
class AnonymousCsrfTokenGenerator in Anonymous CSRF Token 2.x

Class AnonymousCsrfTokenGenerator.

@package Drupal\anonymous_token\Access

Hierarchy

class \Drupal\Core\Access\CsrfTokenGenerator
  class \Drupal\anonymous_token\Access\AnonymousCsrfTokenGenerator

1 string reference to 'AnonymousCsrfTokenGenerator'
  anonymous_token.services.yml in ./anonymous_token.services.yml

1 service uses AnonymousCsrfTokenGenerator
  anonymous_token.csrf_token in ./anonymous_token.services.yml
    class: Drupal\anonymous_token\Access\AnonymousCsrfTokenGenerator

File

src/Access/AnonymousCsrfTokenGenerator.php, line 17

Namespace

Drupal\anonymous_token\Access
<?php

namespace Drupal\anonymous_token\Access;

use Drupal\Core\Access\CsrfTokenGenerator;
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\PrivateKey;
use Drupal\Core\Session\AccountProxyInterface;
use Drupal\Core\Session\MetadataBag;
use Symfony\Component\HttpFoundation\Session\SessionInterface;

class AnonymousCsrfTokenGenerator extends CsrfTokenGenerator {

  /**
   * The session.
   *
   * @var \Symfony\Component\HttpFoundation\Session\SessionInterface
   */
  protected $session;

  /**
   * A configuration object containing settings.
   *
   * @var \Drupal\Core\Config\ImmutableConfig
   */
  protected $config;

  /**
   * The current user on the website.
   *
   * @var \Drupal\Core\Session\AccountProxyInterface
   */
  protected $currentUser;

  /**
   * Constructs the token generator.
   *
   * @param \Drupal\Core\PrivateKey $private_key
   *   The private key service.
   * @param \Drupal\Core\Session\MetadataBag $session_metadata
   *   The session metadata bag.
   * @param \Symfony\Component\HttpFoundation\Session\SessionInterface $session
   *   The session.
   * @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory
   *   The factory for configuration objects.
   * @param \Drupal\Core\Session\AccountProxyInterface $account_proxy
   *   The account proxy.
   */
  public function __construct(PrivateKey $private_key, MetadataBag $session_metadata, SessionInterface $session, ConfigFactoryInterface $config_factory, AccountProxyInterface $account_proxy) {
    parent::__construct($private_key, $session_metadata);
    $this->session = $session;
    $this->config = $config_factory->get('anonymous_token.settings');
    $this->currentUser = $account_proxy;
  }

  /**
   * {@inheritdoc}
   *
   * We need to set a value in the session for anonymous users so that the
   * session is persistent across multiple requests. Core only persists a
   * session that holds user data (the metadata bag alone does not count), so
   * without this write the seed that the parent stores in the session
   * metadata is discarded at the end of the request and the token could
   * never validate on the next one.
   *
   * The write also starts the session and sets a session cookie, and a
   * request that carries a session cookie is not served by the Internal
   * Page Cache.
   *
   * @see https://drupal.stackexchange.com/questions/222353
   */
  public function get($value = '') {
    if ($this->session->isStarted() === FALSE) {
      $this->session->set('anon_session_id', $this->session->getId());
    }
    return parent::get($value);
  }

  /**
   * {@inheritdoc}
   *
   * To leverage single use CSRF tokens, we reset the CSRF seed after a match.
   * Clearing the seed invalidates every token derived from it, not only the
   * one that was just validated; the parent creates a fresh seed the next
   * time a token is computed.
   */
  public function validate($token, $value = '') {
    $valid = parent::validate($token, $value);
    if ($valid === TRUE && $this->currentUser->isAnonymous() && (bool) $this->config->get('force_single_use') === TRUE) {
      $this->sessionMetadata->clearCsrfTokenSeed();
    }
    return $valid;
  }

}
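The single-use behaviour of validate(), shown as an added example in plain PHP that runs without Drupal. This is not code from the anonymous_token module or from Drupal core: the token derivation mirrors the scheme core's CsrfTokenGenerator::computeToken() uses (HMAC-SHA256 over the value, keyed by the session seed, the site private key and the hash salt, url-safe base64 without padding), while SeedBag, SingleUseCsrfTokenGenerator, the key and salt strings and the form names are stand-ins invented for this example.

```php
<?php
// Added example, not part of the anonymous_token module or Drupal core.
// Models how a session-seeded CSRF token is derived and why clearing the
// seed after a successful validation makes every outstanding token single
// use. SeedBag stands in for MetadataBag, $privateKey for PrivateKey::get(),
// $hashSalt for Settings::getHashSalt() and $forceSingleUse for the
// anonymous_token.settings 'force_single_use' value (all assumptions).

declare(strict_types=1);

/** Minimal stand-in for \Drupal\Core\Session\MetadataBag. */
final class SeedBag {
  private ?string $seed = null;

  public function getCsrfTokenSeed(): ?string { return $this->seed; }
  public function setCsrfTokenSeed(string $seed): void { $this->seed = $seed; }
  public function clearCsrfTokenSeed(): void { $this->seed = null; }
}

/** Url-safe base64 HMAC-SHA256, the shape core's Crypt::hmacBase64() produces. */
function hmacBase64(string $data, string $key): string {
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, true));
  return str_replace(['+', '/', '='], ['-', '_', ''], $hmac);
}

final class SingleUseCsrfTokenGenerator {
  public function __construct(
    private SeedBag $seeds,
    private string $privateKey,
    private string $hashSalt,
    private bool $forceSingleUse,
  ) {}

  /** Lazily create the per-session seed, then derive the token for $value. */
  public function get(string $value = ''): string {
    $seed = $this->seeds->getCsrfTokenSeed();
    if ($seed === null) {
      $seed = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
      $this->seeds->setCsrfTokenSeed($seed);
    }
    return hmacBase64($value, $seed . $this->privateKey . $this->hashSalt);
  }

  /** Constant-time comparison; on a match, rotate the seed when configured. */
  public function validate(string $token, string $value = ''): bool {
    $valid = hash_equals($this->get($value), $token);
    if ($valid && $this->forceSingleUse) {
      // Drops the seed every issued token was derived from, not only $token.
      $this->seeds->clearCsrfTokenSeed();
    }
    return $valid;
  }
}

// Constructed scenario: an anonymous visitor has two forms open at once.
$bag = new SeedBag();
$gen = new SingleUseCsrfTokenGenerator($bag, 'example-private-key', 'example-hash-salt', true);

$tokenA = $gen->get('contact_form');    // issued under the first seed
$tokenB = $gen->get('newsletter_form'); // also issued under the first seed

$results = [
  'first use of tokenA'       => $gen->validate($tokenA, 'contact_form'),
  'replay of tokenA'          => $gen->validate($tokenA, 'contact_form'),
  'tokenB after seed rotated' => $gen->validate($tokenB, 'newsletter_form'),
];
foreach ($results as $case => $ok) {
  printf("%-27s %s\n", $case, $ok ? 'valid' : 'rejected');
}
```

Running this with `php` shows the trade-off the force_single_use setting makes: the first validation of tokenA succeeds and clears the seed, the replay of tokenA is rejected because the comparison now runs under a freshly created seed, and tokenB, issued for a different form under the old seed, is rejected as well. With the real module an anonymous visitor who submits two open forms in turn therefore gets a CSRF failure on the second one; leave force_single_use off if that flow matters more than replay protection.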

Members

Name | Modifiers | Type | Description | Overrides
--- | --- | --- | --- | ---
AnonymousCsrfTokenGenerator::$config | protected | property | A configuration object containing settings. |
AnonymousCsrfTokenGenerator::$currentUser | protected | property | The current user on the website. |
AnonymousCsrfTokenGenerator::$session | protected | property | The session. |
AnonymousCsrfTokenGenerator::get | public | function | We need to set a value in the session for anonymous users so that the session is persistent across multiple requests. | Overrides CsrfTokenGenerator::get
AnonymousCsrfTokenGenerator::validate | public | function | To leverage single use CSRF tokens, we reset the CSRF seed after a match. | Overrides CsrfTokenGenerator::validate
AnonymousCsrfTokenGenerator::__construct | public | function | Constructs the token generator. | Overrides CsrfTokenGenerator::__construct
CsrfTokenGenerator::$privateKey | protected | property | The private key service. |
CsrfTokenGenerator::$sessionMetadata | protected | property | The session metadata bag. |
CsrfTokenGenerator::computeToken | protected | function | Generates a token based on $value, the token seed, and the private key. |