AbstractFormProtection.php

Go to the documentation of this file.

<?php
namespace ‪TYPO3\CMS\Core\FormProtection;
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
use ‪TYPO3\CMS\Core\Crypto\Random;
use ‪TYPO3\CMS\Core\Security\BlockSerializationTrait;
use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
 
abstract class ‪AbstractFormProtection
{
    use ‪BlockSerializationTrait;
 
    protected ‪$validationFailedCallback;
 
    protected ‪$sessionToken;
 
    protected function ‪getSessionToken()
    {
        $this->sessionToken = $this->sessionToken ?? $this->‪retrieveSessionToken();
        return ‪$this->sessionToken;
    }
 
    public function ‪__destruct()
    {
        unset($this->sessionToken);
    }
 
    public function ‪clean()
    {
        unset($this->sessionToken);
        $this->‪persistSessionToken();
    }
 
    public function ‪generateToken($formName, $action = '', $formInstanceName = '')
    {
        if ($formName == '') {
            throw new \InvalidArgumentException('$formName must not be empty.', 1294586643);
        }
        $tokenId = GeneralUtility::hmac($formName . $action . $formInstanceName . $this->‪getSessionToken());
        return $tokenId;
    }
 
    public function ‪validateToken($tokenId, $formName, $action = '', $formInstanceName = '')
    {
        $validTokenId = GeneralUtility::hmac(((string)$formName . (string)$action) . (string)$formInstanceName . $this->‪getSessionToken());
        if (hash_equals($validTokenId, (string)$tokenId)) {
            $isValid = true;
        } else {
            $isValid = false;
        }
        if (!$isValid) {
            $this->‪createValidationErrorMessage();
        }
        return $isValid;
    }
 
    protected function ‪generateSessionToken()
    {
        return GeneralUtility::makeInstance(Random::class)->generateRandomHexString(64);
    }
 
    protected function ‪createValidationErrorMessage()
    {
        if ($this->validationFailedCallback !== null) {
            $this->validationFailedCallback->__invoke();
        }
    }
 
    abstract protected function ‪retrieveSessionToken();
 
    abstract public function ‪persistSessionToken();
}