MediaWiki  master
CsrfTokenSet.php
1 <?php
21 namespace MediaWiki\Session;
22 
24 use WebRequest;
25 
31 class CsrfTokenSet {
32 
36 	public const DEFAULT_FIELD_NAME = 'wpEditToken';
37 
41 	private $request;
42 
46 	public function __construct( WebRequest $request ) {
47 		$this->request = $request;
48 	}
49 
62 	public function getToken( $salt = '' ): Token {
63 		$session = $this->request->getSession();
64 		if ( !$session->getUser()->isRegistered() ) {
65 			return new LoggedOutEditToken();
66 		}
67 		return $session->getToken( $salt );
68 	}
69 
80 	public function matchTokenField(
81 		string $fieldName = self::DEFAULT_FIELD_NAME,
82 		$salt = ''
83 	): bool {
84 		return $this->matchToken( $this->request->getVal( $fieldName ), $salt );
85 	}
86 
97 	public function matchToken(
98 		?string $value,
99 		$salt = ''
100 	): bool {
101 		if ( !$value ) {
102 			return false;
103 		}
104 		$session = $this->request->getSession();
105 		// It's expensive to generate a new registered user token, so take a shortcut.
106 		// Anon tokens are cheap and all the same, so we can afford to generate one just to match.
107 		if ( $session->getUser()->isRegistered() && !$session->hasToken() ) {
108 			return false;
109 		}
110 		return $this->getToken( $salt )->match( $value );
111 	}
112 }
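The class above is the whole CSRF primitive; what it does not show is how a form handler is expected to use it. The following is an added example, not code from MediaWiki core: it assumes it runs inside a MediaWiki request (so `WebRequest`, the session framework and `MediaWiki\Session\Token::toString()` are available), and the salt name `ACTION_SALT` and the two functions are hypothetical. The same salt has to be passed when the token is issued and when it is checked, which is what binds a token to one action; a token minted for a different salt will not match.

```php
<?php
// Added example: using CsrfTokenSet in a form handler. Not MediaWiki core code.
// Assumes a MediaWiki runtime (WebRequest, session framework, Token::toString()).

use MediaWiki\Session\CsrfTokenSet;
use WebRequest;

// Hypothetical per-action salt. Issue and check must use the same value.
const ACTION_SALT = 'example-delete-item';

/**
 * Render the form and embed the current user's token for this action.
 * getToken() initializes the session token if it does not exist yet;
 * for logged-out users it returns the shared LoggedOutEditToken instead.
 */
function renderDeleteForm( WebRequest $request ): string {
	$tokens = new CsrfTokenSet( $request );
	$tokenValue = $tokens->getToken( ACTION_SALT )->toString();

	return '<form method="post">'
		. '<input type="hidden" name="' . CsrfTokenSet::DEFAULT_FIELD_NAME . '"'
		. ' value="' . htmlspecialchars( $tokenValue, ENT_QUOTES ) . '">'
		. '<button type="submit">Delete</button>'
		. '</form>';
}

/**
 * Handle the submission. Returns true only when the request is a POST and
 * the submitted token matches the session token for this action's salt.
 *
 * matchTokenField() already covers the edge cases a handler tends to forget:
 *  - a missing or empty field is rejected (matchToken() returns false on !$value);
 *  - a registered user whose session has no token yet is rejected without
 *    generating one, so a token can never be "matched" before it was issued.
 */
function handleDeleteSubmit( WebRequest $request ): bool {
	if ( !$request->wasPosted() ) {
		// State-changing actions are only accepted via POST.
		return false;
	}

	$tokens = new CsrfTokenSet( $request );
	if ( !$tokens->matchTokenField( CsrfTokenSet::DEFAULT_FIELD_NAME, ACTION_SALT ) ) {
		// Token absent, stale (session changed) or minted for another action.
		return false;
	}

	// Token verified: perform the state change here.
	return true;
}
```

The handler checks `wasPosted()` before the token because a token that matches is still not a reason to perform a write on a GET; the two checks address different problems and both belong in front of any state change.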
MediaWiki\Session\CsrfTokenSet\matchTokenField
matchTokenField(string $fieldName=self::DEFAULT_FIELD_NAME, $salt='')
Check if a request contains a value named $fieldName with the token value stored in the session.
Definition: CsrfTokenSet.php:80

LoggedOutEditToken
Value object representing a logged-out user's edit token.
Definition: LoggedOutEditToken.php:37

MediaWiki\Session
Definition: BotPasswordSessionProvider.php:24

MediaWiki\Session\CsrfTokenSet
Definition: CsrfTokenSet.php:31

MediaWiki\Session\CsrfTokenSet\getToken
getToken( $salt='')
Initialize (if necessary) and return a current user CSRF token value which can be used in edit forms ...
Definition: CsrfTokenSet.php:62

WebRequest
The WebRequest class encapsulates getting at data passed in the URL or via a POSTed form stripping il...
Definition: WebRequest.php:43

MediaWiki\Session\CsrfTokenSet\matchToken
matchToken(?string $value, $salt='')
Check if a value matches the token value stored in the session.
Definition: CsrfTokenSet.php:97

MediaWiki\Session\CsrfTokenSet\__construct
__construct(WebRequest $request)
Definition: CsrfTokenSet.php:46

MediaWiki\Session\Token
Value object representing a CSRF token.
Definition: Token.php:32

MediaWiki\Session\CsrfTokenSet\$request
WebRequest $request
Definition: CsrfTokenSet.php:33