@tegimus
Created August 9, 2018 22:32
VerifyCsrfToken middleware for use with Lumen
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Contracts\Encryption\Encrypter;
use Illuminate\Session\TokenMismatchException;
use Symfony\Component\HttpFoundation\Cookie;
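class VerifyCsrfToken {
    /**
     * The encrypter implementation. It is only used to unwrap an X-XSRF-TOKEN
     * header, which this middleware expects to carry an *encrypted* copy of
     * the session token.
     *
     * @var \Illuminate\Contracts\Encryption\Encrypter
     */
    protected $encrypter;

    /**
     * Create a new middleware instance.
     *
     * @param \Illuminate\Contracts\Encryption\Encrypter $encrypter
     * @return void
     */
    public function __construct(Encrypter $encrypter) {
        $this->encrypter = $encrypter;
    }

    /**
     * Handle an incoming request.
     *
     * Requests using a read verb (HEAD, GET, OPTIONS) pass through unchecked.
     * Every other verb must present a token equal to the one stored in the
     * session, otherwise a TokenMismatchException is thrown before the route
     * runs. On success the session token is rotated and the new value is
     * exposed to browser-side code through the XSRF-TOKEN cookie.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     *
     * @throws \Illuminate\Session\TokenMismatchException
     */
    public function handle($request, Closure $next) {
        if (!$this->isReading($request) && !$this->tokensMatch($request)) {
            throw new TokenMismatchException;
        }

        // NOTE(review): the token is rotated on *every* request, reads included.
        // Any concurrent GET (an AJAX poll, a second tab, a prefetch) therefore
        // invalidates the token already embedded in an open form, which then
        // fails with TokenMismatchException. This presumably differs from the
        // upstream Laravel middleware; confirm per-request rotation is intended.
        $request->session()->regenerateToken();

        return $this->addCookieToResponse($request, $next($request));
    }

    /**
     * Determine if the session and input CSRF tokens match.
     *
     * The token is taken, in order of precedence, from the `_token` input, the
     * X-CSRF-TOKEN header, or the X-XSRF-TOKEN header. The last one is assumed
     * to be the encrypted cookie value echoed back by a JavaScript client and is
     * decrypted first. A header that fails authentication/decryption is treated
     * as a mismatch rather than letting DecryptException surface as a 500.
     *
     * @param \Illuminate\Http\Request $request
     * @return bool
     */
    protected function tokensMatch($request) {
        $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

        if (!$token && $header = $request->header('X-XSRF-TOKEN')) {
            try {
                // NOTE(review): this only works if the XSRF-TOKEN cookie written
                // below is encrypted by a cookie-encryption middleware elsewhere
                // in the stack; this class itself writes it in clear.
                $token = $this->encrypter->decrypt($header);
            } catch (DecryptException $e) {
                // Forged, truncated or re-keyed payload: not a valid token.
                return false;
            }
        }

        $sessionToken = $request->session()->token();

        // Both sides must be strings: input('_token') returns an array for a
        // `_token[]=...` payload, and a null/array operand would either TypeError
        // in hash_equals or fall into PHP's loose `==` rules (e.g. two numeric
        // strings such as "0e1" and "0e2" compare equal). hash_equals also
        // compares in constant time, so the comparison does not leak the token.
        return is_string($sessionToken)
            && is_string($token)
            && hash_equals($sessionToken, $token);
    }

    /**
     * Add the CSRF token to the response cookies.
     *
     * The cookie is deliberately NOT HttpOnly: its purpose is to let a
     * browser-side client (e.g. axios) read it and send it back as the
     * X-XSRF-TOKEN header. The Secure flag follows the request scheme, so a
     * token issued over HTTPS is never re-sent in clear; plain-HTTP requests
     * keep the previous (non-Secure) behaviour.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Illuminate\Http\Response $response
     * @return \Illuminate\Http\Response
     */
    protected function addCookieToResponse($request, $response) {
        $response->headers->setCookie(
            new Cookie(
                'XSRF-TOKEN',
                $request->session()->token(),
                time() + 60 * 120,  // expires in two hours
                '/',
                null,
                $request->secure(), // Secure only when the request itself was HTTPS
                false               // readable by JavaScript on purpose
            )
        );

        return $response;
    }

    /**
     * Determine if the HTTP request uses a 'read' verb.
     *
     * These verbs are exempt from the token check, which is only safe as long
     * as the application never changes state in response to them.
     *
     * @param \Illuminate\Http\Request $request
     * @return bool
     */
    protected function isReading($request) {
        return in_array($request->method(), ['HEAD', 'GET', 'OPTIONS'], true);
    }
}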