class CSRFTokenAccessCheck in Services 9.0.x

Same name and namespace in other branches
  1. 8.4 src/Access/CSRFTokenAccessCheck.php \Drupal\services\Access\CSRFTokenAccessCheck

Route access check for the Services module. It requires a valid X-CSRF-Token request header on PUT and POST requests made by an authenticated user whose request carries a session (i.e. cookie-based authentication). Routes opt in by setting the _check_services_csrf requirement and declaring their methods; requests with no session (for example, a non-cookie authentication provider) and anonymous requests are allowed through without a token, since only cookie-backed sessions are exposed to cross-site request forgery. Tokens are validated against the value 'services', so a token issued for a different value (core's /session/token endpoint issues tokens for the value 'rest') will not validate here.

Hierarchy

  class \Drupal\services\Access\CSRFTokenAccessCheck implements \Drupal\Core\Access\AccessCheckInterface

1 string reference to 'CSRFTokenAccessCheck'
  services.services.yml in ./services.services.yml

1 service uses CSRFTokenAccessCheck
  services.csrf_token_access_check in ./services.services.yml
    \Drupal\services\Access\CSRFTokenAccessCheck

File

src/Access/CSRFTokenAccessCheck.php, line 15

Namespace

Drupal\services\Access
<?php

namespace Drupal\services\Access;

use Drupal\Core\Access\AccessCheckInterface;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Session\SessionConfigurationInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Route;

/**
 * Requires an X-CSRF-Token header on PUT/POST requests from session users.
 *
 * Routes opt in with the '_check_services_csrf' requirement. The check only
 * fires when the request is authenticated through a session cookie, because
 * that is the only case in which a browser would attach credentials to a
 * cross-site request automatically.
 */
class CSRFTokenAccessCheck implements AccessCheckInterface {

  /**
   * The session configuration.
   *
   * @var \Drupal\Core\Session\SessionConfigurationInterface
   */
  protected $sessionConfiguration;

  /**
   * Constructor for \Drupal\services\Access\CSRFTokenAccessCheck.
   *
   * @param \Drupal\Core\Session\SessionConfigurationInterface $session_configuration
   *   The session configuration, used to detect whether the request carries a
   *   session cookie.
   */
  public function __construct(SessionConfigurationInterface $session_configuration) {
    $this->sessionConfiguration = $session_configuration;
  }

  /**
   * {@inheritdoc}
   */
  public function applies(Route $route) {
    $requirements = $route->getRequirements();
    if (!isset($requirements['_check_services_csrf'])) {
      return FALSE;
    }
    // The check is attached only when the route explicitly declares at least
    // one restricted method. A route that declares no methods (and therefore
    // matches any method) is never checked by this class.
    return $this->hasRestrictedMethod($route->getMethods());
  }

  /**
   * {@inheritdoc}
   */
  public function access(Request $request, AccountInterface $account) {
    // All three conditions must hold before a token is demanded: the user is
    // authenticated, the method is restricted, and the request carries a
    // session. Token-authenticated or anonymous requests pass without a token.
    if ($account->isAuthenticated()
      && in_array($request->getMethod(), $this->restrictedMethods())
      && $this->sessionConfiguration->hasSession($request)) {
      // A missing header yields NULL, which fails validation like a bad token.
      $csrf_token = $request->headers->get('X-CSRF-Token');
      // The token is bound to the value 'services'; tokens generated for any
      // other value (such as core's 'rest') do not validate here.
      if (!\Drupal::csrfToken()->validate($csrf_token, 'services')) {
        return AccessResult::forbidden('CSRF validation failed')
          ->setCacheMaxAge(0);
      }
    }
    // The outcome depends on a request header that is not a cache context, so
    // neither result may be cached.
    return AccessResult::allowed()
      ->setCacheMaxAge(0);
  }

  /**
   * Define restricted methods that need a CSRF token.
   *
   * Note that PATCH and DELETE are not listed, so routes declaring only those
   * methods are not protected by this check.
   *
   * @return array
   *   An array of restricted methods.
   */
  protected function restrictedMethods() {
    return [
      'PUT',
      'POST',
    ];
  }

  /**
   * Determine if the methods are restricted.
   *
   * @param array $methods
   *   An array of HTTP methods.
   *
   * @return bool
   *   Return TRUE if a restricted method was found; otherwise FALSE.
   */
  protected function hasRestrictedMethod(array $methods) {
    foreach ($methods as $method) {
      if (in_array(strtoupper($method), $this->restrictedMethods())) {
        return TRUE;
      }
    }
    return FALSE;
  }

}
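The decision table above (route gating in applies(), the three conditions in access(), and the gaps for undeclared methods and DELETE) is easiest to pin down with a unit test. The following PHPUnit test is an added example, not part of the Services module's own test suite. It assumes Drupal's UnitTestCase base class is available, stubs the csrf_token service so that only the constructed token string 'good-token' validates for the value 'services', and uses the hypothetical route path /api/thing.

```php
<?php

namespace Drupal\Tests\services\Unit\Access;

use Drupal\Core\Access\CsrfTokenGenerator;
use Drupal\Core\DependencyInjection\ContainerBuilder;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Session\SessionConfigurationInterface;
use Drupal\services\Access\CSRFTokenAccessCheck;
use Drupal\Tests\UnitTestCase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Route;

/**
 * Added example test for CSRFTokenAccessCheck (not the module's own test).
 *
 * @coversDefaultClass \Drupal\services\Access\CSRFTokenAccessCheck
 * @group services
 */
class CSRFTokenAccessCheckTest extends UnitTestCase {

  /**
   * {@inheritdoc}
   */
  protected function setUp(): void {
    parent::setUp();
    // Constructed stub: only 'good-token' validates, and only for 'services'.
    $generator = $this->createMock(CsrfTokenGenerator::class);
    $generator->method('validate')
      ->willReturnCallback(function ($token, $value) {
        return $value === 'services' && $token === 'good-token';
      });
    // The class reaches the generator through \Drupal::csrfToken(), so the
    // stub has to be registered in the global container under 'csrf_token'.
    $container = new ContainerBuilder();
    $container->set('csrf_token', $generator);
    \Drupal::setContainer($container);
  }

  /**
   * Builds the access check with a session configuration stub.
   */
  protected function buildCheck(bool $has_session): CSRFTokenAccessCheck {
    $session_config = $this->createMock(SessionConfigurationInterface::class);
    $session_config->method('hasSession')->willReturn($has_session);
    return new CSRFTokenAccessCheck($session_config);
  }

  /**
   * Builds an account stub that is or is not authenticated.
   */
  protected function account(bool $authenticated): AccountInterface {
    $account = $this->createMock(AccountInterface::class);
    $account->method('isAuthenticated')->willReturn($authenticated);
    return $account;
  }

  /**
   * Builds a route carrying the opt-in requirement and the given methods.
   */
  protected function route(array $methods): Route {
    return new Route('/api/thing', [], ['_check_services_csrf' => 'TRUE'], [], '', [], $methods);
  }

  /**
   * @covers ::applies
   */
  public function testAppliesOnlyWithRequirementAndRestrictedMethod(): void {
    $check = $this->buildCheck(TRUE);
    $this->assertTrue($check->applies($this->route(['POST'])));
    $this->assertTrue($check->applies($this->route(['get', 'put'])));
    // No methods declared (route matches any method): the check is skipped.
    $this->assertFalse($check->applies($this->route([])));
    // DELETE and PATCH are not restricted methods, so they are never checked.
    $this->assertFalse($check->applies($this->route(['DELETE', 'PATCH'])));
    // Without the requirement the check never applies, whatever the methods.
    $this->assertFalse($check->applies(new Route('/api/thing', [], [], [], '', [], ['POST'])));
  }

  /**
   * @covers ::access
   */
  public function testSessionPostRequiresValidToken(): void {
    $check = $this->buildCheck(TRUE);
    $account = $this->account(TRUE);
    $request = Request::create('/api/thing', 'POST');
    // Missing header is forbidden, as is a wrong token.
    $this->assertTrue($check->access($request, $account)->isForbidden());
    $request->headers->set('X-CSRF-Token', 'bad-token');
    $this->assertTrue($check->access($request, $account)->isForbidden());
    $request->headers->set('X-CSRF-Token', 'good-token');
    $this->assertTrue($check->access($request, $account)->isAllowed());
    // GET on the same route is allowed without any token.
    $get = Request::create('/api/thing', 'GET');
    $this->assertTrue($check->access($get, $account)->isAllowed());
  }

  /**
   * @covers ::access
   */
  public function testNonSessionAndAnonymousRequestsSkipToken(): void {
    $request = Request::create('/api/thing', 'POST');
    // Authenticated but no session (e.g. a non-cookie auth provider).
    $this->assertTrue($this->buildCheck(FALSE)->access($request, $this->account(TRUE))->isAllowed());
    // Anonymous user with a session cookie.
    $this->assertTrue($this->buildCheck(TRUE)->access($request, $this->account(FALSE))->isAllowed());
  }

}
```

Run it with the module's phpunit configuration (for example `vendor/bin/phpunit -c core modules/contrib/services/tests/src/Unit/Access`). The last two assertions in testAppliesOnlyWithRequirementAndRestrictedMethod are the ones worth keeping in mind when writing routing.yml entries: a route must set _check_services_csrf and list its methods explicitly, and DELETE or PATCH endpoints need some other protection.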

Members

Name | Modifiers | Type | Description | Overrides
CSRFTokenAccessCheck::$sessionConfiguration | protected | property | The session configuration. |
CSRFTokenAccessCheck::access | public | function | Forbids PUT/POST requests from session-authenticated users that lack a valid X-CSRF-Token header; allows everything else. |
CSRFTokenAccessCheck::applies | public | function | Declares whether the access check applies to a specific route or not. | AccessCheckInterface::applies
CSRFTokenAccessCheck::hasRestrictedMethod | protected | function | Determine if the methods are restricted. |
CSRFTokenAccessCheck::restrictedMethods | protected | function | Define restricted methods that need a CSRF token. |
CSRFTokenAccessCheck::__construct | public | function | Constructor for \Drupal\services\Access\CSRFTokenAccessCheck. |