|
| 1 | +<?php |
| 2 | + |
| 3 | +namespace Neuron\Mvc\Security; |
| 4 | + |
| 5 | +use Neuron\Routing\Filter; |
| 6 | +use Neuron\Routing\RouteMap; |
| 7 | +use Neuron\Mvc\Exceptions\CsrfValidationException; |
| 8 | +use Neuron\Log\Log; |
| 9 | + |
| 10 | +/** |
| 11 | + * Framework-level CSRF protection filter. |
| 12 | + * |
| 13 | + * Validates CSRF tokens on state-changing requests (POST, PUT, DELETE, PATCH) |
| 14 | + * to prevent Cross-Site Request Forgery. Register as the 'csrf' route filter |
| 15 | + * and apply via `filters: ['csrf']` on unsafe-method routes. |
| 16 | + * |
| 17 | + * @package Neuron\Mvc\Security |
| 18 | + */ |
| 19 | +class CsrfFilter extends Filter |
| 20 | +{ |
| 21 | + private CsrfToken $_csrfToken; |
| 22 | + |
| 23 | + /** @var list<string> */ |
| 24 | + private array $_exemptMethods = [ 'GET', 'HEAD', 'OPTIONS' ]; |
| 25 | + |
| 26 | + public function __construct( CsrfToken $csrfToken ) |
| 27 | + { |
| 28 | + $this->_csrfToken = $csrfToken; |
| 29 | + |
| 30 | + parent::__construct( |
| 31 | + function( RouteMap $route ) { $this->validateCsrfToken( $route ); }, |
| 32 | + null |
| 33 | + ); |
| 34 | + } |
| 35 | + |
| 36 | + /** |
| 37 | + * Validate the request's CSRF token. |
| 38 | + * |
| 39 | + * @throws CsrfValidationException When the token is missing or invalid |
| 40 | + */ |
| 41 | + protected function validateCsrfToken( RouteMap $route ): void |
| 42 | + { |
| 43 | + $method = $_SERVER[ 'REQUEST_METHOD' ] ?? 'GET'; |
| 44 | + |
| 45 | + if( in_array( strtoupper( $method ), $this->_exemptMethods, true ) ) |
| 46 | + { |
| 47 | + return; |
| 48 | + } |
| 49 | + |
| 50 | + $token = $this->getTokenFromRequest(); |
| 51 | + |
| 52 | + if( !$token ) |
| 53 | + { |
| 54 | + Log::warning( 'CSRF token missing from request' ); |
| 55 | + throw new CsrfValidationException( |
| 56 | + 'CSRF token missing from request', |
| 57 | + 'CSRF token missing' |
| 58 | + ); |
| 59 | + } |
| 60 | + |
| 61 | + if( !$this->_csrfToken->validate( $token ) ) |
| 62 | + { |
| 63 | + Log::warning( 'Invalid CSRF token' ); |
| 64 | + throw new CsrfValidationException( |
| 65 | + 'Invalid CSRF token provided', |
| 66 | + 'Invalid CSRF token' |
| 67 | + ); |
| 68 | + } |
| 69 | + } |
| 70 | + |
| 71 | + /** |
| 72 | + * Extract the CSRF token from the POST body or X-CSRF-Token header. |
| 73 | + */ |
| 74 | + private function getTokenFromRequest(): ?string |
| 75 | + { |
| 76 | + $token = \Neuron\Data\Filters\Post::filterScalar( 'csrf_token' ); |
| 77 | + |
| 78 | + if( $token ) |
| 79 | + { |
| 80 | + return $token; |
| 81 | + } |
| 82 | + |
| 83 | + if( isset( $_SERVER[ 'HTTP_X_CSRF_TOKEN' ] ) ) |
| 84 | + { |
| 85 | + return $_SERVER[ 'HTTP_X_CSRF_TOKEN' ]; |
| 86 | + } |
| 87 | + |
| 88 | + return null; |
| 89 | + } |
| 90 | +} |
0 commit comments