Add a form key middleware for handling the form key logic
This commit is contained in:
parent
711441c8ef
commit
4a85bcac8c
@ -27,6 +27,7 @@ class RegisterUserAction extends Controller
|
|||||||
$success = $this->userRepository->create($user);
|
$success = $this->userRepository->create($user);
|
||||||
|
|
||||||
if ($success) {
|
if ($success) {
|
||||||
|
$this->session->delete("form_key");
|
||||||
return $this->render('user/success.twig');
|
return $this->render('user/success.twig');
|
||||||
} else {
|
} else {
|
||||||
$this->session
|
$this->session
|
||||||
|
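Review bot: The `$this->session->delete("form_key")` added to the success branch duplicates work that FormKeyMiddleware in this same commit already performs before the handler runs (it deletes the key on a match), so whenever the middleware is attached to this route the key is gone by the time this line executes. If the intent is belt-and-braces, a comment such as `// Key is normally consumed by FormKeyMiddleware; cleared here too in case the route bypasses it` would stop the next reader from deleting one of the two. The literal is also spelled `"form_key"` here and `'form_key'` in the middleware and page; a single shared constant, e.g. `FormKeyMiddleware::SESSION_KEY`, would keep the three call sites in step. Because the middleware consumes the key before the handler runs, whatever the `else` branch renders or redirects to only gets a fresh key on a later request that passes through the middleware — worth confirming against the routing, which is outside this hunk. The enclosing method starts and ends outside the hunk.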
@ -2,13 +2,19 @@
|
|||||||
|
|
||||||
namespace Slovocast\Controller\User;
|
namespace Slovocast\Controller\User;
|
||||||
|
|
||||||
|
use Odan\Session\SessionInterface;
|
||||||
use Psr\Http\Message\ResponseInterface as Response;
|
use Psr\Http\Message\ResponseInterface as Response;
|
||||||
use Slovocast\Controller\Controller;
|
use Slovocast\Controller\Controller;
|
||||||
|
|
||||||
class RegisterUserPage extends Controller
|
class RegisterUserPage extends Controller
|
||||||
{
|
{
|
||||||
|
public function __construct(
|
||||||
|
private SessionInterface $session
|
||||||
|
) { }
|
||||||
|
|
||||||
public function handle(): Response
|
public function handle(): Response
|
||||||
{
|
{
|
||||||
return $this->render('user/register.twig');
|
$formKey = $this->session->get("form_key");
|
||||||
|
return $this->render('user/register.twig', [ 'form_key' => $formKey ]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
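Review bot: `handle()` renders whatever the session holds under `form_key`, including null when nothing upstream has populated it; Twig then emits an empty hidden field and every submission fails the middleware check, which is the safe outcome but an opaque one to debug, and nothing in this class says where the value is expected to come from. A docblock would make the dependency explicit: `/** Renders the registration form. Expects `form_key` to already be in the session (FormKeyMiddleware in this commit sets it on request). */`. Style: PER-CS writes an empty constructor body as `) {}` rather than `) { }`, and the promoted property could be `private readonly SessionInterface $session` since it is never reassigned.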
@ -22,6 +22,21 @@ class FormKeyMiddleware implements MiddlewareInterface
|
|||||||
$this->session->set("form_key", $uuid->toString());
|
$this->session->set("form_key", $uuid->toString());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// check if the reuquest is a POST
|
||||||
|
// check for the form_key value
|
||||||
|
// return a 403 if the form key does not match
|
||||||
|
if ($request->getMethod() === "POST") {
|
||||||
|
$parsedBody = $request->getParsedBody();
|
||||||
|
$sessionFormKey = $this->session->get('form_key');
|
||||||
|
|
||||||
|
if (isset($parsedBody['form_key'])) {
|
||||||
|
if ($parsedBody['form_key'] === $sessionFormKey) {
|
||||||
|
$this->session->delete('form_key');
|
||||||
|
return $handler->handle($request);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return $handler->handle($request);
|
return $handler->handle($request);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
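Review bot: A POST whose `form_key` is missing or does not match the session value still reaches the handler — both inner `if` blocks fall through to the final `return $handler->handle($request);`, so the 403 that the comment above the branch promises is never produced and the check currently enforces nothing. The comparison should also use `hash_equals()` rather than `===` so the secret is compared in constant time, and the body needs guarding as an array holding a string, since `getParsedBody()` may return null or an object and `hash_equals()` throws a TypeError on non-strings. Returning a response needs something the hunk does not show, presumably a PSR-17 `ResponseFactoryInterface` injected alongside the session; the constructor and the key-generation branch at the top of `process()` are outside the hunk. Deleting the token before the comparison keeps it single-use on failure as well as on success.

```php
if ($request->getMethod() === 'POST') {
    $parsedBody = $request->getParsedBody();
    $submitted = is_array($parsedBody) ? ($parsedBody['form_key'] ?? null) : null;
    $sessionFormKey = $this->session->get('form_key');
    // Single-use: drop the token before deciding so a failed attempt cannot retry the same value.
    $this->session->delete('form_key');
    if (!is_string($submitted) || !is_string($sessionFormKey) || !hash_equals($sessionFormKey, $submitted)) {
        return $this->responseFactory->createResponse(403);
    }
}
// … unchanged: pass the request on to the next handler …
return $handler->handle($request);
```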
@ -7,6 +7,7 @@
|
|||||||
{% block content %}
|
{% block content %}
|
||||||
<div>
|
<div>
|
||||||
<form action="/register" method="post" id="login-form">
|
<form action="/register" method="post" id="login-form">
|
||||||
|
<input name="form_key" type="hidden" value="{{ form_key }}">
|
||||||
<div>
|
<div>
|
||||||
<label for="name">Name<br>
|
<label for="name">Name<br>
|
||||||
<input name="name" type="text" required>
|
<input name="name" type="text" required>
|
||||||
|
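Review bot: The hidden `form_key` input should carry `autocomplete="off"`: `<input name="form_key" type="hidden" value="{{ form_key }}" autocomplete="off">`. Firefox restores hidden field values from a cached page on back or reload, and because the middleware in this commit consumes the key on use, a restored stale value would be rejected once the middleware actually refuses mismatches. This assumes the template is rendered with Twig autoescaping enabled, which is the default; the value is a session-generated UUID so escaping is a formality, but it should stay on.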