1 <?php
2 
3 namespace Elgg\Controllers;
4 
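/**
 * Handle a request to refresh the page's CSRF token.
 *
 * The page sends the "<timestamp>,<token>" pairs it still holds, plus the session token it was
 * rendered with. Every pair that still validates is reported back, and a freshly generated
 * action token is issued alongside the current session token and logged-in user guid.
 *
 * @param \Elgg\Http\Request $request the current request (unused; input is read via get_input())
 *
 * @return Response JSON body with keys 'token', 'valid_tokens', 'session_token' and 'user_guid'
 *
 * @throws \JsonException if the response payload can not be encoded
 */
public function __invoke(\Elgg\Http\Request $request) {
	$services = _elgg_services();
	$services->session->boot();

	// the page's session_token might have expired (not matching __elgg_session in the session), but
	// we still allow it to be given to validate the tokens in the page.
	// Both inputs are read unfiltered on purpose: they are only ever compared, never rendered.
	$session_token = get_input('session_token', null, false);
	$pairs = (array) get_input('pairs', [], false);

	// an object (not an array) so that an empty set still encodes as {} rather than []
	$valid_tokens = (object) [];

	foreach ($pairs as $pair) {
		// each entry must be a "<timestamp>,<token>" string; anything else is malformed client
		// input and is skipped instead of being passed on with a missing or non-string token
		if (!is_string($pair)) {
			continue;
		}

		$parts = explode(',', $pair, 2);
		if (count($parts) !== 2) {
			continue;
		}

		[$ts, $token] = $parts;
		if ($token === '') {
			continue;
		}

		if ($services->csrf->validateTokenOwnership($token, (int) $ts, $session_token)) {
			$valid_tokens->{$token} = true;
		}
	}

	// issue a new token bound to the current time
	$ts = $services->csrf->getCurrentTime()->getTimestamp();
	$token = $services->csrf->generateActionToken($ts);

	$data = [
		'token' => [
			'__elgg_ts' => $ts,
			'__elgg_token' => $token,
			'logged_in' => $services->session_manager->isLoggedIn(),
		],
		'valid_tokens' => $valid_tokens,
		'session_token' => $services->session->get('__elgg_session'),
		'user_guid' => $services->session_manager->getLoggedInUserGuid(),
	];

	$response = new Response();
	$response->headers->set('Content-Type', 'application/json;charset=utf-8', true);
	// the body is JSON and must never be sniffed as HTML/script by the browser
	$response->headers->set('X-Content-Type-Options', 'nosniff', true);
	// NOTE(review): this body carries a per-session secret; confirm the response layer marks it
	// Cache-Control: no-store so it is never kept by a shared cache.

	// fail loudly rather than sending "false" as the body if encoding ever breaks
	return $response->setContent(json_encode($data, JSON_THROW_ON_ERROR));
}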
57 }