0

i have some routes in my routes.yml

    # Home page
    adminHomePage:
         path:     /admin
         defaults: { _controller: Themes\Controllers\DashboardController::indexAction }
            loginRoutes:
                resource: "routing/login.yml"

..........and so on..

I need to "append" to all routes CSRF TOKEN param ( key/CSRF_TOKEN ). So my regular route look like:

http://example.com/admin

should be

http://example.com/admin/key/CSRF_TOKEN

But i do not want to edit my yml file, so i think i need to override some php class.

Like Magento do, add secret key to URL for CSRF (Cross-site request forgery) Attack Prevention.

Can you help?

Thanks

Improve this question
3
  • May I ask what problem you are trying to solve by doing this? i.e. what will you use the CSRF_TOKEN for? If there is a form being returned then the form will have the token and it will be in the session. If you are not getting a form then you don't need the token? Commented Apr 1, 2016 at 11:05
  • Like Magento do, add secret key to URL for CSRF (Cross-site request forgery) Attack Prevention. Commented Apr 1, 2016 at 14:28
  • Thanks for the update. It helps me to understand more. Commented Apr 1, 2016 at 14:33

1 Answer 1

Reset to default
1

May be it is not good decision, but it is fast and should work.
You can write custom UrlGenerator that will append token to urls

namespace nnn;

class UrlGenerator extends \Symfony\Component\Routing\Generator\UrlGenerator
{
    protected $csrfToken;

    protected function doGenerate($variables, $defaults, $requirements, $tokens, $parameters, $name, $referenceType, $hostTokens, array $requiredSchemes = array())
    {
        $url = parent::doGenerate($variables, $defaults, $requirements, $tokens, $parameters, $name, $referenceType, $hostTokens, $requiredSchemes);

        if (isset($this->csrfToken)) {
            $url = rtrim($url, '/') . '/key/' . $this->csrfToken;
        }

        return $url;
    }
}

and UrlMatcher that will cut token from urls

namespace nnn;

class RedirectableUrlMatcher extends \Silex\RedirectableUrlMatcher
{
    protected function matchCollection($pathinfo, \Symfony\Component\Routing\RouteCollection $routes)
    {
        $pathinfo = preg_replace('~/key/.+?(/|$)~', '$1', $pathinfo);
        if ($pathinfo == '') $pathinfo = '/';

        return parent::matchCollection($pathinfo, $routes);
    }
}

and configure application

$app['url_generator'] = $app->share(function ($app) {
    $app->flush();

    $urlGenerator = new \nnn\UrlGenerator($app['routes'], $app['request_context']);
    $urlGenerator->setCsrfToken('1234567890');

    return $urlGenerator;
});

$app['url_matcher'] = $app->share(function () use ($app) {
    return new \nnn\RedirectableUrlMatcher($app['routes'], $app['request_context']);
});

$app['dispatcher']->addListener(\Symfony\Component\HttpKernel\KernelEvents::REQUEST, function($event) use ($app) {
    $request = $event->getRequest();
    $path = $request->getPathInfo();
    if (\preg_match('~/key/(.+?)(?:/|$)~', $path, $matches)) {
        $request->attributes->set('_csrfToken', $matches[1]);
    }
}, 1024);

$app->run();

Token will be accessible in controllers through $app['request']->get('_csrfToken')

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.