dsh/slovocast
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add a form key middleware for handling the form key logic

Browse Source
This commit is contained in:
Dave Smith-Hayes 2024-11-29 15:11:59 -05:00
parent 711441c8ef
commit 4a85bcac8c
4 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
app/src/Controller/User/RegisterUserAction.php
View File

@ -27,6 +27,7 @@ class RegisterUserAction extends Controller
$success = $this->userRepository->create($user);
if ($success) {
$this->session->delete("form_key");
return $this->render('user/success.twig');
} else {
$this->session

8
app/src/Controller/User/RegisterUserPage.php
View File

@ -2,13 +2,19 @@
namespace Slovocast\Controller\User;
use Odan\Session\SessionInterface;
use Psr\Http\Message\ResponseInterface as Response;
use Slovocast\Controller\Controller;
class RegisterUserPage extends Controller
{
public function __construct(
private SessionInterface $session
) { }
public function handle(): Response
{
return $this->render('user/register.twig');
$formKey = $this->session->get("form_key");
return $this->render('user/register.twig', [ 'form_key' => $formKey ]);
}
}

15
app/src/Middleware/FormKeyMiddleware.php
View File

@ -22,6 +22,21 @@ class FormKeyMiddleware implements MiddlewareInterface
$this->session->set("form_key", $uuid->toString());
}
// check if the reuquest is a POST
// check for the form_key value
// return a 403 if the form key does not match
if ($request->getMethod() === "POST") {
$parsedBody = $request->getParsedBody();
$sessionFormKey = $this->session->get('form_key');
if (isset($parsedBody['form_key'])) {
if ($parsedBody['form_key'] === $sessionFormKey) {
$this->session->delete('form_key');
return $handler->handle($request);
}
}
}
return $handler->handle($request);
}
}

1
app/templates/user/register.twig
View File

@ -7,6 +7,7 @@
{% block content %}
<div>
<form action="/register" method="post" id="login-form">
<input name="form_key" type="hidden" value="{{ form_key }}">
<div>
<label for="name">Name<br>
<input name="name" type="text" required>