From 4a85bcac8c9392243ebaacfb0c58c8ae0956abf7 Mon Sep 17 00:00:00 2001
From: Dave Smith-Hayes
Date: Fri, 29 Nov 2024 15:11:59 -0500
Subject: [PATCH] Add a form key middleware for handling the form key logic

---
 app/src/Controller/User/RegisterUserAction.php | 1 +
 app/src/Controller/User/RegisterUserPage.php | 8 +++++++-
 app/src/Middleware/FormKeyMiddleware.php | 15 +++++++++++++++
 app/templates/user/register.twig | 1 +
 4 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/app/src/Controller/User/RegisterUserAction.php b/app/src/Controller/User/RegisterUserAction.php
index b408c38..005c3ea 100644
--- a/app/src/Controller/User/RegisterUserAction.php
+++ b/app/src/Controller/User/RegisterUserAction.php
@@ -27,6 +27,7 @@ class RegisterUserAction extends Controller
         $success = $this->userRepository->create($user);
 
         if ($success) {
+            $this->session->delete("form_key");
             return $this->render('user/success.twig');
         } else {
             $this->session
diff --git a/app/src/Controller/User/RegisterUserPage.php b/app/src/Controller/User/RegisterUserPage.php
index a98d4a7..81a6d29 100644
--- a/app/src/Controller/User/RegisterUserPage.php
+++ b/app/src/Controller/User/RegisterUserPage.php
@@ -2,13 +2,19 @@
 
 namespace Slovocast\Controller\User;
 
+use Odan\Session\SessionInterface;
 use Psr\Http\Message\ResponseInterface as Response;
 use Slovocast\Controller\Controller;
 
 class RegisterUserPage extends Controller
 {
+    public function __construct(
+        private SessionInterface $session
+    ) { }
+
     public function handle(): Response
     {
-        return $this->render('user/register.twig');
+        $formKey = $this->session->get("form_key");
+        return $this->render('user/register.twig', [ 'form_key' => $formKey ]);
     }
 }
diff --git a/app/src/Middleware/FormKeyMiddleware.php b/app/src/Middleware/FormKeyMiddleware.php
index b510d3a..ef822ea 100644
--- a/app/src/Middleware/FormKeyMiddleware.php
+++ b/app/src/Middleware/FormKeyMiddleware.php
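Review bot: `$this->session->delete("form_key");` duplicates the deletion FormKeyMiddleware already performs before this action runs on a valid POST, so one of the two is dead code and the key's lifecycle has two owners; the middleware is the natural single owner, and this line should go. If it is kept deliberately, the literal should at least match the middleware's `'form_key'` spelling — better, every site should read one shared constant such as `FormKeyMiddleware::SESSION_KEY` (constant to be added). The enclosing method starts and ends outside the hunk.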
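Review bot: The new `__construct` does not call `parent::__construct(...)`; if `Controller` has its own constructor (its `render()` helper presumably needs a view engine — confirm against the base class), this override silently drops that wiring and `render()` will fail at runtime. The promoted property should also be `private readonly SessionInterface $session` since it is never reassigned, and the `"form_key"` literal here is the third copy of the session key across this patch — read it from one shared constant instead. Neither the base class nor the route wiring is visible in the hunk, so whether the middleware is attached to the GET route (and thus whether `get("form_key")` can return null here) cannot be confirmed from this diff.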
@@ -22,6 +22,21 @@ class FormKeyMiddleware implements MiddlewareInterface
             $this->session->set("form_key", $uuid->toString());
         }
 
+        // check if the reuquest is a POST
+        // check for the form_key value
+        // return a 403 if the form key does not match
+        if ($request->getMethod() === "POST") {
+            $parsedBody = $request->getParsedBody();
+            $sessionFormKey = $this->session->get('form_key');
+
+            if (isset($parsedBody['form_key'])) {
+                if ($parsedBody['form_key'] === $sessionFormKey) {
+                    $this->session->delete('form_key');
+                    return $handler->handle($request);
+                }
+            }
+        }
+
         return $handler->handle($request);
     }
 }
diff --git a/app/templates/user/register.twig b/app/templates/user/register.twig
index d677800..7d32891 100644
--- a/app/templates/user/register.twig
+++ b/app/templates/user/register.twig
@@ -7,6 +7,7 @@
 {% block content %}
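Review bot: The comment promises a 403 on a mismatched form key, but no branch in the new block ever rejects: a missing key, a non-matching key, or a non-array parsed body all fall through to the final `$handler->handle($request)`, so the check enforces nothing and the only observable effect is deleting the session key on a match. The POST branch should refuse before delegating, and since this file has no way to build a response in view, that needs either an injected `Psr\Http\Message\ResponseFactoryInterface` or, if the app is Slim 4 (the `Odan\Session` dependency suggests it — confirm), throwing `Slim\Exception\HttpForbiddenException`. While there, compare with `hash_equals()` after confirming both sides are strings, because `getParsedBody()` may return null or an object and a submitted `form_key[]` arrives as an array, which would make a strict comparison or `hash_equals()` misbehave. The enclosing `process()` method, including the condition guarding the `session->set` call, starts outside the hunk, and `reuquest` in the first added comment is a typo.

```php
        // … unchanged: per-session form_key generation above …
        if ($request->getMethod() === 'POST') {
            $parsedBody = $request->getParsedBody();
            $submitted = is_array($parsedBody) ? ($parsedBody['form_key'] ?? null) : null;
            $expected = $this->session->get('form_key');

            // Reject when either side is missing, non-string, or the values differ;
            // hash_equals() keeps the comparison constant-time.
            if (!is_string($submitted) || !is_string($expected) || !hash_equals($expected, $submitted)) {
                throw new HttpForbiddenException($request, 'Invalid form key');
            }

            // Key is single-use: consume it so a replayed POST is rejected.
            $this->session->delete('form_key');
        }

        return $handler->handle($request);
```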
+