Kumora/assets/controllers/csrf_protection_controller.js

var nameCheck = /^[-_a-zA-Z0-9]{4,22}$/;
var tokenCheck = /^[-_/+a-zA-Z0-9]{24,}$/;

// Generate and double-submit a CSRF token in a form field and a cookie, as defined by Symfony's SameOriginCsrfTokenManager
document.addEventListener('submit', function (event) {
    var csrfField = event.target.querySelector('input[data-controller="csrf-protection"]');

    if (!csrfField) {
        return;
    }

    var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');
    var csrfToken = csrfField.value;

    if (!csrfCookie && nameCheck.test(csrfToken)) {
        csrfField.setAttribute('data-csrf-protection-cookie-value', csrfCookie = csrfToken);
        csrfField.value = csrfToken = btoa(String.fromCharCode.apply(null, (window.crypto || window.msCrypto).getRandomValues(new Uint8Array(18))));
    }

    if (csrfCookie && tokenCheck.test(csrfToken)) {
        var cookie = csrfCookie + '_' + csrfToken + '=' + csrfCookie + '; path=/; samesite=strict';
        document.cookie = window.location.protocol === 'https:' ? '__Host-' + cookie + '; secure' : cookie;
    }
});

// When @hotwired/turbo handles form submissions, send the CSRF token in a header in addition to a cookie
// The `framework.csrf_protection.check_header` config option needs to be enabled for the header to be checked
document.addEventListener('turbo:submit-start', function (event) {
    var csrfField = event.detail.formSubmission.formElement.querySelector('input[data-controller="csrf-protection"]');

    if (!csrfField) {
        return;
    }

    var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');

    if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {
        event.detail.formSubmission.fetchRequest.headers[csrfCookie] = csrfField.value;
    }
});

// When @hotwired/turbo handles form submissions, remove the CSRF cookie once a form has been submitted
document.addEventListener('turbo:submit-end', function (event) {
    var csrfField = event.detail.formSubmission.formElement.querySelector('input[data-controller="csrf-protection"]');

    if (!csrfField) {
        return;
    }

    var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');

    if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {
        var cookie = csrfCookie + '_' + csrfField.value + '=0; path=/; samesite=strict; max-age=0';

        document.cookie = window.location.protocol === 'https:' ? '__Host-' + cookie + '; secure' : cookie;
    }
});

/* stimulusFetch: 'lazy' */
export default 'csrf-protection-controller';
:sparkles: Init Symfony 2024-12-28 00:39:57 +01:00			`var nameCheck = /^[-_a-zA-Z0-9]{4,22}$/;`
			`var tokenCheck = /^[-_/+a-zA-Z0-9]{24,}$/;`

			`// Generate and double-submit a CSRF token in a form field and a cookie, as defined by Symfony's SameOriginCsrfTokenManager`
			`document.addEventListener('submit', function (event) {`
			`var csrfField = event.target.querySelector('input[data-controller="csrf-protection"]');`

			`if (!csrfField) {`
			`return;`
			`}`

			`var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');`
			`var csrfToken = csrfField.value;`

			`if (!csrfCookie && nameCheck.test(csrfToken)) {`
			`csrfField.setAttribute('data-csrf-protection-cookie-value', csrfCookie = csrfToken);`
			`csrfField.value = csrfToken = btoa(String.fromCharCode.apply(null, (window.crypto \|\| window.msCrypto).getRandomValues(new Uint8Array(18))));`
			`}`

			`if (csrfCookie && tokenCheck.test(csrfToken)) {`
			`var cookie = csrfCookie + '_' + csrfToken + '=' + csrfCookie + '; path=/; samesite=strict';`
			`document.cookie = window.location.protocol === 'https:' ? '__Host-' + cookie + '; secure' : cookie;`
			`}`
			`});`

			`// When @hotwired/turbo handles form submissions, send the CSRF token in a header in addition to a cookie`
			// The `framework.csrf_protection.check_header` config option needs to be enabled for the header to be checked
			`document.addEventListener('turbo:submit-start', function (event) {`
			`var csrfField = event.detail.formSubmission.formElement.querySelector('input[data-controller="csrf-protection"]');`

			`if (!csrfField) {`
			`return;`
			`}`

			`var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');`

			`if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {`
			`event.detail.formSubmission.fetchRequest.headers[csrfCookie] = csrfField.value;`
			`}`
			`});`

			`// When @hotwired/turbo handles form submissions, remove the CSRF cookie once a form has been submitted`
			`document.addEventListener('turbo:submit-end', function (event) {`
			`var csrfField = event.detail.formSubmission.formElement.querySelector('input[data-controller="csrf-protection"]');`

			`if (!csrfField) {`
			`return;`
			`}`

			`var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');`

			`if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {`
			`var cookie = csrfCookie + '_' + csrfField.value + '=0; path=/; samesite=strict; max-age=0';`

			`document.cookie = window.location.protocol === 'https:' ? '__Host-' + cookie + '; secure' : cookie;`
			`}`
			`});`

			`/* stimulusFetch: 'lazy' */`
			`export default 'csrf-protection-controller';`