将CSRF TOKEN参数添加到symfony路由

时间:2016-03-31 22:02:06

标签: php symfony routes csrf silex

我的routes.yml中有一些路线

    # Home page
    adminHomePage:
         path:     /admin
         defaults: { _controller: Themes\Controllers\DashboardController::indexAction }
            loginRoutes:
                resource: "routing/login.yml"

..........and so on..

我需要“追加”所有路线CSRF TOKEN param(键/ CSRF_TOKEN)。 所以我的常规路线看起来像:

http://example.com/admin

应该是

http://example.com/admin/key/CSRF_TOKEN

但我不想编辑我的yml文件,所以我想我需要覆盖一些php类。

Like Magento do, add secret key to URL for CSRF (Cross-site request forgery) Attack Prevention.

你能帮忙吗?

由于

1 个答案:

答案 0 :(得分:1)

可能这不是一个好的决定,但它很快并且应该有效 您可以编写自定义UrlGenerator,将令牌附加到网址

namespace nnn;

class UrlGenerator extends \Symfony\Component\Routing\Generator\UrlGenerator
{
    protected $csrfToken;

    protected function doGenerate($variables, $defaults, $requirements, $tokens, $parameters, $name, $referenceType, $hostTokens, array $requiredSchemes = array())
    {
        $url = parent::doGenerate($variables, $defaults, $requirements, $tokens, $parameters, $name, $referenceType, $hostTokens, $requiredSchemes);

        if (isset($this->csrfToken)) {
            $url = rtrim($url, '/') . '/key/' . $this->csrfToken;
        }

        return $url;
    }
}

UrlMatcher将从网址中删除令牌

namespace nnn;

class RedirectableUrlMatcher extends \Silex\RedirectableUrlMatcher
{
    protected function matchCollection($pathinfo, \Symfony\Component\Routing\RouteCollection $routes)
    {
        $pathinfo = preg_replace('~/key/.+?(/|$)~', '$1', $pathinfo);
        if ($pathinfo == '') $pathinfo = '/';

        return parent::matchCollection($pathinfo, $routes);
    }
}

并配置应用程序

$app['url_generator'] = $app->share(function ($app) {
    $app->flush();

    $urlGenerator = new \nnn\UrlGenerator($app['routes'], $app['request_context']);
    $urlGenerator->setCsrfToken('1234567890');

    return $urlGenerator;
});

$app['url_matcher'] = $app->share(function () use ($app) {
    return new \nnn\RedirectableUrlMatcher($app['routes'], $app['request_context']);
});

$app['dispatcher']->addListener(\Symfony\Component\HttpKernel\KernelEvents::REQUEST, function($event) use ($app) {
    $request = $event->getRequest();
    $path = $request->getPathInfo();
    if (\preg_match('~/key/(.+?)(?:/|$)~', $path, $matches)) {
        $request->attributes->set('_csrfToken', $matches[1]);
    }
}, 1024);

$app->run();

可以通过$app['request']->get('_csrfToken')

在控制器中访问令牌
相关问题
最新问题