Elgg  Version master
Csrf.php
Go to the documentation of this file.
1 <?php
2 
3 namespace Elgg\Security;
4 
5 use Elgg\Config;
6 use Elgg\Exceptions\Http\CsrfException;
7 use Elgg\Request;
8 use Elgg\Traits\TimeUsing;
9 
13 class Csrf {
14 
15  use TimeUsing;
16 
20  protected $config;
21 
25  protected $session;
26 
30  protected $crypto;
31 
35  protected $hmac;
36 
45  public function __construct(
46  Config $config,
47  \ElggSession $session,
48  Crypto $crypto,
49  HmacFactory $hmac
50  ) {
51 
52  $this->config = $config;
53  $this->session = $session;
54  $this->crypto = $crypto;
55  $this->hmac = $hmac;
56  }
57 
66  public function validate(Request $request) {
67  $token = $request->getParam('__elgg_token');
68  $ts = $request->getParam('__elgg_ts');
69 
70  $session_id = $this->session->getID();
71 
72  if (($token) && ($ts) && ($session_id)) {
73  if ($this->validateTokenOwnership($token, $ts)) {
74  if ($this->validateTokenTimestamp($ts)) {
75  // We have already got this far, so unless anything
76  // else says something to the contrary we assume we're ok
77  $returnval = $request->elgg()->events->triggerResults('action_gatekeeper:permissions:check', 'all', [
78  'token' => $token,
79  'time' => $ts
80  ], true);
81 
82  if ($returnval) {
83  return;
84  } else {
85  throw new CsrfException($request->elgg()->translator->translate('actiongatekeeper:pluginprevents'));
86  }
87  } else {
88  // this is necessary because of #5133
89  if ($request->isXhr()) {
90  throw new CsrfException($request->elgg()->translator->translate(
91  'js:security:token_refresh_failed',
92  [$this->config->wwwroot]
93  ));
94  } else {
95  throw new CsrfException($request->elgg()->translator->translate('actiongatekeeper:timeerror'));
96  }
97  }
98  } else {
99  // this is necessary because of #5133
100  if ($request->isXhr()) {
101  throw new CsrfException($request->elgg()->translator->translate('js:security:token_refresh_failed', [$this->config->wwwroot]));
102  } else {
103  throw new CsrfException($request->elgg()->translator->translate('actiongatekeeper:tokeninvalid'));
104  }
105  }
106  } else {
107  $error_msg = $request->elgg()->translator->translate('actiongatekeeper:missingfields');
108  throw new CsrfException($error_msg);
109  }
110  }
111 
122  public function isValidToken($token, $ts) {
123  return $this->validateTokenOwnership($token, $ts) && $this->validateTokenTimestamp($ts);
124  }
125 
133  protected function validateTokenTimestamp($ts) {
134  $timeout = $this->getActionTokenTimeout();
135  $now = $this->getCurrentTime()->getTimestamp();
136 
137  return ($timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout));
138  }
139 
149  public function getActionTokenTimeout() {
150  // default to 2 hours
151  $timeout = 2;
152  if ($this->config->hasValue('action_token_timeout')) {
153  // timeout set in config
154  $timeout = $this->config->action_token_timeout;
155  }
156 
157  $hour = 60 * 60;
158 
159  return (int) ((float) $timeout * $hour);
160  }
161 
172  public function validateTokenOwnership($token, $timestamp, $session_token = '') {
173  $required_token = $this->generateActionToken($timestamp, $session_token);
174 
175  return $this->crypto->areEqual($token, $required_token);
176  }
177 
187  public function generateActionToken($timestamp, $session_token = '') {
188  if (!$session_token) {
189  $session_token = $this->session->get('__elgg_session');
190  if (!$session_token) {
191  return false;
192  }
193  }
194 
195  return $this->hmac
196  ->getHmac([(int) $timestamp, $session_token], 'md5')
197  ->getToken();
198  }
199 }
ElggSession
Elgg Session Management.
Definition: ElggSession.php:19
Elgg\Exceptions\Http\CsrfException
Thrown when CSRF tokens mismatch.
Definition: CsrfException.php:10
Elgg\Request
Request container.
Definition: Request.php:12
Elgg\Security\Crypto
Cryptographic services.
Definition: Crypto.php:12
Elgg\Security\Csrf
CSRF Protection.
Definition: Csrf.php:13
Elgg\Security\Csrf\isValidToken
isValidToken($token, $ts)
Basic token validation.
Definition: Csrf.php:122
Elgg\Security\Csrf\generateActionToken
generateActionToken($timestamp, $session_token='')
Generate a token from a session token (specifying the user), the timestamp, and the site key.
Definition: Csrf.php:187
Elgg\Security\Csrf\validate
validate(Request $request)
Validate CSRF tokens present in the request.
Definition: Csrf.php:66
Elgg\Security\Csrf\validateTokenOwnership
validateTokenOwnership($token, $timestamp, $session_token='')
Was the given token generated for the session defined by session_token?
Definition: Csrf.php:172
Elgg\Security\Csrf\getActionTokenTimeout
getActionTokenTimeout()
Returns the action token timeout in seconds.
Definition: Csrf.php:149
Elgg\Security\Csrf\__construct
__construct(Config $config, \ElggSession $session, Crypto $crypto, HmacFactory $hmac)
Constructor.
Definition: Csrf.php:45
Elgg\Security\Csrf\validateTokenTimestamp
validateTokenTimestamp($ts)
Is the token timestamp within acceptable range?
Definition: Csrf.php:133
Elgg\Security\HmacFactory
Provides a factory for HMAC objects.
Definition: HmacFactory.php:10
$timestamp
$timestamp
Definition: date.php:34
$request
$request
Definition: livesearch.php:12
$token
$token
Definition: securitytoken.php:9
$ts
$ts
CSRF security token view for use with secure forms.
Definition: securitytoken.php:8
Generated on Fri Aug 29 2025 00:01:58 for Elgg by doxygen 1.9.1