construct(
  44.         CsrfTokenManagerInterface $csrfTokenManager,
  45.         bool $csrfEnabled,
  46.         string $csrfMode,
  47.         TranslatorInterface $translator
  48.     ) {
  49.         $this->csrfTokenManager $csrfTokenManager;
  50.         $this->csrfEnabled $csrfEnabled;
  51.         $this->translator $translator;
  52.         $this->csrfMode $csrfMode;
  53.     }
  55.     public static function getSubscribedEvents(): array
  56.     {
  57.         return [
  58.             KernelEvents::CONTROLLER => [
  59.                 ['csrfCheck'KernelListenerPriorities::KERNEL_CONTROLLER_EVENT_CONTEXT_RESOLVE_PRE],
  60.             ],
  61.         ];
  62.     }
  64.     public function csrfCheck(ControllerEvent $event): void
  65.     {
  66.         if (!$this->csrfEnabled || $this->csrfChecked === true) {
  67.             return;
  68.         }
  70.         $request $event->getRequest();
  72.         if ($request->attributes->get(SalesChannelRequest::ATTRIBUTE_CSRF_PROTECTEDtrue) === false) {
  73.             return;
  74.         }
  76.         if ($request->getMethod() !== Request::METHOD_POST) {
  77.             return;
  78.         }
  80.         /** @var RouteScope|array $scopes */
  81.         $scopes $request->attributes->get(PlatformRequest::ATTRIBUTE_ROUTE_SCOPE, []);
  83.         if ($scopes instanceof RouteScope) {
  84.             $scopes $scopes->getScopes();
  85.         }
  87.         // Only check csrf token on storefront routes
  88.         if (!\in_array(StorefrontRouteScope::ID$scopestrue)) {
  89.             return;
  90.         }
  92.         $this->validateCsrfToken($request);
  93.     }
  95.     public function validateCsrfToken(Request $request): void
  96.     {
  97.         $this->csrfChecked true;
  99.         $submittedCSRFToken = (string) $request->request->get('_csrf_token');
  101.         if ($this->csrfMode === CsrfModes::MODE_TWIG) {
  102.             $intent = (string) $request->attributes->get('_route');
  103.         } else {
  104.             $intent 'ajax';
  105.         }
  106.         $csrfCookies = (array) $request->cookies->get('csrf');
  107.         if (
  108.             (!isset($csrfCookies[$intent]) || $csrfCookies[$intent] !== $submittedCSRFToken)
  109.             && !$this->csrfTokenManager->isTokenValid(new CsrfToken($intent$submittedCSRFToken))
  110.         ) {
  111.             $session $request->getSession();
  113.             /* @see https://github.com/symfony/symfony/issues/41765 */
  114.             if (method_exists($session'getFlashBag')) {
  115.                 if ($request->isXmlHttpRequest()) {
  116.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403-ajax'));
  117.                 } else {
  118.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403'));
  119.                 }
  120.             }
  122.             throw new InvalidCsrfTokenException();
  123.         }
  124.     }
  125. }