use PSR-7 for Xsrf

mevdschee · mevdschee · commit ddaca7a4d547 · 2021-04-27T11:09:48.000+02:00
diff --git a/api.include.php b/api.include.php
@@ -9161,13 +9161,14 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 
     class XsrfMiddleware extends Middleware
     {
-        private function getToken(): string
+        private function getToken(ServerRequestInterface $request): string
         {
             $cookieName = $this->getProperty('cookieName', 'XSRF-TOKEN');
-            if (isset($_COOKIE[$cookieName])) {
-                $token = $_COOKIE[$cookieName];
+            $cookieParams = $request->getCookieParams();
+            if (isset($cookieParams[$cookieName])) {
+                $token = $cookieParams[$cookieName];
             } else {
-                $secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on';
+                $secure = $request->getUri()->getScheme() == 'https';
                 $token = bin2hex(random_bytes(8));
                 if (!headers_sent()) {
                     setcookie($cookieName, $token, 0, '/', '', $secure);
@@ -9178,7 +9179,7 @@ private function getToken(): string
 
         public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
         {
-            $token = $this->getToken();
+            $token = $this->getToken($request);
             $method = $request->getMethod();
             $excludeMethods = $this->getArrayProperty('excludeMethods', 'OPTIONS,GET');
             if (!in_array($method, $excludeMethods)) {
diff --git a/api.php b/api.php
@@ -9161,13 +9161,14 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 
     class XsrfMiddleware extends Middleware
     {
-        private function getToken(): string
+        private function getToken(ServerRequestInterface $request): string
         {
             $cookieName = $this->getProperty('cookieName', 'XSRF-TOKEN');
-            if (isset($_COOKIE[$cookieName])) {
-                $token = $_COOKIE[$cookieName];
+            $cookieParams = $request->getCookieParams();
+            if (isset($cookieParams[$cookieName])) {
+                $token = $cookieParams[$cookieName];
             } else {
-                $secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on';
+                $secure = $request->getUri()->getScheme() == 'https';
                 $token = bin2hex(random_bytes(8));
                 if (!headers_sent()) {
                     setcookie($cookieName, $token, 0, '/', '', $secure);
@@ -9178,7 +9179,7 @@ private function getToken(): string
 
         public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
         {
-            $token = $this->getToken();
+            $token = $this->getToken($request);
             $method = $request->getMethod();
             $excludeMethods = $this->getArrayProperty('excludeMethods', 'OPTIONS,GET');
             if (!in_array($method, $excludeMethods)) {
