You are here

class CsrfTokenGenerator in Drupal 10

Same name and namespace in other branches
  1. 8 core/lib/Drupal/Core/Access/CsrfTokenGenerator.php \Drupal\Core\Access\CsrfTokenGenerator
  2. 9 core/lib/Drupal/Core/Access/CsrfTokenGenerator.php \Drupal\Core\Access\CsrfTokenGenerator

Generates and validates CSRF tokens.

Hierarchy

Expanded class hierarchy of CsrfTokenGenerator

See also

\Drupal\Tests\Core\Access\CsrfTokenGeneratorTest

13 files declare their use of CsrfTokenGenerator
AjaxBasePageNegotiator.php in core/lib/Drupal/Core/Theme/AjaxBasePageNegotiator.php
AjaxBasePageNegotiatorTest.php in core/tests/Drupal/Tests/Core/Theme/AjaxBasePageNegotiatorTest.php
BatchStorage.php in core/lib/Drupal/Core/Batch/BatchStorage.php
CsrfTokenController.php in core/modules/system/src/Controller/CsrfTokenController.php
CsrfTokenGeneratorTest.php in core/tests/Drupal/Tests/Core/Access/CsrfTokenGeneratorTest.php

... See full list

1 string reference to 'CsrfTokenGenerator'
core.services.yml in core/core.services.yml
core/core.services.yml
1 service uses CsrfTokenGenerator
csrf_token in core/core.services.yml
Drupal\Core\Access\CsrfTokenGenerator

File

core/lib/Drupal/Core/Access/CsrfTokenGenerator.php, line 15

Namespace

Drupal\Core\Access
View source
class CsrfTokenGenerator {

  /**
   * The private key service.
   *
   * @var \Drupal\Core\PrivateKey
   */
  protected $privateKey;

  /**
   * The session metadata bag.
   *
   * @var \Drupal\Core\Session\MetadataBag
   */
  protected $sessionMetadata;

  /**
   * Constructs the token generator.
   *
   * @param \Drupal\Core\PrivateKey $private_key
   *   The private key service.
   * @param \Drupal\Core\Session\MetadataBag $session_metadata
   *   The session metadata bag.
   */
  public function __construct(PrivateKey $private_key, MetadataBag $session_metadata) {
    $this->privateKey = $private_key;
    $this->sessionMetadata = $session_metadata;
  }

  /**
   * Generates a token based on $value, the user session, and the private key.
   *
   * The generated token is based on the session of the current user. Normally,
   * anonymous users do not have a session, so the generated token will be
   * different on every page request. To generate a token for users without a
   * session, manually start a session prior to calling this function.
   *
   * @param string $value
   *   (optional) An additional value to base the token on.
   *
   * @return string
   *   A 43-character URL-safe token for validation, based on the token seed,
   *   the hash salt provided by Settings::getHashSalt(), and the
   *   'drupal_private_key' configuration variable.
   *
   * @see \Drupal\Core\Site\Settings::getHashSalt()
   * @see \Symfony\Component\HttpFoundation\Session\SessionInterface::start()
   */
  public function get($value = '') {
    $seed = $this->sessionMetadata
      ->getCsrfTokenSeed();
    if (empty($seed)) {
      $seed = Crypt::randomBytesBase64();
      $this->sessionMetadata
        ->setCsrfTokenSeed($seed);
    }
    return $this
      ->computeToken($seed, $value);
  }

  /**
   * Validates a token based on $value, the user session, and the private key.
   *
   * @param string $token
   *   The token to be validated.
   * @param string $value
   *   (optional) An additional value to base the token on.
   *
   * @return bool
   *   TRUE for a valid token, FALSE for an invalid token.
   */
  public function validate($token, $value = '') {
    $seed = $this->sessionMetadata
      ->getCsrfTokenSeed();
    if (empty($seed)) {
      return FALSE;
    }
    $value = $this
      ->computeToken($seed, $value);

    // PHP 8.0 strictly typehints for hash_equals. Maintain BC until we can
    // enforce scalar typehints on this method.
    if (!is_string($token)) {
      return FALSE;
    }
    return hash_equals($value, $token);
  }

  /**
   * Generates a token based on $value, the token seed, and the private key.
   *
   * @param string $seed
   *   The per-session token seed.
   * @param string $value
   *   (optional) An additional value to base the token on.
   *
   * @return string
   *   A 43-character URL-safe token for validation, based on the token seed,
   *   the hash salt provided by Settings::getHashSalt(), and the site private
   *   key.
   *
   * @see \Drupal\Core\Site\Settings::getHashSalt()
   */
  protected function computeToken($seed, $value = '') {
    return Crypt::hmacBase64($value, $seed . $this->privateKey
      ->get() . Settings::getHashSalt());
  }

}

Members