src/EventListener/RequestSignListener.php line 27

Open in your IDE?
  1. <?php
  3. namespace App\EventListener;
  5. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  6. use Symfony\Component\HttpFoundation\JsonResponse;
  7. use Symfony\Component\HttpFoundation\Request;
  8. use Symfony\Component\HttpKernel\Event\RequestEvent;
  9. use Symfony\Component\HttpKernel\KernelEvents;
  11. class RequestSignListener implements EventSubscriberInterface
  12. {
  13.     /**
  14.      * @var string
  15.      */
  16.     private string $clientSecret;
  18.     public function __construct(string $clientSecret)
  19.     {
  20.         $this->clientSecret $clientSecret;
  21.     }
  23.     /**
  24.      * Проверка подписи запроса
  25.      * @phpstan-ignore-next-line
  26.      */
  27.     public function onRequest(RequestEvent $event)
  28.     {
  29.         if (!$event->isMainRequest()) {
  30.             return;
  31.         }
  33.         $request $event->getRequest();
  35.         if ('/api/' === substr($request->getPathInfo(), 05)) {
  36.             if (!$this->isRequestFromVKSignedCorrectly($request)) {
  37.                 $event->setResponse($this->createAccessDeniedResponse('Access denied.'));
  38.             }
  39.         }
  40.     }
  42.     public static function getSubscribedEvents(): array
  43.     {
  44.         return [
  45.             KernelEvents::REQUEST => 'onRequest',
  46.         ];
  47.     }
  49.     private function isRequestFromVKSignedCorrectly(Request $request): bool
  50.     {
  51.         $queryParams = [];
  52.         parse_str(parse_url($request->getRequestUri(), PHP_URL_QUERY), $queryParams);
  54.         $signParams = [];
  55.         foreach ($queryParams as $name => $value) {
  56.             if (strpos($name'vk_') !== 0) {
  57.                 continue;
  58.             }
  60.             $signParams[$name] = $value;
  61.         }
  63.         if (empty($signParams) || !isset($queryParams['sign'])) {
  64.             return false;
  65.         }
  67.         ksort($signParams);
  68.         $signParamsQuery http_build_query($signParams);
  69.         $sign rtrim(strtr(base64_encode(hash_hmac(
  70.             'sha256',
  71.             $signParamsQuery,
  72.             $this->clientSecret,
  73.             true
  74.         )), '+/''-_'), '=');
  76.         return $sign === $queryParams['sign'];
  77.     }
  79.     private function createAccessDeniedResponse(string $message): JsonResponse
  80.     {
  81.         $response = new JsonResponse([
  82.             'errorMsg' => $message,
  83.             'success' => false,
  84.         ]);
  85.         $response->setStatusCode(403);
  86.         $response->headers->set('Content-type''application/json; charset=UTF-8');
  88.         return $response;
  89.     }
  90. }