vendor/shopware/storefront/Framework/Csrf/CsrfRouteListener.php line 87

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Storefront\Framework\Csrf;
  5. use Shopware\Core\Framework\Feature;
  6. use Shopware\Core\Framework\Log\Package;
  7. use Shopware\Core\Framework\Routing\Annotation\RouteScope;
  8. use Shopware\Core\Framework\Routing\KernelListenerPriorities;
  9. use Shopware\Core\PlatformRequest;
  10. use Shopware\Core\SalesChannelRequest;
  11. use Shopware\Storefront\Framework\Csrf\Exception\InvalidCsrfTokenException;
  12. use Shopware\Storefront\Framework\Routing\StorefrontRouteScope;
  13. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  14. use Symfony\Component\HttpFoundation\Request;
  15. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  16. use Symfony\Component\HttpKernel\KernelEvents;
  17. use Symfony\Component\Security\Csrf\CsrfToken;
  18. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  19. use Symfony\Contracts\Service\ResetInterface;
  20. use Symfony\Contracts\Translation\TranslatorInterface;
  22. /**
  23.  * @deprecated tag:v6.5.0 - reason:becomes-internal - will be removed
  24.  */
  25. #[Package('storefront')]
  26. class CsrfRouteListener implements EventSubscriberInterfaceResetInterface
  27. {
  28.     /**
  29.      * @deprecated tag:v6.5.0 - reason:visibility-change - Will become private and natively typed to bool
  30.      *
  31.      * @var bool
  32.      */
  33.     protected $csrfEnabled;
  35.     /**
  36.      * @deprecated tag:v6.5.0 - reason:visibility-change - Will become private and natively typed to string
  37.      *
  38.      * @var string
  39.      */
  40.     protected $csrfMode;
  42.     private CsrfTokenManagerInterface $csrfTokenManager;
  44.     /**
  45.      * Used to track if the csrf token has already been check for the request
  46.      */
  47.     private bool $csrfChecked false;
  49.     private TranslatorInterface $translator;
  51.     /**
  52.      * @internal
  53.      */
  54.     public function __construct(
  55.         CsrfTokenManagerInterface $csrfTokenManager,
  56.         bool $csrfEnabled,
  57.         string $csrfMode,
  58.         TranslatorInterface $translator
  59.     ) {
  60.         $this->csrfTokenManager $csrfTokenManager;
  61.         $this->csrfEnabled $csrfEnabled;
  62.         $this->translator $translator;
  63.         $this->csrfMode $csrfMode;
  64.     }
  66.     public static function getSubscribedEvents(): array
  67.     {
  68.         if (Feature::isActive('v6.5.0.0')) {
  69.             return [];
  70.         }
  72.         return [
  73.             KernelEvents::CONTROLLER => [
  74.                 ['csrfCheck'KernelListenerPriorities::KERNEL_CONTROLLER_EVENT_CONTEXT_RESOLVE_PRE],
  75.             ],
  76.         ];
  77.     }
  79.     public function csrfCheck(ControllerEvent $event): void
  80.     {
  81.         if (Feature::isActive('v6.5.0.0')) {
  82.             return;
  83.         }
  85.         Feature::triggerDeprecationOrThrow(
  86.             'v6.5.0.0',
  87.             Feature::deprecatedClassMessage(__CLASS__'v6.5.0.0')
  88.         );
  90.         if (!$this->csrfEnabled || $this->csrfChecked === true) {
  91.             return;
  92.         }
  94.         $request $event->getRequest();
  96.         if ($request->attributes->get(SalesChannelRequest::ATTRIBUTE_CSRF_PROTECTEDtrue) === false) {
  97.             return;
  98.         }
  100.         if ($request->getMethod() !== Request::METHOD_POST) {
  101.             return;
  102.         }
  104.         /** @var RouteScope|list<string> $scopes */
  105.         $scopes $request->attributes->get(PlatformRequest::ATTRIBUTE_ROUTE_SCOPE, []);
  107.         if ($scopes instanceof RouteScope) {
  108.             $scopes $scopes->getScopes();
  109.         }
  111.         // Only check csrf token on storefront routes
  112.         if (!\in_array(StorefrontRouteScope::ID$scopestrue)) {
  113.             return;
  114.         }
  116.         $this->validateCsrfToken($request);
  117.     }
  119.     /**
  120.      * @deprecated tag:v6.5.0 - reason:visibility-change - method will become private in v6.5.0
  121.      */
  122.     public function validateCsrfToken(Request $request): void
  123.     {
  124.         Feature::triggerDeprecationOrThrow(
  125.             'v6.5.0.0',
  126.             Feature::deprecatedClassMessage(__CLASS__'v6.5.0.0')
  127.         );
  129.         $this->csrfChecked true;
  131.         $submittedCSRFToken = (string) $request->request->get('_csrf_token');
  133.         if ($this->csrfMode === CsrfModes::MODE_TWIG) {
  134.             $intent = (string) $request->attributes->get('_route');
  135.         } else {
  136.             $intent 'ajax';
  137.         }
  138.         $csrfCookies = (array) $request->cookies->get('csrf');
  139.         if (
  140.             (!isset($csrfCookies[$intent]) || $csrfCookies[$intent] !== $submittedCSRFToken)
  141.             && !$this->csrfTokenManager->isTokenValid(new CsrfToken($intent$submittedCSRFToken))
  142.         ) {
  143.             $session $request->getSession();
  145.             /* @see https://github.com/symfony/symfony/issues/41765 */
  146.             if (method_exists($session'getFlashBag')) {
  147.                 if ($request->isXmlHttpRequest()) {
  148.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403-ajax'));
  149.                 } else {
  150.                     $session->getFlashBag()->add('danger'$this->translator->trans('error.message-403'));
  151.                 }
  152.             }
  154.             throw new InvalidCsrfTokenException();
  155.         }
  156.     }
  158.     public function reset(): void
  159.     {
  160.         $this->csrfChecked false;
  161.     }
  162. }