csrf_8php_source.html

<?php


namespace Bitrix\Main\Engine\ActionFilter;


use Bitrix\Main\Context;

use Bitrix\Main\Engine\Controller;

use Bitrix\Main\Error;

use Bitrix\Main\Event;

use Bitrix\Main\EventResult;


final class Csrf extends Base

{

    public const HEADER_WITH_NEW_CSRF = 'X-Bitrix-New-Csrf';

    public const ERROR_INVALID_CSRF = 'invalid_csrf';


    private $enabled;

    private $tokenName;

    private $returnNew;


    public function __construct(bool $enabled = true, string $tokenName = 'sessid', bool $returnNew = true)

    {

        $this->enabled = $enabled;

        $this->tokenName = $tokenName;

        $this->returnNew = $returnNew;

        parent::__construct();

    }


    public function listAllowedScopes()

    {

        return [

            Controller::SCOPE_AJAX,

        ];

    }


    public function onBeforeAction(Event $event)

    {

        if (!$this->enabled)

        {

            return null;

        }


        if (!check_bitrix_sessid($this->tokenName))

        {

            $errorCustomData = [];

            if ($this->returnNew)

            {

                $errorCustomData['csrf'] = bitrix_sessid();

                Context::getCurrent()->getResponse()->addHeader(

                    self::HEADER_WITH_NEW_CSRF, $errorCustomData['csrf']

                );

            }


            $this->addError(new Error(

                'Invalid csrf token',

                self::ERROR_INVALID_CSRF, $errorCustomData

            ));


            return new EventResult(EventResult::ERROR, null, null, $this);

        }


        return null;

    }


}


Bitrix\Main\Context\getCurrent
static getCurrent()
Definition context.php:241

Bitrix\Main\Engine\ActionFilter\Base
Definition base.php:15

Bitrix\Main\Engine\ActionFilter\Base\addError
addError(Error $error)
Definition base.php:80

Bitrix\Main\Engine\ActionFilter\Csrf
Definition csrf.php:14

Bitrix\Main\Engine\ActionFilter\Csrf\onBeforeAction
onBeforeAction(Event $event)
Definition csrf.php:57

Bitrix\Main\Engine\ActionFilter\Csrf\ERROR_INVALID_CSRF
const ERROR_INVALID_CSRF
Definition csrf.php:16

Bitrix\Main\Engine\ActionFilter\Csrf\HEADER_WITH_NEW_CSRF
const HEADER_WITH_NEW_CSRF
Definition csrf.php:15

Bitrix\Main\Engine\ActionFilter\Csrf\__construct
__construct(bool $enabled=true, string $tokenName='sessid', bool $returnNew=true)
Definition csrf.php:38

Bitrix\Main\Engine\ActionFilter\Csrf\listAllowedScopes
listAllowedScopes()
Definition csrf.php:50

Bitrix\Main\Engine\Controller
Definition controller.php:32

Bitrix\Main\Engine\Controller\SCOPE_AJAX
const SCOPE_AJAX
Definition controller.php:34

Bitrix\Main\Error
Definition error.php:14

Bitrix\Main\Event
Definition event.php:5

Bitrix\Main\EventResult
Definition eventresult.php:5

Bitrix\Main\Context
Definition culture.php:9

Bitrix\Main\Engine\ActionFilter
Definition authentication.php:4