vendor/shopware/storefront/Framework/Csrf/CsrfPlaceholderHandler.php line 49

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Shopware\Storefront\Framework\Csrf;
  5. use Shopware\Core\Framework\Feature;
  6. use Shopware\Core\Framework\Log\Package;
  7. use Symfony\Component\HttpFoundation\Cookie;
  8. use Symfony\Component\HttpFoundation\Request;
  9. use Symfony\Component\HttpFoundation\RequestStack;
  10. use Symfony\Component\HttpFoundation\Response;
  11. use Symfony\Component\HttpFoundation\Session\Session;
  12. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  13. use Symfony\Component\HttpFoundation\Session\Storage\SessionStorageFactoryInterface;
  14. use Symfony\Component\HttpFoundation\StreamedResponse;
  15. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  17. /**
  18. * @deprecated tag:v6.5.0 - class will be removed as the csrf system will be removed in favor for the samesite approach
  19. */
  20. #[Package('storefront')]
  21. class CsrfPlaceholderHandler
  22. {
  23. public const CSRF_PLACEHOLDER = 'ef08e89e9bbf5bb124393.NPAhs6gyXLkBbi0chNtOp8VJFVwrn2xXLJ6HG84-8PE.AcERgtlXMeZVNxVD8bYGk5ojJjJjqgA_Q_3dcJF3wIYEn1uAnVoQjVUMZA007700">;
  25. private CsrfTokenManagerInterface $csrfTokenManager;
  27. private bool $csrfEnabled;
  29. private string $csrfMode;
  31. private RequestStack $requestStack;
  33. private SessionStorageFactoryInterface $sessionFactory;
  35. /**
  36. * @internal
  37. */
  38. public function __construct(CsrfTokenManagerInterface $csrfTokenManager, bool $csrfEnabled, string $csrfMode, RequestStack $requestStack, SessionStorageFactoryInterface $sessionFactory)
  39. {
  40. $this->csrfTokenManager = $csrfTokenManager;
  41. $this->csrfEnabled = $csrfEnabled;
  42. $this->csrfMode = $csrfMode;
  43. $this->requestStack = $requestStack;
  44. $this->sessionFactory = $sessionFactory;
  45. }
  47. public function replaceCsrfToken(Response $response, Request $request): Response
  48. {
  49. Feature::triggerDeprecationOrThrow(
  50. 'v6.5.0.0',
  51. Feature::deprecatedClassMessage(__CLASS__, 'v6.5.0.0')
  52. );
  54. if ($response instanceof StreamedResponse) {
  55. return $response;
  56. }
  58. if (!$this->csrfEnabled || $this->csrfMode !== CsrfModes::MODE_TWIG) {
  59. return $response;
  60. }
  62. if ($response->getStatusCode() !== Response::HTTP_OK && $response->getStatusCode() !== Response::HTTP_NOT_FOUND) {
  63. return $response;
  64. }
  66. $content = $response->getContent();
  68. if ($content === false) {
  69. return $response;
  70. }
  72. // Early return if the placeholder is not present in body to save cpu cycles with the regex
  73. if (!\str_contains($content, self::CSRF_PLACEHOLDER)) {
  74. return $response;
  75. }
  77. // Get session from session provider if not provided in session. This happens when the page is fully cached
  78. $session = $request->hasSession() ? $request->getSession() : $this->createSession($request);
  79. $request->setSession($session);
  81. if ($session !== null) {
  82. // StorefrontSubscriber did not run and set the session name. This can happen when the page is fully cached in the http cache
  83. if (!$session->isStarted()) {
  84. $session->setName('session-');
  85. }
  87. // The SessionTokenStorage gets the session from the RequestStack. This is at this moment empty as the Symfony request cycle did run already
  88. $this->requestStack->push($request);
  89. }
  91. $processedIntents = [];
  93. // https://regex101.com/r/fefx3V/1
  94. $content = preg_replace_callback(
  95. '/' . self::CSRF_PLACEHOLDER . '(?<intent>[^#]*)#/',
  96. function ($matches) use ($response, $request, &$processedIntents) {
  97. $intent = $matches['intent'];
  98. $token = $processedIntents[$intent] ?? null;
  100. // Don't generate the token and set the cookie again
  101. if ($token === null) {
  102. $token = $this->getToken($intent);
  103. $cookie = Cookie::create('csrf[' . $intent . ']', $token);
  104. $cookie->setSecureDefault($request->isSecure());
  105. $response->headers->setCookie($cookie);
  106. $processedIntents[$intent] = $token;
  107. }
  109. return $token;
  110. },
  111. $content
  112. );
  114. $response->setContent($content);
  116. if ($session !== null) {
  117. // Pop out the request injected some lines above. This is important for long running applications with roadrunner or swoole
  118. $this->requestStack->pop();
  119. }
  121. return $response;
  122. }
  124. private function getToken(string $intent): string
  125. {
  126. return $this->csrfTokenManager->getToken($intent)->getValue();
  127. }
  129. private function createSession(Request $request): SessionInterface
  130. {
  131. $session = new Session($this->sessionFactory->createStorage($request));
  132. $session->setName('session-');
  133. $request->setSession($session);
  135. return $session;
  136. }
  137. }