diff --git a/core/core.services.yml b/core/core.services.yml index 1ee07fe..3dd2765 100644 --- a/core/core.services.yml +++ b/core/core.services.yml @@ -1100,6 +1100,11 @@ services: tags: - { name: access_check, applies_to: _csrf_token, needs_incoming_request: TRUE } arguments: ['@csrf_token'] + access_check.header.csrf: + class: Drupal\Core\Access\CsrfRequestHeaderAccessCheck + arguments: ['@session_configuration'] + tags: + - { name: access_check } maintenance_mode: class: Drupal\Core\Site\MaintenanceMode arguments: ['@state', '@current_user'] diff --git a/core/modules/rest/src/Access/CSRFAccessCheck.php b/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php similarity index 83% rename from core/modules/rest/src/Access/CSRFAccessCheck.php rename to core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php index c6dc04f..065efc2 100644 --- a/core/modules/rest/src/Access/CSRFAccessCheck.php +++ b/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php @@ -1,9 +1,7 @@ getRequirements(); + // Check for current requirement _csrf_request_header_token and deprecated + // REST requirement. + $applicable_requirements = ['_csrf_request_header_token', '_access_rest_csrf']; + $requirement_keys = array_keys($requirements); - if (array_key_exists('_access_rest_csrf', $requirements)) { + if (array_intersect($applicable_requirements, $requirement_keys)) { if (isset($requirements['_method'])) { // There could be more than one method requirement separated with '|'. $methods = explode('|', $requirements['_method']); @@ -77,7 +79,7 @@ public function access(Request $request, AccountInterface $account) { && $this->sessionConfiguration->hasSession($request) ) { $csrf_token = $request->headers->get('X-CSRF-Token'); - if (!\Drupal::csrfToken()->validate($csrf_token, 'rest')) { + if (!\Drupal::csrfToken()->validate($csrf_token, 'header')) { return AccessResult::forbidden()->setCacheMaxAge(0); } } diff --git a/core/modules/rest/rest.services.yml b/core/modules/rest/rest.services.yml index c702719..a3c8d58 100644 --- a/core/modules/rest/rest.services.yml +++ b/core/modules/rest/rest.services.yml @@ -8,11 +8,6 @@ services: - { name: cache.bin } factory: cache_factory:get arguments: [rest] - access_check.rest.csrf: - class: Drupal\rest\Access\CSRFAccessCheck - arguments: ['@session_configuration'] - tags: - - { name: access_check } rest.link_manager: class: Drupal\rest\LinkManager\LinkManager arguments: ['@rest.link_manager.type', '@rest.link_manager.relation'] diff --git a/core/modules/rest/src/RequestHandler.php b/core/modules/rest/src/RequestHandler.php index 2c3310a..ebac511 100644 --- a/core/modules/rest/src/RequestHandler.php +++ b/core/modules/rest/src/RequestHandler.php @@ -137,7 +137,7 @@ public function handle(RouteMatchInterface $route_match, Request $request) { * The response object. */ public function csrfToken() { - return new Response(\Drupal::csrfToken()->get('rest'), 200, array('Content-Type' => 'text/plain')); + return new Response(\Drupal::csrfToken()->get('header'), 200, array('Content-Type' => 'text/plain')); } /** diff --git a/core/modules/rest/src/Routing/ResourceRoutes.php b/core/modules/rest/src/Routing/ResourceRoutes.php index 5d3ae30..8aedfba 100644 --- a/core/modules/rest/src/Routing/ResourceRoutes.php +++ b/core/modules/rest/src/Routing/ResourceRoutes.php @@ -91,7 +91,7 @@ protected function getRoutesForResourceConfig(RestResourceConfigInterface $rest_ $methods = $route->getMethods(); // Only expose routes where the method is enabled in the configuration. if ($methods && ($method = $methods[0]) && $supported_formats = $rest_resource_config->getFormats($method)) { - $route->setRequirement('_access_rest_csrf', 'TRUE'); + $route->setRequirement('_csrf_request_header_token', 'TRUE'); // Check that authentication providers are defined. if (empty($rest_resource_config->getAuthenticationProviders($method))) {