CsrfTokenManager.php 2.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright Copyright (c) 2016, ownCloud, Inc.
  5. *
  6. * @author Lukas Reschke <lukas@statuscode.ch>
  7. *
  8. * @license AGPL-3.0
  9. *
  10. * This code is free software: you can redistribute it and/or modify
  11. * it under the terms of the GNU Affero General Public License, version 3,
  12. * as published by the Free Software Foundation.
  13. *
  14. * This program is distributed in the hope that it will be useful,
  15. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. * GNU Affero General Public License for more details.
  18. *
  19. * You should have received a copy of the GNU Affero General Public License, version 3,
  20. * along with this program. If not, see <http://www.gnu.org/licenses/>
  21. *
  22. */
  23. namespace OC\Security\CSRF;
  24. use OC\Security\CSRF\TokenStorage\SessionStorage;
  25. /**
  26. * Class CsrfTokenManager is the manager for all CSRF token related activities.
  27. *
  28. * @package OC\Security\CSRF
  29. */
  30. class CsrfTokenManager {
  31. /** @var CsrfTokenGenerator */
  32. private $tokenGenerator;
  33. /** @var SessionStorage */
  34. private $sessionStorage;
  35. /** @var CsrfToken|null */
  36. private $csrfToken = null;
  37. /**
  38. * @param CsrfTokenGenerator $tokenGenerator
  39. * @param SessionStorage $storageInterface
  40. */
  41. public function __construct(CsrfTokenGenerator $tokenGenerator,
  42. SessionStorage $storageInterface) {
  43. $this->tokenGenerator = $tokenGenerator;
  44. $this->sessionStorage = $storageInterface;
  45. }
  46. /**
  47. * Returns the current CSRF token, if none set it will create a new one.
  48. *
  49. * @return CsrfToken
  50. */
  51. public function getToken(): CsrfToken {
  52. if(!\is_null($this->csrfToken)) {
  53. return $this->csrfToken;
  54. }
  55. if($this->sessionStorage->hasToken()) {
  56. $value = $this->sessionStorage->getToken();
  57. } else {
  58. $value = $this->tokenGenerator->generateToken();
  59. $this->sessionStorage->setToken($value);
  60. }
  61. $this->csrfToken = new CsrfToken($value);
  62. return $this->csrfToken;
  63. }
  64. /**
  65. * Invalidates any current token and sets a new one.
  66. *
  67. * @return CsrfToken
  68. */
  69. public function refreshToken(): CsrfToken {
  70. $value = $this->tokenGenerator->generateToken();
  71. $this->sessionStorage->setToken($value);
  72. $this->csrfToken = new CsrfToken($value);
  73. return $this->csrfToken;
  74. }
  75. /**
  76. * Remove the current token from the storage.
  77. */
  78. public function removeToken() {
  79. $this->csrfToken = null;
  80. $this->sessionStorage->removeToken();
  81. }
  82. /**
  83. * Verifies whether the provided token is valid.
  84. *
  85. * @param CsrfToken $token
  86. * @return bool
  87. */
  88. public function isTokenValid(CsrfToken $token): bool {
  89. if(!$this->sessionStorage->hasToken()) {
  90. return false;
  91. }
  92. return hash_equals(
  93. $this->sessionStorage->getToken(),
  94. $token->getDecryptedValue()
  95. );
  96. }
  97. }