vendor/shopware/storefront/Framework/Csrf/CsrfRouteListener.php line 72

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Storefront\Framework\Csrf;
  5. use Shopware\Core\Framework\Routing\Annotation\RouteScope;
  6. use Shopware\Core\Framework\Routing\KernelListenerPriorities;
  7. use Shopware\Core\PlatformRequest;
  8. use Shopware\Core\SalesChannelRequest;
  9. use Shopware\Storefront\Framework\Csrf\Exception\InvalidCsrfTokenException;
  10. use Shopware\Storefront\Framework\Routing\StorefrontRouteScope;
  11. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  12. use Symfony\Component\HttpFoundation\Request;
  13. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  14. use Symfony\Component\HttpKernel\KernelEvents;
  15. use Symfony\Component\Security\Csrf\CsrfToken;
  16. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  17. use Symfony\Contracts\Service\ResetInterface;
  18. use Symfony\Contracts\Translation\TranslatorInterface;
  20. /**
  21.  * @deprecated tag:v6.5.0 - reason:becomes-internal - EventSubscribers will become internal in v6.5.0
  22.  */
  23. class CsrfRouteListener implements EventSubscriberInterfaceResetInterface
  24. {
  25.     /**
  26.      * @deprecated tag:v6.5.0 - reason:visibility-change - Will become private and natively typed to bool
  27.      *
  28.      * @var bool
  29.      */
  30.     protected $csrfEnabled;
  32.     /**
  33.      * @deprecated tag:v6.5.0 - reason:visibility-change - Will become private and natively typed to string
  34.      *
  35.      * @var string
  36.      */
  37.     protected $csrfMode;
  39.     private CsrfTokenManagerInterface $csrfTokenManager;
  41.     /**
  42.      * Used to track if the csrf token has already been check for the request
  43.      */
  44.     private bool $csrfChecked false;
  46.     private TranslatorInterface $translator;
  48.     /**
  49.      * @internal
  50.      */
  51.     public function __construct(
  52.         CsrfTokenManagerInterface $csrfTokenManager,
  53.         bool $csrfEnabled,
  54.         string $csrfMode,
  55.         TranslatorInterface $translator
  56.     ) {
  57.         $this->csrfTokenManager $csrfTokenManager;
  58.         $this->csrfEnabled $csrfEnabled;
  59.         $this->translator $translator;
  60.         $this->csrfMode $csrfMode;
  61.     }
  63.     public static function getSubscribedEvents(): array
  64.     {
  65.         return [
  66.             KernelEvents::CONTROLLER => [
  67.                 ['csrfCheck'KernelListenerPriorities::KERNEL_CONTROLLER_EVENT_CONTEXT_RESOLVE_PRE],
  68.             ],
  69.         ];
  70.     }
  72.     public function csrfCheck(ControllerEvent $event): void
  73.     {
  74.         if (!$this->csrfEnabled || $this->csrfChecked === true) {
  75.             return;
  76.         }
  78.         $request $event->getRequest();
  80.         if ($request->attributes->get(SalesChannelRequest::ATTRIBUTE_CSRF_PROTECTEDtrue) === false) {
  81.             return;
  82.         }
  84.         if ($request->getMethod() !== Request::METHOD_POST) {
  85.             return;
  86.         }
  88.         /** @var RouteScope|list<string> $scopes */
  89.         $scopes $request->attributes->get(PlatformRequest::ATTRIBUTE_ROUTE_SCOPE, []);
  91.         if ($scopes instanceof RouteScope) {
  92.             $scopes $scopes->getScopes();
  93.         }
  95.         // Only check csrf token on storefront routes
  96.         if (!\in_array(StorefrontRouteScope::ID$scopestrue)) {
  97.             return;
  98.         }
  100.         $this->validateCsrfToken($request);
  101.     }
  103.     /**
  104.      * @deprecated tag:v6.5.0 - reason:visibility-change - method will become private in v6.5.0
  105.      */
  106.     public function validateCsrfToken(Request $request): void
  107.     {
  108.         $this->csrfChecked true;
  110.         $submittedCSRFToken = (string) $request->request->get('_csrf_token');
  112.         if ($this->csrfMode === CsrfModes::MODE_TWIG) {
  113.             $intent = (string) $request->attributes->get('_route');
  114.         } else {
  115.             $intent 'ajax';
  116.         }
  117.         $csrfCookies = (array) $request->cookies->get('csrf');
  118.         if (
  119.             (!isset($csrfCookies[$intent]) || $csrfCookies[$intent] !== $submittedCSRFToken)
  120.             && !$this->csrfTokenManager->isTokenValid(new CsrfToken($intent$submittedCSRFToken))
  121.         ) {
  122.             $session $request->getSession();
  124.             /* @see https://github.com/symfony/symfony/issues/41765 */
  125.             if (method_exists($session'getFlashBag')) {
  126.                 if ($request->isXmlHttpRequest()) {
  127.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403-ajax'));
  128.                 } else {
  129.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403'));
  130.                 }
  131.             }
  133.             throw new InvalidCsrfTokenException();
  134.         }
  135.     }
  137.     public function reset(): void
  138.     {
  139.         $this->csrfChecked false;
  140.     }
  141. }