1 <?php
2 
3 namespace Elgg\Controllers;
4 
6 
13 
21  public function __invoke(\Elgg\Http\Request $request) {
22 
23  _elgg_services()->session->boot();
24 
25  // the page's session_token might have expired (not matching __elgg_session in the session), but
26  // we still allow it to be given to validate the tokens in the page.
27  $session_token = get_input('session_token', null, false);
28  $pairs = (array) get_input('pairs', [], false);
29  $valid_tokens = (object) [];
30 
31  foreach ($pairs as $pair) {
32  list($ts, $token) = explode(',', $pair, 2);
33  if (_elgg_services()->csrf->validateTokenOwnership($token, (int) $ts, $session_token)) {
34  $valid_tokens->{$token} = true;
35  }
36  }
37 
38  $ts = _elgg_services()->csrf->getCurrentTime()->getTimestamp();
39  $token = _elgg_services()->csrf->generateActionToken($ts);
40 
41  $data = [
42  'token' => [
43  '__elgg_ts' => $ts,
44  '__elgg_token' => $token,
45  'logged_in' => _elgg_services()->session->isLoggedIn(),
46  ],
47  'valid_tokens' => $valid_tokens,
48  'session_token' => _elgg_services()->session->get('__elgg_session'),
49  'user_guid' => _elgg_services()->session->getLoggedInUserGuid(),
50  ];
51 
52  $response = new Response();
53  $response->headers->set('Content-Type', "application/json;charset=utf-8", true);
54  $response->headers->set('X-Content-Type-Options', 'nosniff', true);
55 
56  return $response->setContent(json_encode($data));
57  }
58 
59 }