authorBernhard Schussek <bschussek@gmail.com>2013-10-04 15:25:38 +0200
committerBernhard Schussek <bschussek@gmail.com>2013-10-07 14:50:43 +0200
commit8780aecc6088ec65909d68dfebd867dfa99a0d77 (patch)
tree2b316b31b3af6f43883b7a1ac1ae1ee39b36349e /Csrf/TokenGenerator
parent45e1ca5d20c2721e3085ff45773559cc45645ce2 (diff)
[Security\Csrf] Split CsrfTokenGenerator into CsrfTokenManager and TokenGeneratorv2.4.0-BETA1
Diffstat (limited to 'Csrf/TokenGenerator')
-rw-r--r--Csrf/TokenGenerator/TokenGeneratorInterface.php40
-rw-r--r--Csrf/TokenGenerator/UriSafeTokenGenerator.php73
2 files changed, 113 insertions, 0 deletions
diff --git a/Csrf/TokenGenerator/TokenGeneratorInterface.php b/Csrf/TokenGenerator/TokenGeneratorInterface.php
new file mode 100644
index 0000000..4d81da9
--- /dev/null
+++ b/Csrf/TokenGenerator/TokenGeneratorInterface.php
@@ -0,0 +1,40 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Csrf\TokenGenerator;
+
+/**
+ * Generates and validates CSRF tokens.
+ *
+ * You can generate a CSRF token by using the method {@link generateCsrfToken()}.
+ * This method expects a unique token ID as argument. The token ID can later be
+ * used to validate a token provided by the user.
+ *
+ * Token IDs do not necessarily have to be secret, but they should NEVER be
+ * created from data provided by the client. A good practice is to hard-code the
+ * token IDs for the various CSRF tokens used by your application.
+ *
+ * You should use the method {@link isCsrfTokenValid()} to check a CSRF token
+ * submitted by the client. This method will return true if the CSRF token is
+ * valid.
+ *
+ * @since 2.4
+ * @author Bernhard Schussek <bschussek@gmail.com>
+ */
+interface TokenGeneratorInterface
+{
+ /**
+ * Generates a CSRF token.
+ *
+ * @return string The generated CSRF token
+ */
+ public function generateToken();
+}
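Review bot: The interface docblock (lines 42–52 of the hunk) documents methods this interface does not declare — `generateCsrfToken()` and `isCsrfTokenValid()` — and describes token IDs and validation, while the only declared method is the argument-less `generateToken()`; this reads as carried over from the pre-split CsrfTokenGenerator and will mislead implementors. The description should instead state that each call returns a fresh, unpredictable token, that implementations must draw it from a cryptographically secure random source, and that token IDs and validation belong to the CsrfTokenManager named in the commit title. The method docblock could add `@return string A fresh, unpredictable token; never reuse a previously returned value.` so the contract is explicit for alternative implementations.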
diff --git a/Csrf/TokenGenerator/UriSafeTokenGenerator.php b/Csrf/TokenGenerator/UriSafeTokenGenerator.php
new file mode 100644
index 0000000..9d24f1c
--- /dev/null
+++ b/Csrf/TokenGenerator/UriSafeTokenGenerator.php
@@ -0,0 +1,73 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Csrf\TokenGenerator;
+
+use Symfony\Component\Security\Core\Util\SecureRandomInterface;
+use Symfony\Component\Security\Core\Util\SecureRandom;
+use Symfony\Component\Security\Core\Util\StringUtils;
+use Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage;
+use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;
+
+/**
+ * Generates CSRF tokens.
+ *
+ * @since 2.4
+ * @author Bernhard Schussek <bernhard.schussek@symfony.com>
+ */
+class UriSafeTokenGenerator implements TokenGeneratorInterface
+{
+ /**
+ * The generator for random values.
+ *
+ * @var SecureRandomInterface
+ */
+ private $random;
+
+ /**
+ * The amount of entropy collected for each token (in bits).
+ *
+ * @var integer
+ */
+ private $entropy;
+
+ /**
+ * Generates URI-safe CSRF tokens.
+ *
+ * @param SecureRandomInterface $random The random value generator used for
+ * generating entropy
+ * @param integer $entropy The amount of entropy collected for
+ * each token (in bits)
+ *
+ */
+ public function __construct(SecureRandomInterface $random = null, $entropy = 256)
+ {
+ if (null === $random) {
+ $random = new SecureRandom();
+ }
+
+ $this->random = $random;
+ $this->entropy = $entropy;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public function generateToken()
+ {
+ // Generate an URI safe base64 encoded string that does not contain "+",
+ // "/" or "=" which need to be URL encoded and make URLs unnecessarily
+ // longer.
+ $bytes = $this->random->nextBytes($this->entropy / 8);
+
+ return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
+ }
+}
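Review bot: The constructor stores `$entropy` without validation, and `generateToken()` then passes `$this->entropy / 8` to `nextBytes()`; an entropy of zero or negative yields an empty or invalid token, a value that is not a multiple of 8 yields a non-integer byte count, and what `nextBytes()` does with a float is not visible in this file. Guard it in the constructor: `if (!is_int($entropy) || $entropy <= 0 || 0 !== $entropy % 8) {` / `throw new \InvalidArgumentException('The entropy must be a positive multiple of 8 bits.');` / `}`. Separately, the `use` lines for `StringUtils`, `NativeSessionTokenStorage` and `TokenStorageInterface` are not referenced anywhere in this file and should be dropped, and the constructor docblock's first line "Generates URI-safe CSRF tokens." describes the class rather than the constructor.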