HOR-3921

Fix CR observations.

workflow/engine/skinEngine/skinEngine.php

@@ -261,7 +261,7 @@ class SkinEngine
 
         $template = new TemplatePower($templateFile);
         $template->prepare();
-        $header = '<meta name="csrf-token" content="'. csrfToken().'" />' . "\n" . $header;
+        $header = '<meta name="csrf-token" content="' . csrfToken() . '" />' . "\n" . $header;
         $template->assign('header', $header);
         $template->assign('styles', $styles);
         $template->assign('bodyTemplate', $body);

workflow/engine/src/ProcessMaker/Util/helpers.php

@@ -376,6 +376,12 @@ function initUserSession($usrUid, $usrName)
     $_SESSION['USR_CSRF_TOKEN'] = Str::random(40);
 }
 
+/**
+ * Verify token for an incoming request.
+ *
+ * @param type $request
+ * @throws TokenMismatchException
+ */
 function verifyCsrfToken($request)
 {
     $headers = getallheaders();
@@ -386,11 +392,18 @@ function verifyCsrfToken($request)
         : null);
     $match = is_string($_SESSION['USR_CSRF_TOKEN'])
         && is_string($token)
+        && !empty($_SESSION['USR_CSRF_TOKEN'])
         && hash_equals($_SESSION['USR_CSRF_TOKEN'], $token);
     if (!$match) {
         throw new TokenMismatchException();
     }
 }
+
+/**
+ * Get the current user CSRF token.
+ *
+ * @return string
+ */
 function csrfToken()
 {
     return isset($_SESSION['USR_CSRF_TOKEN']) ? $_SESSION['USR_CSRF_TOKEN'] : '';