You are here

class RouteProcessorCsrf in Drupal 9

Same name and namespace in other branches
  1. 8 core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf

Processes the outbound route to handle the CSRF token.

Hierarchy

Expanded class hierarchy of RouteProcessorCsrf

1 file declares its use of RouteProcessorCsrf
RouteProcessorCsrfTest.php in core/tests/Drupal/Tests/Core/Access/RouteProcessorCsrfTest.php
1 string reference to 'RouteProcessorCsrf'
core.services.yml in core/core.services.yml
core/core.services.yml
1 service uses RouteProcessorCsrf
route_processor_csrf in core/core.services.yml
Drupal\Core\Access\RouteProcessorCsrf

File

core/lib/Drupal/Core/Access/RouteProcessorCsrf.php, line 14

Namespace

Drupal\Core\Access
View source
class RouteProcessorCsrf implements OutboundRouteProcessorInterface, TrustedCallbackInterface {

  /**
   * The CSRF token generator.
   *
   * @var \Drupal\Core\Access\CsrfTokenGenerator
   */
  protected $csrfToken;

  /**
   * Constructs a RouteProcessorCsrf object.
   *
   * @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
   *   The CSRF token generator.
   */
  public function __construct(CsrfTokenGenerator $csrf_token) {
    $this->csrfToken = $csrf_token;
  }

  /**
   * {@inheritdoc}
   */
  public function processOutbound($route_name, Route $route, array &$parameters, BubbleableMetadata $bubbleable_metadata = NULL) {
    if ($route
      ->hasRequirement('_csrf_token')) {
      $path = ltrim($route
        ->getPath(), '/');

      // Replace the path parameters with values from the parameters array.
      foreach ($parameters as $param => $value) {
        $path = str_replace("{{$param}}", $value, $path);
      }

      // Adding this to the parameters means it will get merged into the query
      // string when the route is compiled.
      if (!$bubbleable_metadata) {
        $parameters['token'] = $this->csrfToken
          ->get($path);
      }
      else {

        // Generate a placeholder and a render array to replace it.
        $placeholder = Crypt::hashBase64($path);
        $placeholder_render_array = [
          '#lazy_builder' => [
            'route_processor_csrf:renderPlaceholderCsrfToken',
            [
              $path,
            ],
          ],
        ];

        // Instead of setting an actual CSRF token as the query string, we set
        // the placeholder, which will be replaced at the very last moment. This
        // ensures links with CSRF tokens don't break cacheability.
        $parameters['token'] = $placeholder;
        $bubbleable_metadata
          ->addAttachments([
          'placeholders' => [
            $placeholder => $placeholder_render_array,
          ],
        ]);
      }
    }
  }

  /**
   * #lazy_builder callback; gets a CSRF token for the given path.
   *
   * @param string $path
   *   The path to get a CSRF token for.
   *
   * @return array
   *   A renderable array representing the CSRF token.
   */
  public function renderPlaceholderCsrfToken($path) {
    return [
      '#markup' => $this->csrfToken
        ->get($path),
      // Tokens are per session.
      '#cache' => [
        'contexts' => [
          'session',
        ],
      ],
    ];
  }

  /**
   * {@inheritdoc}
   */
  public static function trustedCallbacks() {
    return [
      'renderPlaceholderCsrfToken',
    ];
  }

}

Members

Namesort descending Modifiers Type Description Overrides
RouteProcessorCsrf::$csrfToken protected property The CSRF token generator.
RouteProcessorCsrf::processOutbound public function Processes the outbound route. Overrides OutboundRouteProcessorInterface::processOutbound
RouteProcessorCsrf::renderPlaceholderCsrfToken public function #lazy_builder callback; gets a CSRF token for the given path.
RouteProcessorCsrf::trustedCallbacks public static function Lists the trusted callbacks provided by the implementing class. Overrides TrustedCallbackInterface::trustedCallbacks
RouteProcessorCsrf::__construct public function Constructs a RouteProcessorCsrf object.
TrustedCallbackInterface::THROW_EXCEPTION constant Untrusted callbacks throw exceptions.
TrustedCallbackInterface::TRIGGER_SILENCED_DEPRECATION constant Untrusted callbacks trigger silenced E_USER_DEPRECATION errors.
TrustedCallbackInterface::TRIGGER_WARNING constant Untrusted callbacks trigger E_USER_WARNING errors.