src/AppBundle/Listener/CSRFListener.php line 30

Open in your IDE?
  1. <?php
  3. namespace AppBundle\Listener;
  5. use ApiBundle\ApiBundle;
  6. use Symfony\Component\DependencyInjection\ContainerInterface;
  7. use Symfony\Component\HttpFoundation\Response;
  8. use Symfony\Component\HttpKernel\Event\RequestEvent;
  9. use Symfony\Component\HttpKernel\HttpKernelInterface;
  10. use Symfony\Component\Security\Csrf\CsrfToken;
  11. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  12. use Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage;
  13. use Twig\Environment;
  15. class CSRFListener
  16. {
  17.     private $container;
  19.     private $twig;
  21.     private $csrfTokenManager;
  23.     public function __construct(ContainerInterface $containerCsrfTokenManagerInterface $csrfTokenManagerEnvironment $twig)
  24.     {
  25.         $this->container $container;
  26.         $this->csrfTokenManager $csrfTokenManager;
  27.         $this->twig $twig;
  28.     }
  30.     public function onKernelRequest(RequestEvent $event)
  31.     {
  32.         $request $event->getRequest();
  34.         if (HttpKernelInterface::MAIN_REQUEST != $event->getRequestType()) {
  35.             return;
  36.         }
  38.         if ('POST' !== $request->getMethod()) {
  39.             return;
  40.         }
  42.         if (=== stripos($request->getPathInfo(), ApiBundle::API_PREFIX)) {
  43.             return;
  44.         }
  46.         if (=== stripos($request->getPathInfo(), '/mapi')) {
  47.             return;
  48.         }
  50.         if (=== stripos($request->getPathInfo(), '/hls')) {
  51.             return;
  52.         }
  53.         if (=== stripos($request->getPathInfo(), '/callback')) {
  54.             return;
  55.         }
  57.         $whiteList $this->container->hasParameter('route_white_list') ? $this->container->getParameter('route_white_list') : [];
  59.         if (in_array($request->getPathInfo(), $whiteList)) {
  60.             return;
  61.         }
  63.         if ($request->isXmlHttpRequest()) {
  64.             $token $request->headers->get('X-CSRF-Token');
  65.         } else {
  66.             $token $request->request->get('_csrf_token''');
  67.         }
  69.         if (=== stripos($request->getPathInfo(), '/admin/app/package_update/2792/begin_upgrade') || === stripos($request->getPathInfo(), '/admin/app/package_update/check/newest/code/TRAININGMAIN')) {
  70.             $storage = new NativeSessionTokenStorage();
  71.             $newToken = new CsrfToken('site'$token);
  72.             if ($newToken->getValue() == $token) {
  73.                 return;
  74.             }
  75.         }
  76.         $request->request->remove('_csrf_token');
  79.         $isTokenValid $this->csrfTokenManager->isTokenValid(new CsrfToken('site'$token));
  80.         if ($isTokenValid) {
  81.             return;
  82.         }
  84.         $response = new Response($this->twig->render('default/message.html.twig', [
  85.             'type' => 'error',
  86.             'message' => $this->container->get('translator')->trans('页面已过期,请重新提交数据!'),
  87.             'goto' => '',
  88.             'duration' => 0,
  89.         ]), 403);
  91.         $event->setResponse($response);
  92.     }
  93. }