csrfToken = $csrf_token;
  }

  /**
   * Grants or denies access depending on the CSRF token sent with the request.
   *
   * The token is read from the 'token' URL query argument and validated
   * against the path that generateRoutePath() returns for the route and the
   * raw route parameters. Because the token is a URL query argument, it is
   * exposed wherever full URLs are recorded (server logs, browser history,
   * Referer headers).
   *
   * @param \Symfony\Component\Routing\Route $route
   *   The route whose path the token is validated against.
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The request whose query string carries the token.
   * @param \Drupal\Core\Routing\RouteMatchInterface $route_match
   *   The route match supplying the raw route parameters.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   Allowed when the token validates, forbidden otherwise. Both results have
   *   a cache max-age of 0.
   */
  public function access(Route $route, Request $request, RouteMatchInterface $route_match) {
    $raw_parameters = $route_match->getRawParameters()->all();
    $expected_path = $this->generateRoutePath($route, $raw_parameters);

    // A missing argument becomes the empty string. Whatever query->get()
    // returns is handed to validate() unchanged.
    // NOTE(review): confirm validate() tolerates non-string values such as
    // an array-valued 'token' argument.
    $query = $request->query;
    $submitted_token = $query->get('token', '');

    // The access result is never cached because the CSRF token is highly
    // dynamic; a stored decision must not be reused for a later request.
    if ($this->csrfToken->validate($submitted_token, $expected_path)) {
      return AccessResult::allowed()->setCacheMaxAge(0);
    }

    // Tell a wrong token apart from an absent one in the denial reason.
    // NOTE(review): the messages name 'csrf_token' while the query argument
    // read above is 'token'; keep that in mind when tracing a denied request.
    if ($query->has('token')) {
      $reason = "'csrf_token' URL query argument is invalid.";
    }
    else {
      $reason = "'csrf_token' URL query argument is missing.";
    }

    return AccessResult::forbidden($reason)->setCacheMaxAge(0);
  }

}