vendor/shopware/storefront/Framework/Csrf/CsrfRouteListener.php line 85

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Storefront\Framework\Csrf;
  5. use Shopware\Core\Framework\Feature;
  6. use Shopware\Core\Framework\Routing\Annotation\RouteScope;
  7. use Shopware\Core\Framework\Routing\KernelListenerPriorities;
  8. use Shopware\Core\PlatformRequest;
  9. use Shopware\Core\SalesChannelRequest;
  10. use Shopware\Storefront\Framework\Csrf\Exception\InvalidCsrfTokenException;
  11. use Shopware\Storefront\Framework\Routing\StorefrontRouteScope;
  12. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  13. use Symfony\Component\HttpFoundation\Request;
  14. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  15. use Symfony\Component\HttpKernel\KernelEvents;
  16. use Symfony\Component\Security\Csrf\CsrfToken;
  17. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  18. use Symfony\Contracts\Service\ResetInterface;
  19. use Symfony\Contracts\Translation\TranslatorInterface;
  21. /**
  22.  * @deprecated tag:v6.5.0 - reason:becomes-internal - will be removed
  23.  */
  24. class CsrfRouteListener implements EventSubscriberInterfaceResetInterface
  25. {
  26.     /**
  27.      * @deprecated tag:v6.5.0 - reason:visibility-change - Will become private and natively typed to bool
  28.      *
  29.      * @var bool
  30.      */
  31.     protected $csrfEnabled;
  33.     /**
  34.      * @deprecated tag:v6.5.0 - reason:visibility-change - Will become private and natively typed to string
  35.      *
  36.      * @var string
  37.      */
  38.     protected $csrfMode;
  40.     private CsrfTokenManagerInterface $csrfTokenManager;
  42.     /**
  43.      * Used to track if the csrf token has already been check for the request
  44.      */
  45.     private bool $csrfChecked false;
  47.     private TranslatorInterface $translator;
  49.     /**
  50.      * @internal
  51.      */
  52.     public function __construct(
  53.         CsrfTokenManagerInterface $csrfTokenManager,
  54.         bool $csrfEnabled,
  55.         string $csrfMode,
  56.         TranslatorInterface $translator
  57.     ) {
  58.         $this->csrfTokenManager $csrfTokenManager;
  59.         $this->csrfEnabled $csrfEnabled;
  60.         $this->translator $translator;
  61.         $this->csrfMode $csrfMode;
  62.     }
  64.     public static function getSubscribedEvents(): array
  65.     {
  66.         if (Feature::isActive('v6.5.0.0')) {
  67.             return [];
  68.         }
  70.         return [
  71.             KernelEvents::CONTROLLER => [
  72.                 ['csrfCheck'KernelListenerPriorities::KERNEL_CONTROLLER_EVENT_CONTEXT_RESOLVE_PRE],
  73.             ],
  74.         ];
  75.     }
  77.     public function csrfCheck(ControllerEvent $event): void
  78.     {
  79.         if (Feature::isActive('v6.5.0.0')) {
  80.             return;
  81.         }
  83.         Feature::triggerDeprecationOrThrow(
  84.             'v6.5.0.0',
  85.             Feature::deprecatedClassMessage(__CLASS__'v6.5.0.0')
  86.         );
  88.         if (!$this->csrfEnabled || $this->csrfChecked === true) {
  89.             return;
  90.         }
  92.         $request $event->getRequest();
  94.         if ($request->attributes->get(SalesChannelRequest::ATTRIBUTE_CSRF_PROTECTEDtrue) === false) {
  95.             return;
  96.         }
  98.         if ($request->getMethod() !== Request::METHOD_POST) {
  99.             return;
  100.         }
  102.         /** @var RouteScope|list<string> $scopes */
  103.         $scopes $request->attributes->get(PlatformRequest::ATTRIBUTE_ROUTE_SCOPE, []);
  105.         if ($scopes instanceof RouteScope) {
  106.             $scopes $scopes->getScopes();
  107.         }
  109.         // Only check csrf token on storefront routes
  110.         if (!\in_array(StorefrontRouteScope::ID$scopestrue)) {
  111.             return;
  112.         }
  114.         $this->validateCsrfToken($request);
  115.     }
  117.     /**
  118.      * @deprecated tag:v6.5.0 - reason:visibility-change - method will become private in v6.5.0
  119.      */
  120.     public function validateCsrfToken(Request $request): void
  121.     {
  122.         Feature::triggerDeprecationOrThrow(
  123.             'v6.5.0.0',
  124.             Feature::deprecatedClassMessage(__CLASS__'v6.5.0.0')
  125.         );
  127.         $this->csrfChecked true;
  129.         $submittedCSRFToken = (string) $request->request->get('_csrf_token');
  131.         if ($this->csrfMode === CsrfModes::MODE_TWIG) {
  132.             $intent = (string) $request->attributes->get('_route');
  133.         } else {
  134.             $intent 'ajax';
  135.         }
  136.         $csrfCookies = (array) $request->cookies->get('csrf');
  137.         if (
  138.             (!isset($csrfCookies[$intent]) || $csrfCookies[$intent] !== $submittedCSRFToken)
  139.             && !$this->csrfTokenManager->isTokenValid(new CsrfToken($intent$submittedCSRFToken))
  140.         ) {
  141.             $session $request->getSession();
  143.             /* @see https://github.com/symfony/symfony/issues/41765 */
  144.             if (method_exists($session'getFlashBag')) {
  145.                 if ($request->isXmlHttpRequest()) {
  146.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403-ajax'));
  147.                 } else {
  148.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403'));
  149.                 }
  150.             }
  152.             throw new InvalidCsrfTokenException();
  153.         }
  154.     }
  156.     public function reset(): void
  157.     {
  158.         $this->csrfChecked false;
  159.     }
  160. }