<?php
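class CSRFHelper {

    /** Session key and form-field name under which the CSRF token is kept. */
    const TOKEN_NAME = 'csrf_token';

    /**
     * Returns the session's CSRF token, creating one on first use.
     *
     * The token is 32 bytes from random_bytes(), hex-encoded (64 chars), stored
     * in the \Base hive under SESSION.<TOKEN_NAME>. It is reused for every form
     * rendered in the session until verify() consumes it.
     */
    public static function token(): string {
        $f3 = \Base::instance();
        $key = 'SESSION.' . self::TOKEN_NAME;

        $token = $f3->get($key);
        // Regenerate when the slot is missing OR holds an empty/non-string value,
        // so a corrupted session entry is never handed out as a token (the
        // original only checked existence and could return '' here).
        if (!is_string($token) || $token === '') {
            $token = bin2hex(random_bytes(32));
            $f3->set($key, $token);
        }

        return $token;
    }

    /**
     * Checks a submitted token against the one stored in the session.
     *
     * Returns false when either side is missing or empty, or when they differ.
     * On success the session token is cleared (single-use), so the next form
     * rendered via token()/field() gets a fresh value.
     *
     * @param string|null $submitted_token Value from the request, or null if absent.
     */
    public static function verify(?string $submitted_token): bool {
        $f3 = \Base::instance();
        $key = 'SESSION.' . self::TOKEN_NAME;
        $session_token = $f3->get($key);

        // hash_equals() needs two strings; guard explicitly instead of empty()
        // so a non-string session value can never reach it.
        if ($submitted_token === null || $submitted_token === ''
            || !is_string($session_token) || $session_token === '') {
            return false;
        }

        // Constant-time comparison so timing does not leak how many leading
        // characters matched.
        if (hash_equals($session_token, $submitted_token)) {
            $f3->clear($key);
            return true;
        }

        return false;
    }

    /**
     * Renders the hidden <input> carrying the current token for a form.
     *
     * The token is hex, so escaping is a no-op today; it is escaped anyway so
     * the attribute stays well-formed if the token format ever changes.
     */
    public static function field(): string {
        $value = htmlspecialchars(self::token(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return '<input type="hidden" name="' . self::TOKEN_NAME . '" value="' . $value . '">';
    }

}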