From 55beca95cd8d6ecfe610daea304c8374a10485af Mon Sep 17 00:00:00 2001
From: Igor Scheller <igor.scheller@igorshp.de>
Date: Tue, 27 Nov 2018 13:34:55 +0100
Subject: Refactoring: Throw HttpAuthExpired on csrf token mismatch

---
 src/Http/Exceptions/HttpAuthExpired.php | 24 ++++++++++++++++++++++++
 src/Middleware/VerifyCsrfToken.php      | 13 ++-----------
 2 files changed, 26 insertions(+), 11 deletions(-)
 create mode 100644 src/Http/Exceptions/HttpAuthExpired.php

(limited to 'src')

diff --git a/src/Http/Exceptions/HttpAuthExpired.php b/src/Http/Exceptions/HttpAuthExpired.php
new file mode 100644
index 00000000..83ca240f
--- /dev/null
+++ b/src/Http/Exceptions/HttpAuthExpired.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Engelsystem\Http\Exceptions;
+
+use Throwable;
+
+class HttpAuthExpired extends HttpException
+{
+    /**
+     * @param string         $message
+     * @param array          $headers
+     * @param int            $code
+     * @param Throwable|null $previous
+     */
+    public function __construct(
+        string $message = 'Authentication Expired',
+        array $headers = [],
+        int $code = 0,
+        Throwable $previous = null
+    ) {
+        // The 419 code is used as "Page Expired" to differentiate from a 401 (not authorized)
+        parent::__construct(419, $message, $headers, $code, $previous);
+    }
+}
diff --git a/src/Middleware/VerifyCsrfToken.php b/src/Middleware/VerifyCsrfToken.php
index cc0c1fbc..0623fa72 100644
--- a/src/Middleware/VerifyCsrfToken.php
+++ b/src/Middleware/VerifyCsrfToken.php
@@ -2,6 +2,7 @@
 
 namespace Engelsystem\Middleware;
 
+use Engelsystem\Http\Exceptions\HttpAuthExpired;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
@@ -37,7 +38,7 @@ class VerifyCsrfToken implements MiddlewareInterface
             return $handler->handle($request);
         }
 
-        return $this->notAuthorizedResponse();
+        throw new HttpAuthExpired('Authentication Token Mismatch');
     }
 
     /**
@@ -77,14 +78,4 @@ class VerifyCsrfToken implements MiddlewareInterface
             && is_string($sessionToken)
             && hash_equals($sessionToken, $token);
     }
-
-    /**
-     * @return ResponseInterface
-     * @codeCoverageIgnore
-     */
-    protected function notAuthorizedResponse(): ResponseInterface
-    {
-        // The 419 code is used as "Page Expired" to differentiate from a 401 (not authorized)
-        return response()->withStatus(419, 'Authentication Token Mismatch');
-    }
 }
-- 
cgit v1.2.3-70-g09d2