vendor/symfony/security-csrf/CsrfTokenManager.php line 52

  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Csrf;
  14. use Symfony\Component\HttpFoundation\RequestStack;
  15. use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
  16. use Symfony\Component\Security\Csrf\TokenGenerator\TokenGeneratorInterface;
  17. use Symfony\Component\Security\Csrf\TokenGenerator\UriSafeTokenGenerator;
  18. use Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage;
  19. use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;
  21. /**
  22. * Default implementation of {@link CsrfTokenManagerInterface}.
  23. *
  24. * @author Bernhard Schussek <bschussek@gmail.com>
  25. * @author Kévin Dunglas <dunglas@gmail.com>
  26. */
  27. class CsrfTokenManager implements CsrfTokenManagerInterface
  28. {
  29. private TokenGeneratorInterface $generator;
  30. private TokenStorageInterface $storage;
  31. private \Closure|string $namespace;
  33. /**
  34. * @param $namespace
  35. * * null: generates a namespace using $_SERVER['HTTPS']
  36. * * string: uses the given string
  37. * * RequestStack: generates a namespace using the current main request
  38. * * callable: uses the result of this callable (must return a string)
  39. */
  40. public function __construct(?TokenGeneratorInterface $generator = null, ?TokenStorageInterface $storage = null, string|RequestStack|callable|null $namespace = null)
  41. {
  42. $this->generator = $generator ?? new UriSafeTokenGenerator();
  43. $this->storage = $storage ?? new NativeSessionTokenStorage();
  45. $superGlobalNamespaceGenerator = fn () => !empty($_SERVER['HTTPS']) && 'off' !== strtolower($_SERVER['HTTPS']) ? 'https-' : '';
  47. if (null === $namespace) {
  48. $this->namespace = $superGlobalNamespaceGenerator;
  49. } elseif ($namespace instanceof RequestStack) {
  50. $this->namespace = function () use ($namespace, $superGlobalNamespaceGenerator) {
  51. if ($request = $namespace->getMainRequest()) {
  52. return $request->isSecure() ? 'https-' : '';
  53. }
  55. return $superGlobalNamespaceGenerator();
  56. };
  57. } elseif ($namespace instanceof \Closure || \is_string($namespace)) {
  58. $this->namespace = $namespace;
  59. } elseif (\is_callable($namespace)) {
  60. $this->namespace = $namespace(...);
  61. } else {
  62. throw new InvalidArgumentException(sprintf('$namespace must be a string, a callable returning a string, null or an instance of "RequestStack". "%s" given.', get_debug_type($namespace)));
  63. }
  64. }
  66. public function getToken(string $tokenId): CsrfToken
  67. {
  68. $namespacedId = $this->getNamespace().$tokenId;
  69. if ($this->storage->hasToken($namespacedId)) {
  70. $value = $this->storage->getToken($namespacedId);
  71. } else {
  72. $value = $this->generator->generateToken();
  74. $this->storage->setToken($namespacedId, $value);
  75. }
  77. return new CsrfToken($tokenId, $this->randomize($value));
  78. }
  80. public function refreshToken(string $tokenId): CsrfToken
  81. {
  82. $namespacedId = $this->getNamespace().$tokenId;
  83. $value = $this->generator->generateToken();
  85. $this->storage->setToken($namespacedId, $value);
  87. return new CsrfToken($tokenId, $this->randomize($value));
  88. }
  90. public function removeToken(string $tokenId): ?string
  91. {
  92. return $this->storage->removeToken($this->getNamespace().$tokenId);
  93. }
  95. public function isTokenValid(CsrfToken $token): bool
  96. {
  97. $namespacedId = $this->getNamespace().$token->getId();
  98. if (!$this->storage->hasToken($namespacedId)) {
  99. return false;
  100. }
  102. return hash_equals($this->storage->getToken($namespacedId), $this->derandomize($token->getValue()));
  103. }
  105. private function getNamespace(): string
  106. {
  107. return \is_callable($ns = $this->namespace) ? $ns() : $ns;
  108. }
  110. private function randomize(string $value): string
  111. {
  112. $key = random_bytes(32);
  113. $value = $this->xor($value, $key);
  115. return sprintf('%s.%s.%s', substr(hash('xxh128', $key), 0, 1 + (\ord($key[0]) % 32)), rtrim(strtr(base64_encode($key), '+/', '-_'), '='), rtrim(strtr(base64_encode($value), '+/', '-_'), '='));
  116. }
  118. private function derandomize(string $value): string
  119. {
  120. $parts = explode('.', $value);
  121. if (3 !== \count($parts)) {
  122. return $value;
  123. }
  124. $key = base64_decode(strtr($parts[1], '-_', '+/'));
  125. if ('' === $key || false === $key) {
  126. return $value;
  127. }
  128. $value = base64_decode(strtr($parts[2], '-_', '+/'));
  130. return $this->xor($value, $key);
  131. }
  133. private function xor(string $value, string $key): string
  134. {
  135. if (\strlen($value) > \strlen($key)) {
  136. $key = str_repeat($key, ceil(\strlen($value) / \strlen($key)));
  137. }
  139. return $value ^ $key;
  140. }
  141. }