diogo
/
indieauth
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2023-08-20. You can view files and clone it, but cannot push or open issues or pull requests.
indieauth/src/Middleware/DoubleSubmitCookieCsrfMiddl...

93 lines
3.1 KiB
PHP
Raw Normal View History

Initial commit Sketched out first draft of how the library should work, stubbed a lot of the smaller utility classes required, and outlined the main handler functions for the IA Server.
2021-06-06 00:18:44 +01:00
<?php declare(strict_types=1);
Restructured src to use PSR-4 autoloading, moved many functions to functions.php
2021-06-06 14:13:13 +01:00
namespace Taproot\IndieAuth\Middleware;
Initial commit Sketched out first draft of how the library should work, stubbed a lot of the smaller utility classes required, and outlined the main handler functions for the IA Server.
2021-06-06 00:18:44 +01:00
use Nyholm\Psr7\Response;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Dflydev\FigCookies;
Finished first draft of the authorization endpoint implementation Made some minor tweaks and improvements to the utility classes Required some new dependencies Server::__construct now takes a single config array as the list of parameters was getting rather long.
2021-06-06 13:47:05 +01:00
use Psr\Log\LoggerAwareInterface;
use Psr\Log\LoggerInterface;
use Psr\Log\NullLogger;
Restructured src to use PSR-4 autoloading, moved many functions to functions.php
2021-06-06 14:13:13 +01:00
use function Taproot\IndieAuth\generateRandomString;
Initial commit Sketched out first draft of how the library should work, stubbed a lot of the smaller utility classes required, and outlined the main handler functions for the IA Server.
2021-06-06 00:18:44 +01:00
Finished first draft of the authorization endpoint implementation Made some minor tweaks and improvements to the utility classes Required some new dependencies Server::__construct now takes a single config array as the list of parameters was getting rather long.
2021-06-06 13:47:05 +01:00
class DoubleSubmitCookieCsrfMiddleware implements MiddlewareInterface, LoggerAwareInterface {
Initial commit Sketched out first draft of how the library should work, stubbed a lot of the smaller utility classes required, and outlined the main handler functions for the IA Server.
2021-06-06 00:18:44 +01:00
const READ_METHODS = ['HEAD', 'GET', 'OPTIONS'];
const TTL = 60 * 20;
const ATTRIBUTE = 'csrf';
const DEFAULT_ERROR_RESPONSE_STRING = 'Invalid or missing CSRF token!';
const CSRF_TOKEN_LENGTH = 128;
public string $attribute;
public int $ttl;
public callable $errorResponse;
public int $tokenLength;
Finished first draft of the authorization endpoint implementation Made some minor tweaks and improvements to the utility classes Required some new dependencies Server::__construct now takes a single config array as the list of parameters was getting rather long.
2021-06-06 13:47:05 +01:00
public LoggerInterface $logger;
public function __construct(string $attribute=self::ATTRIBUTE, int $ttl=self::TTL, $errorResponse=self::DEFAULT_ERROR_RESPONSE_STRING, $tokenLength=self::CSRF_TOKEN_LENGTH, $logger=null) {
Initial commit Sketched out first draft of how the library should work, stubbed a lot of the smaller utility classes required, and outlined the main handler functions for the IA Server.
2021-06-06 00:18:44 +01:00
$this->attribute = $attribute;
$this->ttl = $ttl;
$this->tokenLength = $tokenLength;
if (!is_callable($errorResponse)) {
if (!$errorResponse instanceof ResponseInterface) {
if (!is_string($errorResponse)) {
$errorResponse = self::DEFAULT_ERROR_RESPONSE_STRING;
}
$errorResponse = new Response(400, ['content-type' => 'text/plain'], $errorResponse);
}
$errorResponse = function (ServerRequestInterface $request) use ($errorResponse) { return $errorResponse; };
}
$this->errorResponse = $errorResponse;
Finished first draft of the authorization endpoint implementation Made some minor tweaks and improvements to the utility classes Required some new dependencies Server::__construct now takes a single config array as the list of parameters was getting rather long.
2021-06-06 13:47:05 +01:00
if (!$logger instanceof LoggerInterface) {
$logger = new NullLogger();
}
$this->logger = $logger;
}
public function setLogger(LoggerInterface $logger) {
$this->logger = $logger;
Initial commit Sketched out first draft of how the library should work, stubbed a lot of the smaller utility classes required, and outlined the main handler functions for the IA Server.
2021-06-06 00:18:44 +01:00
}
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface {
if (!in_array(strtoupper($request->getMethod()), self::READ_METHODS)) {
// This request is a write method and requires CSRF protection.
if (!$this->isValid($request)) {
return call_user_func($this->errorResponse, $request);
}
}
// Otherwise, generate a new CSRF token, add it to the request attributes, and as a cookie on the response.
$csrfToken = generateRandomString($this->tokenLength);
$request = $request->withAttribute($this->attribute, $csrfToken);
$response = $handler->handle($request);
// Add the new CSRF cookie, restricting its scope to match the current request.
$response = FigCookies\FigResponseCookies::set($response, FigCookies\SetCookie::create($this->attribute)
->withValue($csrfToken)
->withMaxAge($this->ttl)
->withSecure($request->getUri()->getScheme() == 'https')
->withDomain($request->getUri()->getHost())
->withPath($request->getUri()->getPath()));
return $response;
}
protected function isValid(ServerRequestInterface $request) {
if (in_array($this->attribute, $request->getParsedBody())) {
if (in_array($this->attribute, $request->getCookieParams())) {
return hash_equals($request->getParsedBody()[$this->attribute], $request->getCookieParams()[$this->attribute]);
}
}
return false;
}
}