VerifyCsrfToken middleware for use with Lumen
<?php | |
namespace App\Http\Middleware; | |
use Closure; | |
use Symfony\Component\HttpFoundation\Cookie; | |
use Illuminate\Contracts\Encryption\Encrypter; | |
use Illuminate\Session\TokenMismatchException; | |
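class VerifyCsrfToken
{
    /**
     * The encrypter implementation, used to decrypt the X-XSRF-TOKEN header.
     *
     * @var \Illuminate\Contracts\Encryption\Encrypter
     */
    protected $encrypter;

    /**
     * Create a new middleware instance.
     *
     * @param \Illuminate\Contracts\Encryption\Encrypter $encrypter
     * @return void
     */
    public function __construct(Encrypter $encrypter)
    {
        $this->encrypter = $encrypter;
    }

    /**
     * Handle an incoming request.
     *
     * Read-only verbs (HEAD, GET, OPTIONS) pass without a token; every other
     * verb must carry a token matching the session token. On an accepted
     * request the session token is regenerated and the new value is sent to
     * the client in the XSRF-TOKEN cookie of the response.
     *
     * NOTE(review): regenerating the token on every request (the stock
     * Laravel middleware does not) invalidates tokens already rendered into
     * forms in other open tabs of the same session — confirm this is intended.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     *
     * @throws \Illuminate\Session\TokenMismatchException when a state-changing request carries no valid token
     */
    public function handle($request, Closure $next)
    {
        if (!$this->isReading($request) && !$this->tokensMatch($request)) {
            throw new TokenMismatchException;
        }

        $request->session()->regenerateToken();

        return $this->addCookieToResponse($request, $next($request));
    }

    /**
     * Determine if the session and request CSRF tokens match.
     *
     * Both values must be strings (a `_token[]=x` input would otherwise reach
     * the comparison as an array) and are compared with hash_equals(), which
     * is constant-time and free of the type juggling `==` performs.
     *
     * @param \Illuminate\Http\Request $request
     * @return bool
     */
    protected function tokensMatch($request)
    {
        $token = $this->getTokenFromRequest($request);
        $sessionToken = $request->session()->token();

        return is_string($sessionToken)
            && is_string($token)
            && hash_equals($sessionToken, $token);
    }

    /**
     * Extract the CSRF token supplied by the client, if any.
     *
     * Lookup order: the `_token` input, then the X-CSRF-TOKEN header, then the
     * X-XSRF-TOKEN header. The last one is expected to carry the encrypted
     * cookie value and is decrypted before use; a header that cannot be
     * decrypted is treated as "no token" (and so as a mismatch) rather than
     * surfacing a decryption error to the client.
     *
     * NOTE(review): addCookieToResponse() writes the XSRF-TOKEN cookie in
     * plaintext, so the decrypt step only works if a cookie-encryption
     * middleware outside this file encrypts it on the way out — confirm for
     * the Lumen setup this is deployed in.
     *
     * @param \Illuminate\Http\Request $request
     * @return string|mixed|null
     */
    protected function getTokenFromRequest($request)
    {
        $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

        if (!$token && $header = $request->header('X-XSRF-TOKEN')) {
            try {
                $token = $this->encrypter->decrypt($header);
            } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
                // A tampered or stale header is a token mismatch, not a server error.
                $token = null;
            }
        }

        return $token;
    }

    /**
     * Add the CSRF token to the response cookies.
     *
     * The cookie is deliberately not HttpOnly: front-end code reads it and
     * echoes the value back in the X-XSRF-TOKEN header. The Secure flag is set
     * whenever the request itself arrived over HTTPS; behind a TLS-terminating
     * proxy this relies on trusted-proxy handling, so a config-driven value
     * may be preferable.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Illuminate\Http\Response $response
     * @return \Illuminate\Http\Response
     */
    protected function addCookieToResponse($request, $response)
    {
        $response->headers->setCookie(
            new Cookie(
                'XSRF-TOKEN',
                $request->session()->token(),
                time() + 60 * 120, // two hours
                '/',
                null,
                $request->secure(), // Secure flag only when the request was HTTPS
                false // not HttpOnly: JavaScript must be able to read it
            )
        );

        return $response;
    }

    /**
     * Determine if the HTTP request uses a "read" verb.
     *
     * @param \Illuminate\Http\Request $request
     * @return bool
     */
    protected function isReading($request)
    {
        // strict comparison: method() returns a string, never match loosely
        return in_array($request->method(), ['HEAD', 'GET', 'OPTIONS'], true);
    }
}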