Diffstat (limited to 'common/app/classes/CSRF.php')
-rw-r--r-- | common/app/classes/CSRF.php | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/common/app/classes/CSRF.php b/common/app/classes/CSRF.php
new file mode 100644
index 0000000..9a700cf
--- /dev/null
+++ b/common/app/classes/CSRF.php
@@ -0,0 +1,55 @@
+<?php
+
+class CSRF
+{
+ /** @var string */
+ const HMAC_ALGORITHM = 'sha1';
+
+ /** @var string */
+ const SESSION_KEY_NAME = '_csrf_key';
+
+ /**
+ * Ensure that a CSRF token is valid for a given action.
+ *
+ * @param string $token
+ * @param string $action
+ * @return bool
+ */
+ public static function verify($token = '', $action = null)
+ {
+ if (!is_string($token) || !is_string($action)) {
+ return false;
+ }
+
+ $known = self::generate($action);
+ return hash_equals($known, $token);
+ }
+
+ /**
+ * Generate a CSRF token for a given action.
+ *
+ * @param string $action
+ * @throws InvalidArgumentException
+ * @return string
+ */
+ public static function generate($action = null)
+ {
+ if (!is_string($action)) {
+ throw new InvalidArgumentException('A valid action must be defined.');
+ }
+ return hash_hmac(self::HMAC_ALGORITHM, $action, self::getKey());
+ }
+
+ /**
+ * Get HMAC key.
+ *
+ * @return string
+ */
+ public static function getKey()
+ {
+ if (empty($_SESSION[self::SESSION_KEY_NAME])) {
+ $_SESSION[self::SESSION_KEY_NAME] = random_bytes(16);
+ }
+ return $_SESSION[self::SESSION_KEY_NAME];
+ }
+}
|
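Review bot: getKey() reads and writes `$_SESSION` without checking that a session is active, so if no session has been started the key is minted afresh on every request and verify() rejects every token (fail-closed, but silently broken); a guard at the top of getKey() such as `if (session_status() !== PHP_SESSION_ACTIVE) { throw new RuntimeException('A session must be active before the CSRF key can be used.'); }` makes the dependency explicit. The key is also stored as 16 raw bytes from random_bytes(); a custom session save handler that writes session data to a text column could corrupt it, so `$_SESSION[self::SESSION_KEY_NAME] = bin2hex(random_bytes(16));` (same entropy, transport-safe) is the safer form. Because the token is a deterministic HMAC of the action under a key that lives as long as the session, it never rotates; the class docblock should state that callers must unset `$_SESSION[self::SESSION_KEY_NAME]` whenever the authentication state changes (alongside session_regenerate_id()) so a token issued before login is not still valid after it. `HMAC_ALGORITHM = 'sha1'` remains sound for HMAC, but `'sha256'` is the conventional choice today and costs nothing in a new file. The hash_equals() argument order in verify() (known value first, user-supplied token second) is correct.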