Open Monograph Press  3.3.0
ApiCsrfMiddleware.inc.php
1 <?php
2 
18 
/** @var APIHandler Handler whose API token, when present, exempts the request from the CSRF check. */
protected $_handler = null;
21 
/**
 * Bind the middleware to the API handler it guards.
 *
 * @param $handler APIHandler Handler consulted for an API token when deciding whether CSRF applies.
 */
public function __construct(APIHandler $handler) {
    $this->_handler = $handler;
}
30 
/**
 * Slim middleware entry point.
 *
 * Lets the request through to the next middleware unless a CSRF token is
 * required and the supplied one does not validate, in which case a 403 JSON
 * error is returned and the chain stops.
 *
 * @param $slimRequest Request Slim request object.
 * @param $response Response Slim response object.
 * @param $next callable Next middleware in the chain.
 * @return Response
 */
public function __invoke($slimRequest, $response, $next) {
    $needsToken = $this->_isCSRFRequired($slimRequest);
    // Validation is only attempted when a token is actually required.
    if (!$needsToken || $this->_isCSRFValid($slimRequest)) {
        return $next($slimRequest, $response);
    }
    $errorBody = [
        'error' => 'form.csrfInvalid',
        'errorMessage' => __('form.csrfInvalid'),
    ];
    return $response->withJson($errorBody, 403);
}
49 
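/**
 * Decide whether this request must carry a CSRF token.
 *
 * Requests for which the handler holds an API token are exempt; otherwise a
 * token is required for the state-changing methods POST, PUT and DELETE.
 *
 * @param $slimRequest Request Slim request object (must expose getServerParams()).
 * @return boolean
 */
protected function _isCSRFRequired($slimRequest) {
    // Presumably the API token is a separate, non-cookie credential, so CSRF does not apply — confirm against APIHandler.
    if ($this->_handler->getApiToken()) {
        return false;
    }
    $server = $slimRequest->getServerParams();
    // A missing REQUEST_METHOD never matches; strict comparison because the method is an exact string.
    // NOTE(review): PATCH is not in this list — if any API route accepts PATCH, confirm it is not expected to be covered here.
    return in_array($server['REQUEST_METHOD'] ?? '', ['POST', 'PUT', 'DELETE'], true);
}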
63 
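/**
 * Check the X-Csrf-Token request header against the session's CSRF token.
 *
 * @param $slimRequest Request Slim request object (must expose getServerParams()).
 * @return boolean True only when a header token is present, a session exists,
 *  and the two tokens are identical.
 */
protected function _isCSRFValid($slimRequest) {
    $server = $slimRequest->getServerParams();
    if (empty($server['HTTP_X_CSRF_TOKEN'])) {
        return false;
    }
    $headerToken = $server['HTTP_X_CSRF_TOKEN'];
    $session = Application::get()->getRequest()->getSession();
    if (!$session) {
        return false;
    }
    $sessionToken = $session->getCSRFToken();
    // hash_equals() requires two strings; anything else cannot be a valid token.
    if (!is_string($sessionToken) || !is_string($headerToken)) {
        return false;
    }
    // Constant-time comparison so response timing does not reveal how much of the token matched.
    return hash_equals($sessionToken, $headerToken);
}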
78 }