| <?php | |
| /** | |
| * @file | |
| * Contains \Drupal\Core\Access\CsrfTokenGenerator. | |
| */ | |
| namespace Drupal\Core\Access; | |
| use Drupal\Component\Utility\Crypt; | |
| use Drupal\Core\PrivateKey; | |
| use Drupal\Core\Session\MetadataBag; | |
| use Drupal\Core\Site\Settings; | |
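/**
 * Generates and validates CSRF tokens.
 *
 * A token is an HMAC over the caller-supplied $value, keyed with a random
 * per-session seed, the site private key and the hash salt. Because the seed
 * is stored in the session metadata bag, a token only validates within the
 * session that minted it.
 *
 * @see \Drupal\Tests\Core\Access\CsrfTokenGeneratorTest
 */
class CsrfTokenGenerator {

  /**
   * The private key service.
   *
   * @var \Drupal\Core\PrivateKey
   */
  protected $privateKey;

  /**
   * The session metadata bag.
   *
   * @var \Drupal\Core\Session\MetadataBag
   */
  protected $sessionMetadata;

  /**
   * Constructs the token generator.
   *
   * @param \Drupal\Core\PrivateKey $private_key
   *   The private key service.
   * @param \Drupal\Core\Session\MetadataBag $session_metadata
   *   The session metadata bag.
   */
  public function __construct(PrivateKey $private_key, MetadataBag $session_metadata) {
    $this->privateKey = $private_key;
    $this->sessionMetadata = $session_metadata;
  }

  /**
   * Generates a token based on $value, the user session, and the private key.
   *
   * The generated token is based on the session of the current user. Normally,
   * anonymous users do not have a session, so the generated token will be
   * different on every page request. To generate a token for users without a
   * session, manually start a session prior to calling this function.
   *
   * The first call in a session lazily creates the per-session seed and stores
   * it in the session metadata bag; later calls, and validate(), reuse it.
   *
   * @param string $value
   *   (optional) An additional value to base the token on.
   *
   * @return string
   *   A 43-character URL-safe token for validation, based on the token seed,
   *   the hash salt provided by Settings::getHashSalt(), and the
   *   'drupal_private_key' configuration variable.
   *
   * @see \Drupal\Core\Site\Settings::getHashSalt()
   * @see \Symfony\Component\HttpFoundation\Session\SessionInterface::start()
   */
  public function get($value = '') {
    $seed = $this->sessionMetadata->getCsrfTokenSeed();
    // empty() also treats the string '0' as "no seed"; a random base64 seed is
    // never that, so this is only the missing/NULL case in practice.
    if (empty($seed)) {
      // No seed for this session yet: mint a random one and persist it so the
      // same token can be recomputed by validate().
      $seed = Crypt::randomBytesBase64();
      $this->sessionMetadata->setCsrfTokenSeed($seed);
    }
    return $this->computeToken($seed, $value);
  }

  /**
   * Validates a token based on $value, the user session, and the private key.
   *
   * The comparison uses hash_equals() (PHP >= 5.6) so that the time taken does
   * not depend on how many leading bytes of $token are correct. A plain
   * string comparison short-circuits at the first mismatch, which lets an
   * attacker who can measure response timing recover the expected token
   * byte by byte.
   *
   * @param string $token
   *   The token to be validated. Non-string values (for example an array
   *   smuggled in through a query parameter) are rejected, not coerced.
   * @param string $value
   *   (optional) An additional value to base the token on.
   *
   * @return bool
   *   TRUE for a valid token, FALSE for an invalid token or when the current
   *   session has no token seed (no token was ever generated for it).
   */
  public function validate($token, $value = '') {
    // hash_equals() requires two strings; anything else cannot be a token we
    // issued, so fail closed rather than letting PHP throw or coerce.
    if (!is_string($token)) {
      return FALSE;
    }
    $seed = $this->sessionMetadata->getCsrfTokenSeed();
    if (empty($seed)) {
      return FALSE;
    }
    // Constant-time comparison; the known-good value is the first argument.
    return hash_equals($this->computeToken($seed, $value), $token);
  }

  /**
   * Generates a token based on $value, the token seed, and the private key.
   *
   * @param string $seed
   *   The per-session token seed.
   * @param string $value
   *   (optional) An additional value to base the token on.
   *
   * @return string
   *   A 43-character URL-safe token for validation, based on the token seed,
   *   the hash salt provided by Settings::getHashSalt(), and the
   *   'drupal_private_key' configuration variable.
   *
   * @see \Drupal\Core\Site\Settings::getHashSalt()
   */
  protected function computeToken($seed, $value = '') {
    // NOTE(review): the HMAC key is the bare concatenation of seed, private key
    // and hash salt with no delimiter. That is only unambiguous while the seed
    // has a fixed length (presumably true for the base64 seed minted in get()
    // — confirm against Crypt::randomBytesBase64()); a variable-length seed
    // would let distinct (seed, key) pairs collapse to the same key string.
    return Crypt::hmacBase64($value, $seed . $this->privateKey->get() . Settings::getHashSalt());
  }

}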