platform/src/Storefront/Framework/Csrf/CsrfRouteListener.php line 63

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Storefront\Framework\Csrf;
  5. use Shopware\Core\Framework\Routing\Annotation\RouteScope;
  6. use Shopware\Core\Framework\Routing\KernelListenerPriorities;
  7. use Shopware\Core\SalesChannelRequest;
  8. use Shopware\Storefront\Framework\Csrf\Exception\InvalidCsrfTokenException;
  9. use Shopware\Storefront\Framework\Routing\StorefrontRouteScope;
  10. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  11. use Symfony\Component\HttpFoundation\Request;
  12. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  13. use Symfony\Component\HttpKernel\KernelEvents;
  14. use Symfony\Component\Security\Csrf\CsrfToken;
  15. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  16. use Symfony\Contracts\Translation\TranslatorInterface;
  18. class CsrfRouteListener implements EventSubscriberInterface
  19. {
  20.     /**
  21.      * @var bool
  22.      */
  23.     protected $csrfEnabled;
  25.     /**
  26.      * @var string
  27.      */
  28.     protected $csrfMode;
  30.     private CsrfTokenManagerInterface $csrfTokenManager;
  32.     /**
  33.      * Used to track if the csrf token has already been check for the request
  34.      */
  35.     private bool $csrfChecked false;
  37.     /**
  38.      * @var TranslatorInterface
  39.      */
  40.     private $translator;
  42.     public function __construct(
  43.         CsrfTokenManagerInterface $csrfTokenManager,
  44.         bool $csrfEnabled,
  45.         string $csrfMode,
  46.         TranslatorInterface $translator
  47.     ) {
  48.         $this->csrfTokenManager $csrfTokenManager;
  49.         $this->csrfEnabled $csrfEnabled;
  50.         $this->translator $translator;
  51.         $this->csrfMode $csrfMode;
  52.     }
  54.     public static function getSubscribedEvents(): array
  55.     {
  56.         return [
  57.             KernelEvents::CONTROLLER => [
  58.                 ['csrfCheck'KernelListenerPriorities::KERNEL_CONTROLLER_EVENT_CONTEXT_RESOLVE_PRE],
  59.             ],
  60.         ];
  61.     }
  63.     public function csrfCheck(ControllerEvent $event): void
  64.     {
  65.         if (!$this->csrfEnabled || $this->csrfChecked === true) {
  66.             return;
  67.         }
  69.         $request $event->getRequest();
  71.         if ($request->attributes->get(SalesChannelRequest::ATTRIBUTE_CSRF_PROTECTEDtrue) === false) {
  72.             return;
  73.         }
  75.         if ($request->getMethod() !== Request::METHOD_POST) {
  76.             return;
  77.         }
  79.         /** @var RouteScope|null $routeScope */
  80.         $routeScope $request->attributes->get('_routeScope');
  82.         // Only check csrf token on storefront routes
  83.         if ($routeScope === null || !$routeScope->hasScope(StorefrontRouteScope::ID)) {
  84.             return;
  85.         }
  87.         $this->validateCsrfToken($request);
  88.     }
  90.     public function validateCsrfToken(Request $request): void
  91.     {
  92.         $this->csrfChecked true;
  94.         $submittedCSRFToken = (string) $request->request->get('_csrf_token');
  96.         if ($this->csrfMode === CsrfModes::MODE_TWIG) {
  97.             $intent = (string) $request->attributes->get('_route');
  98.         } else {
  99.             $intent 'ajax';
  100.         }
  101.         $csrfCookies = (array) $request->cookies->get('csrf');
  102.         if (
  103.             (!isset($csrfCookies[$intent]) || $csrfCookies[$intent] !== $submittedCSRFToken)
  104.             && !$this->csrfTokenManager->isTokenValid(new CsrfToken($intent$submittedCSRFToken))
  105.         ) {
  106.             $session $request->getSession();
  108.             /* @see https://github.com/symfony/symfony/issues/41765 */
  109.             if (method_exists($session'getFlashBag')) {
  110.                 if ($request->isXmlHttpRequest()) {
  111.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403-ajax'));
  112.                 } else {
  113.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403'));
  114.                 }
  115.             }
  117.             throw new InvalidCsrfTokenException();
  118.         }
  119.     }
  120. }