Implement and expose a CSRF mitigation

2 files changed, 50 insertions, 1 deletions

diff --git a/app/app.php b/app/app.php
index 64c120a..0797cc7 100755
--- a/app/app.php
+++ b/app/app.php
@@ -29,4 +29,4 @@ if (is_installed()) {
 }
 
 $l10n = new Simplel10n($conf['locale']);
-
+$csrf = new CSRF();
diff --git a/app/classes/CSRF.php b/app/classes/CSRF.php
new file mode 100644
index 0000000..3e23380
--- /dev/null
+++ b/app/classes/CSRF.php
@@ -0,0 +1,49 @@
+<?php
+
+class CSRF
+{
+    /** @var string */
+    const HMAC_ALGORITHM = 'sha1';
+
+    /**
+     * Ensure that a CSRF token is valid for a given action.
+     *
+     * @param  string $token
+     * @param  string $action
+     * @return bool
+     */
+    public static function verify($token = '', $action = null)
+    {
+        if (!is_string($token) || !is_string($action)) {
+            return false;
+        }
+
+        $known = self::generate($action);
+        return hash_equals($known, $token);
+    }
+
+    /**
+     * Generate a CSRF token for a given action.
+     *
+     * @param  string $action
+     * @throws InvalidArgumentException
+     * @return string
+     */
+    public static function generate($action = null)
+    {
+        if (!is_string($action)) {
+            throw InvalidArgumentException('A valid action must be defined.');
+        }
+        return hash_hmac(self::HMAC_ALGORITHM, $action, self::getKey());
+    }
+
+    /**
+     * Get HMAC key.
+     *
+     * @return string
+     */
+    public static function getKey()
+    {
+        return session_id();
+    }
+}