<?php
namespace Statamic\Addons\SuperStaticCache;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Statamic\API\Str;
use Statamic\Exceptions\UrlNotFoundException;
use Statamic\Extend\Extensible;
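class SuperStaticCacheController
{
    use Extensible;

    /**
     * Hand out a fresh CSRF token to pages that were served from the static cache.
     *
     * Three gates must all pass, otherwise the endpoint answers with
     * UrlNotFoundException (presumably rendered as a 404, so the route does not
     * advertise its existence):
     *   1. the `dynamic_csrf_enabled` config flag is on;
     *   2. the request is an XMLHttpRequest carrying the header
     *      `Statamic-Addon: SuperStaticCache`;
     *   3. if `dynamic_csrf_referer_base_url` is configured, the Referer header
     *      starts with that value.
     *
     * @param Request $request The incoming HTTP request.
     *
     * @return JsonResponse `{"token": "<csrf token>"}`
     *
     * @throws UrlNotFoundException when any of the gates above fails.
     */
    public function getToken(Request $request)
    {
        if (!$this->getConfigBool('dynamic_csrf_enabled')) {
            throw new UrlNotFoundException();
        }

        // We only allow ajax requests with our own special header.
        // Compare with `!==`: `!` binds tighter than `===`, so the former
        // `!$x === 'SuperStaticCache'` compared a bool against a string and was
        // always false, which silently turned the header check off.
        $addonHeader = $request->headers->get('Statamic-Addon');
        if (!$request->isXmlHttpRequest() || $addonHeader !== 'SuperStaticCache') {
            throw new UrlNotFoundException();
        }

        // Enhance security a little bit more by checking if the HTTP referer header matches the configured referer host.
        // Still, this header could be faked by the client, so treat it as defence in depth, not as authentication.
        $refererHost = $this->getConfig('dynamic_csrf_referer_base_url');
        // Cast so a missing Referer (null) is handled as an empty string and still fails the prefix check.
        $referer = (string) $request->header('referer');
        if ($refererHost && !Str::startsWith($referer, $refererHost)) {
            throw new UrlNotFoundException();
        }

        return new JsonResponse(['token' => csrf_token()]);
    }
}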