
/*
* Copyright (C) 2009-2013 Typesafe Inc. <http://www.typesafe.com>
*/
package play.filters.csrf;

import play.api.mvc.RequestHeader;
import play.api.mvc.Session;
import play.libs.F;
import play.mvc.Action;
import play.mvc.Http;
import play.mvc.Result;
import scala.Option;

/**
 * Java-API action that enforces a CSRF token check before running the
 * wrapped action (applied through the {@link RequireCSRFCheck} annotation).
 *
 * Flow of {@link #call}: requests accepted by the Scala-side bypass rule
 * ({@code CSRFAction.checkCsrfBypass}) go straight to the delegate. Otherwise
 * a stored token must be present (cookie or session, depending on
 * configuration) and must match a token the client submitted in the query
 * string or the form body. Every failure is handed to the
 * {@link CSRFErrorHandler} class named on the annotation.
 *
 * NOTE(review): the bypass criteria, the token lookup and the token
 * comparison all live in the Scala companion object / the configured
 * {@code TokenProvider}; in particular whether {@code compareTokens} is
 * constant-time must be verified there, not here.
 */
public class RequireCSRFCheckAction extends Action<RequireCSRFCheck> {

    // Configuration is snapshotted once per action instance.
    private final String tokenName = CSRFConf$.MODULE$.TokenName();
    private final Option<String> cookieName = CSRFConf$.MODULE$.CookieName();
    private final boolean secureCookie = CSRFConf$.MODULE$.SecureCookie();
    private final CSRFAction$ csrfAction = CSRFAction$.MODULE$;
    private final CSRF.TokenProvider tokenProvider = CSRFConf$.MODULE$.defaultTokenProvider();

    /**
     * Performs the CSRF check and, when it passes, delegates to the wrapped action.
     *
     * @param ctx the current HTTP context
     * @return the delegate's result, or the error handler's result when the
     *         request is rejected
     * @throws Throwable whatever the delegate or the error handler throws
     */
    @Override
    public F.Promise<Result> call(Http.Context ctx) throws Throwable {
        RequestHeader request = ctx._requestHeader();

        // Exempt requests skip the check entirely; the criteria are defined in
        // the Scala CSRFAction object, not in this class.
        if (csrfAction.checkCsrfBypass(request)) {
            return delegate.call(ctx);
        }

        // The reference token is read from the cookie or the session (the
        // "header" in the Scala helper's name refers to the request headers).
        // Without it there is nothing to compare against, so the request is
        // rejected before the submitted token is even looked at.
        Option<String> storedToken = csrfAction.getTokenFromHeader(request, tokenName, cookieName);
        if (!storedToken.isDefined()) {
            return F.Promise.pure(handleTokenError(ctx, request, "CSRF token not found in session"));
        }

        String submitted = submittedToken(ctx, request);
        if (submitted == null) {
            return F.Promise.pure(handleTokenError(ctx, request, "CSRF token not found in body or query string"));
        }

        if (!tokenProvider.compareTokens(submitted, storedToken.get())) {
            return F.Promise.pure(handleTokenError(ctx, request, "CSRF tokens don't match"));
        }
        return delegate.call(ctx);
    }

    /**
     * Finds the token the client sent with the request.
     *
     * The query string is consulted first; if it carries no token, the first
     * value of the token field in a url-encoded or multipart form body is
     * used. Any other body type yields no token.
     *
     * NOTE(review): a token passed in the query string can leak through
     * Referer headers and access logs; this class merely accepts it, the
     * decision whether to rely on it is a deployment one.
     *
     * @return the submitted token, or {@code null} if none was found
     */
    private String submittedToken(Http.Context ctx, RequestHeader request) {
        Option<String> fromQuery = csrfAction.getTokenFromQueryString(request, tokenName);
        if (fromQuery.isDefined()) {
            return fromQuery.get();
        }
        if (ctx.request().body().asFormUrlEncoded() != null) {
            return firstValue(ctx.request().body().asFormUrlEncoded().get(tokenName));
        }
        if (ctx.request().body().asMultipartFormData() != null) {
            return firstValue(ctx.request().body().asMultipartFormData().asFormUrlEncoded().get(tokenName));
        }
        return null;
    }

    /** Returns the first element of a form field's values, or {@code null} when absent/empty. */
    private static String firstValue(String[] values) {
        return (values != null && values.length > 0) ? values[0] : null;
    }

    /**
     * Produces the rejection response through the annotation's {@link CSRFErrorHandler}.
     *
     * When {@code CSRF.getToken(request)} reports no token for this request,
     * the stored token is dropped as well: the cookie is discarded if cookie
     * storage is configured, otherwise the session entry is removed. If a
     * token is reported, the stored one is left untouched.
     *
     * @param ctx     the current HTTP context; its response or session may be mutated
     * @param request the request header used to look up the current token
     * @param msg     the failure reason passed to the error handler
     * @return the error handler's result
     * @throws Exception if the handler cannot be instantiated or itself throws
     */
    private Result handleTokenError(Http.Context ctx, RequestHeader request, String msg) throws Exception {
        boolean noTokenForRequest = CSRF.getToken(request).isEmpty();
        if (noTokenForRequest) {
            discardStoredToken(ctx);
        }
        CSRFErrorHandler handler = configuration.error().newInstance();
        return handler.handle(msg);
    }

    /** Drops the stored token: the cookie when one is configured, the session entry otherwise. */
    private void discardStoredToken(Http.Context ctx) {
        if (!cookieName.isDefined()) {
            ctx.session().remove(tokenName);
            return;
        }
        // Domain/path/secure mirror the session cookie settings so the
        // discard actually matches the cookie that was set.
        Option<String> domain = Session.domain();
        String domainOrNull = domain.isDefined() ? domain.get() : null;
        ctx.response().discardCookie(cookieName.get(), Session.path(), domainOrNull, secureCookie);
    }
}