Add CSRF check for task and project files upload

2018-01-29 15:56:30 -08:00
parent 90984d6bb9
commit 9ddefa979a
13 changed files with 71 additions and 13 deletions
--- a/app/Core/Http/Request.php
+++ b/app/Core/Http/Request.php
@@ -111,6 +111,17 @@ class Request extends Base
        return array();
    }

+    /**
+     * Get POST value without modification
+     *
+     * @param  $name
+     * @return mixed|null
+     */
+    public function getRawValue($name)
+    {
+        return isset($this->post[$name]) ? $this->post[$name] : null;
+    }
+
    /**
     * Get the raw body of the HTTP request
     *
--- a/app/Core/Security/Token.php
+++ b/app/Core/Security/Token.php
@@ -25,21 +25,25 @@ class Token extends Base
    }

    /**
-     * Generate and store a CSRF token in the current session
+     * Generate and store a one-time CSRF token
     *
     * @access public
     * @return string  Random token
     */
    public function getCSRFToken()
    {
-        if (! session_exists('csrf')) {
-            session_set('csrf', []);
-        }
+        return $this->createSessionToken('csrf');
+    }

-        $nonce = self::getToken();
-        session_merge('csrf', [$nonce => true]);
-
-        return $nonce;
+    /**
+     * Generate and store a reusable CSRF token
+     *
+     * @access public
+     * @return string
+     */
+    public function getReusableCSRFToken()
+    {
+        return $this->createSessionToken('pcsrf');
    }

    /**
@@ -60,4 +64,26 @@ class Token extends Base

        return false;
    }
+
+    public function validateReusableCSRFToken($token)
+    {
+        $tokens = session_get('pcsrf');
+        if (isset($tokens[$token])) {
+            return true;
+        }
+
+        return false;
+    }
+
+    protected function createSessionToken($key)
+    {
+        if (! session_exists($key)) {
+            session_set($key, []);
+        }
+
+        $nonce = self::getToken();
+        session_merge($key, [$nonce => true]);
+
+        return $nonce;
+    }
 }