A lot of things
@@ -195,9 +195,9 @@ class XenforoService {
|
||||
|
||||
}
|
||||
|
||||
private function hashCSRFToken( string $token ): string
|
||||
private function hashCSRFToken( string $token, int $timestamp ): string
|
||||
{
|
||||
return hash_hmac('md5', $token . time(), config('app.xf_salt') );
|
||||
return hash_hmac('md5', $token . $timestamp, config('app.xf_salt') );
|
||||
}
|
||||
public function getCSRFToken(): string
|
||||
{
|
||||
@@ -207,6 +207,28 @@ class XenforoService {
|
||||
Cookie::queue('xf_csrf', $token, 0, '/', config('session.domain'), 0, false, false );
|
||||
}
|
||||
|
||||
return time() . ',' . $this->hashCSRFToken($token);
|
||||
$timestamp = time();
|
||||
return $timestamp . ',' . $this->hashCSRFToken($token, $timestamp);
|
||||
}
|
||||
public function verifyCSRFToken( string $requestToken ): bool
|
||||
{
|
||||
$token = Cookie::get('xf_csrf');
|
||||
if( !$token ){
|
||||
return false;
|
||||
}
|
||||
|
||||
try {
|
||||
[$timestamp, $hash] = explode(',', $requestToken);
|
||||
} catch (\Throwable $th) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$timestamp = intval($timestamp);
|
||||
$currentTimestamp = time();
|
||||
|
||||
if( abs( $currentTimestamp - $timestamp ) > 3600 )
|
||||
return false;
|
||||
|
||||
return $hash === $this->hashCSRFToken($token, $timestamp);
|
||||
}
|
||||
}
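Review bot: The last line of the new verifyCSRFToken method, `return $hash === $this->hashCSRFToken($token, $timestamp);`, compares a secret-derived HMAC against a caller-supplied string with `===`, which stops at the first differing byte; the comparison should be `hash_equals()` with the expected value as the first argument. The `explode(',', $requestToken)` destructure a few lines earlier only reaches the `catch` if the framework turns the undefined-offset warning on a comma-less token into an exception, and `intval()` afterwards silently accepts values like `123abc`; passing a limit of 2 to explode, checking `count()`, and requiring `ctype_digit()` on the timestamp makes the parse self-contained. The `abs()` window also accepts timestamps up to an hour in the future, which nothing the server mints can produce, so a signed age check is tighter. Separately, the token is bound only to the `xf_csrf` cookie and not to the user's session, so any party able to set that cookie on `config('session.domain')` could replay a cookie/token pair it obtained for itself; whether that applies depends on deployment outside this hunk, but mixing the session ID into the HMAC input would remove the concern. The rewrite below covers the parsing, window and comparison points.

```php
public function verifyCSRFToken( string $requestToken ): bool
{
    // … unchanged: xf_csrf cookie lookup and empty-cookie rejection …

    $parts = explode(',', $requestToken, 2);
    if( count($parts) !== 2 || !ctype_digit($parts[0]) ){
        return false;
    }
    [$timestamp, $hash] = $parts;

    // Tokens are minted by the server, so a future timestamp is never legitimate.
    $age = time() - (int) $timestamp;
    if( $age < 0 || $age > 3600 ){
        return false;
    }

    // Constant-time comparison; expected value first, user input second.
    return hash_equals( $this->hashCSRFToken($token, (int) $timestamp), $hash );
}
```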
|
||||
|
||||