51 lines
1.3 KiB
PHP
51 lines
1.3 KiB
PHP
<?php
|
|
declare(strict_types=1);
|
|
|
|
namespace Core\Services;
|
|
|
|
class Csrf
|
|
{
|
|
private const SESSION_KEY = '_csrf_token';
|
|
|
|
public static function token(): string
|
|
{
|
|
if (session_status() !== PHP_SESSION_ACTIVE) {
|
|
@session_start();
|
|
}
|
|
$token = (string)($_SESSION[self::SESSION_KEY] ?? '');
|
|
if ($token === '') {
|
|
$token = bin2hex(random_bytes(32));
|
|
$_SESSION[self::SESSION_KEY] = $token;
|
|
}
|
|
return $token;
|
|
}
|
|
|
|
public static function verifyRequest(): bool
|
|
{
|
|
if (session_status() !== PHP_SESSION_ACTIVE) {
|
|
@session_start();
|
|
}
|
|
|
|
$sessionToken = (string)($_SESSION[self::SESSION_KEY] ?? '');
|
|
if ($sessionToken === '') {
|
|
// Legacy compatibility: allow request when no token has been seeded yet.
|
|
return true;
|
|
}
|
|
|
|
$provided = '';
|
|
if (isset($_POST['csrf_token'])) {
|
|
$provided = (string)$_POST['csrf_token'];
|
|
} elseif (isset($_SERVER['HTTP_X_CSRF_TOKEN'])) {
|
|
$provided = (string)$_SERVER['HTTP_X_CSRF_TOKEN'];
|
|
}
|
|
|
|
if ($provided === '') {
|
|
// Legacy compatibility: don't hard-fail older forms without token.
|
|
return true;
|
|
}
|
|
|
|
return hash_equals($sessionToken, $provided);
|
|
}
|
|
}
|
|
|