class RouteProcessorCsrf

Same name in other branches
  1. 9 core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf
  2. 8.9.x core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf
  3. 10 core/lib/Drupal/Core/Access/RouteProcessorCsrf.php \Drupal\Core\Access\RouteProcessorCsrf

Processes the outbound route to handle the CSRF token.

Hierarchy

Expanded class hierarchy of RouteProcessorCsrf

1 file declares its use of RouteProcessorCsrf
RouteProcessorCsrfTest.php in core/tests/Drupal/Tests/Core/Access/RouteProcessorCsrfTest.php

File

core/lib/Drupal/Core/Access/RouteProcessorCsrf.php, line 14

Namespace

Drupal\Core\Access
View source
class RouteProcessorCsrf implements OutboundRouteProcessorInterface, TrustedCallbackInterface {
    
    /**
     * The CSRF token generator.
     *
     * @var \Drupal\Core\Access\CsrfTokenGenerator
     */
    protected $csrfToken;
    
    /**
     * Constructs a RouteProcessorCsrf object.
     *
     * @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
     *   The CSRF token generator.
     */
    public function __construct(CsrfTokenGenerator $csrf_token) {
        $this->csrfToken = $csrf_token;
    }
    
    /**
     * {@inheritdoc}
     */
    public function processOutbound($route_name, Route $route, array &$parameters, ?BubbleableMetadata $bubbleable_metadata = NULL) {
        if ($route->hasRequirement('_csrf_token')) {
            $path = ltrim($route->getPath(), '/');
            // Replace the path parameters with values from the parameters array.
            foreach ($parameters as $param => $value) {
                $path = str_replace("{{$param}}", $value, $path);
            }
            // Adding this to the parameters means it will get merged into the query
            // string when the route is compiled.
            if (!$bubbleable_metadata) {
                $parameters['token'] = $this->csrfToken
                    ->get($path);
            }
            else {
                // Generate a placeholder and a render array to replace it.
                $placeholder = Crypt::hashBase64($path);
                $placeholder_render_array = [
                    '#lazy_builder' => [
                        'route_processor_csrf:renderPlaceholderCsrfToken',
                        [
                            $path,
                        ],
                    ],
                ];
                // Instead of setting an actual CSRF token as the query string, we set
                // the placeholder, which will be replaced at the very last moment. This
                // ensures links with CSRF tokens don't break cacheability.
                $parameters['token'] = $placeholder;
                $bubbleable_metadata->addAttachments([
                    'placeholders' => [
                        $placeholder => $placeholder_render_array,
                    ],
                ]);
            }
        }
    }
    
    /**
     * #lazy_builder callback; gets a CSRF token for the given path.
     *
     * @param string $path
     *   The path to get a CSRF token for.
     *
     * @return array
     *   A renderable array representing the CSRF token.
     */
    public function renderPlaceholderCsrfToken($path) {
        return [
            '#markup' => $this->csrfToken
                ->get($path),
            // Tokens are per session.
'#cache' => [
                'contexts' => [
                    'session',
                ],
            ],
        ];
    }
    
    /**
     * {@inheritdoc}
     */
    public static function trustedCallbacks() {
        return [
            'renderPlaceholderCsrfToken',
        ];
    }

}

Members

Title Sort descending Modifiers Object type Summary Overriden Title
RouteProcessorCsrf::$csrfToken protected property The CSRF token generator.
RouteProcessorCsrf::processOutbound public function Processes the outbound route. Overrides OutboundRouteProcessorInterface::processOutbound
RouteProcessorCsrf::renderPlaceholderCsrfToken public function #lazy_builder callback; gets a CSRF token for the given path.
RouteProcessorCsrf::trustedCallbacks public static function Lists the trusted callbacks provided by the implementing class. Overrides TrustedCallbackInterface::trustedCallbacks
RouteProcessorCsrf::__construct public function Constructs a RouteProcessorCsrf object.
TrustedCallbackInterface::THROW_EXCEPTION constant Untrusted callbacks throw exceptions.
TrustedCallbackInterface::TRIGGER_SILENCED_DEPRECATION constant Untrusted callbacks trigger silenced E_USER_DEPRECATION errors.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.