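/**
 * Checks that the anti-forgery token submitted with the request matches the one
 * stored in the session.
 *
 * @param request a HttpRequest object
 * @return {@code true} only when both tokens are present and equal; a missing token
 *         on either side is treated as invalid
 */
private boolean isValidRequest(HttpRequest request) {
    Optional<String> readToken = defaultRequestToken(request);
    Optional<String> storedToken = sessionToken(request);
    if (!readToken.isPresent() || !storedToken.isPresent()) {
        return false;
    }
    // The submitted token is attacker-controlled. String.equals short-circuits on the
    // first mismatching char, so its duration leaks how much of a guess was correct;
    // MessageDigest.isEqual compares in constant time for equal-length inputs (tokens
    // produced by newToken are expected to have a fixed length). Practical
    // exploitability over a network is low, but constant-time comparison is the
    // standard hardening for secret comparison. Fully qualified names are used
    // because the import block is outside this view.
    return java.security.MessageDigest.isEqual(
            readToken.get().getBytes(java.nio.charset.StandardCharsets.UTF_8),
            storedToken.get().getBytes(java.nio.charset.StandardCharsets.UTF_8));
}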
/**
 * Enforces the anti-forgery token on every non-GET request and exposes the
 * session's token to the rest of the middleware chain.
 *
 * <p>Only GET is treated as a safe method here: any other method (HEAD and OPTIONS
 * included) must carry a token equal to the session's, otherwise a 403 HTML page is
 * returned without invoking the remaining chain and without issuing a new token.
 *
 * @param request a HttpRequest object
 * @param next    the remaining middleware chain
 * @return the downstream response with the session token stored, or the 403 response
 */
@Override
public HttpResponse handle(HttpRequest request, MiddlewareChain<HttpRequest, NRES, ?, ?> next) {
    // Keep the token already bound to the session; mint one only when none exists.
    String token = sessionToken(request).orElseGet(this::newToken);

    boolean mustVerify = !isGetRequest(request);
    if (mustVerify && !isValidRequest(request)) {
        HttpResponse rejected = HttpResponse.of("<h1>Invalid anti-forgery token</h1>");
        return builder(rejected)
                .set(HttpResponse::setStatus, 403)
                .set(HttpResponse::setHeaders, Headers.of("Content-Type", "text/html"))
                .build();
    }

    // Make the token reachable by later middleware/handlers via the mixin interface.
    HttpRequest detectable = MixinUtils.mixin(request, ForgeryDetectable.class);
    ((ForgeryDetectable) detectable).setAntiForgeryToken(token);

    HttpResponse response = castToHttpResponse(next.next(detectable));
    putSessionToken(response, detectable, token);
    return response;
}
} // closing brace of the enclosing type, preserved from the original listing
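/**
 * Puts the token to the session.
 *
 * <p>The session is written back to the response only when the token differs from
 * the one the request already carries, so an unchanged token causes no redundant
 * session update.
 *
 * @param response a HttpResponse object
 * @param request a HttpRequest object
 * @param token a String containing the new token
 */
protected void putSessionToken(HttpResponse response, HttpRequest request, String token) {
    String oldToken = sessionToken(request).orElse(null);
    if (Objects.equals(token, oldToken)) {
        return;
    }
    // orElseGet: construct a fresh Session only when the request has none, rather
    // than eagerly building one on every call as orElse(new Session()) did.
    Session session = Optional.ofNullable(request.getSession())
            .orElseGet(Session::new);
    session.put(TOKEN_KEY, token);
    response.setSession(session);
}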