main/_abstract_form_protection_8php_source.html

<?php


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


namespace ‪TYPO3\CMS\Core\FormProtection;


use ‪TYPO3\CMS\Core\Crypto\HashService;

use ‪TYPO3\CMS\Core\Crypto\Random;

use ‪TYPO3\CMS\Core\Security\BlockSerializationTrait;

use ‪TYPO3\CMS\Core\Utility\GeneralUtility;


abstract class ‪AbstractFormProtection

{

    use ‪BlockSerializationTrait;


    protected ‪$validationFailedCallback;


    protected ‪$sessionToken;


    protected function ‪getSessionToken()

    {

        $this->sessionToken = $this->sessionToken ?? $this->‪retrieveSessionToken();

        return ‪$this->sessionToken;

    }


    public function ‪clean()

    {

        $this->sessionToken = '';

        $this->‪persistSessionToken();

    }


    public function ‪generateToken($formName, $action = '', $formInstanceName = '')

    {

        if ($formName == '') {

            throw new \InvalidArgumentException('$formName must not be empty.', 1294586643);

        }

        $hashService = GeneralUtility::makeInstance(HashService::class);

        return $hashService->hmac($formName . $action . $formInstanceName . $this->‪getSessionToken(), self::class);

    }


    public function ‪validateToken($tokenId, $formName, $action = '', $formInstanceName = '')

    {

        $hashService = GeneralUtility::makeInstance(HashService::class);

        $validTokenId = $hashService->hmac(((string)$formName . (string)$action) . (string)$formInstanceName . $this->‪getSessionToken(), self::class);

        if (hash_equals($validTokenId, (string)$tokenId)) {

            $isValid = true;

        } else {

            $isValid = false;

        }

        if (!$isValid) {

            $this->‪createValidationErrorMessage();

        }

        return $isValid;

    }


    protected function ‪generateSessionToken()

    {

        return GeneralUtility::makeInstance(Random::class)->generateRandomHexString(64);

    }


    protected function ‪createValidationErrorMessage()

    {

        if ($this->validationFailedCallback !== null) {

            $this->validationFailedCallback->__invoke();

        }

    }


    abstract protected function ‪retrieveSessionToken();


    abstract public function ‪persistSessionToken();

}