ServiceAdapter::decodeToken() - Code Metrics - Inspection of "Fix verify" - Gixx/WebHemi - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 5b56d7...ffd336 )

by Gabor

created 2018-11-06 09:49 UTC

ServiceAdapter::decodeToken() A

↳ Parent: ServiceAdapter

Complexity

Conditions	2
Paths	1

Size

Total Lines	8
Code Lines	5

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	0
CRAP Score	6

Importance

Changes

Metric	Value
cc	2
eloc	5
nc	1
nop	1
dl	0
loc	8
ccs	0
cts	7
cp	0
crap	6
rs	10
c	0
b	0
f	0

<?php
/**
 * WebHemi.
 *
 * PHP version 7.1
 *
 * @copyright 2012 - 2018 Gixx-web (http://www.gixx-web.com)
 * @license   https://opensource.org/licenses/MIT The MIT License (MIT)
 *
 * @link http://www.gixx-web.com
 */
declare(strict_types = 1);

namespace WebHemi\CSRF\ServiceAdapter\Base;

use WebHemi\CSRF\ServiceInterface;
use WebHemi\Session\ServiceInterface as SessionInterface;

/**
 * Class ServiceAdapter.
 */
class ServiceAdapter implements ServiceInterface
{
    protected $sessionManager;

    /**
     * ServiceInterface constructor.
     *
     * @param SessionInterface $sessionManager
     */
    public function __construct(SessionInterface $sessionManager)
    {
        $this->sessionManager = $sessionManager;
    }

    /**
     * Generate a CSRF token.
     *
     * @param string $key
     * @return string
     */
    public function generate(string $key) : string
    {
        $key = preg_replace('/[^a-zA-Z0-9]/', '', $key);
        $extra = $this->getClientHash();

        try {
            $randomString = bin2hex(random_bytes(16));
            $randomString = str_pad(substr($randomString, 0, 32), 32, 'a', STR_PAD_LEFT);
        } catch (\Throwable $error) {
            $randomString = $this->getRandomString(32);
        }

        $token = base64_encode(time() . $extra . $randomString);

        $this->sessionManager->set(self::SESSION_PREFIX.'_'.$key, $token);

        return $token;
    }

    /**
     * Check the CSRF token is valid.
     *
     * @param string $key
     * @param string $token
     * @param null|int $ttl
     * @param bool $multiple
     * @return bool
     */
    public function verify(string $key, string $token, ? int $ttl = null, bool $multiple = false) : bool
    {
        $key = preg_replace('/[^a-zA-Z0-9]/', '', $key);

        $sessionToken = $this->sessionManager->get(self::SESSION_PREFIX.'_'.$key) ?? '';

        if (!$multiple) {
            $this->sessionManager->delete(self::SESSION_PREFIX.'_'.$key);
        }

        $sessionToken = $this->decodeToken($sessionToken);
        $token = $this->decodeToken($token);

        return !((!empty($ttl) && $sessionToken['time'] + $ttl > time())
            || ($token['extra'] != $this->getClientHash())
            || ($sessionToken['randomString'] != $token['randomString'])
        );
    }

    /**
     * Decodes the given token.
     *
     * @param string $token
     * @return array
     */
    protected function decodeToken(string $token) : array
    {
        $token = base64_decode($token) ?: str_repeat('0', 82);

        return [
            'time' => substr($token, 0, 10),
            'extra' => substr($token, 10, 40),
            'randomString' => substr($token, 50),
        ];
    }

    /**
     * @return string
     */
    protected function getClientHash() : string
    {
        return sha1($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
    }

    /**
     * Generate a random string
     *
     * @param int $length
     * @return string
     */
    protected function getRandomString(int $length) : string
    {
        $seed = 'abcdef0123456789';
        $max = strlen($seed) - 1;
        $string = '';

        for ($i = 0; $i < $length; ++$i) {
            $string .= $seed[intval(mt_rand(0.0, $max))];
        }

        return $string;
    }
}


1			<?php
2			/**
3			* WebHemi.
4			*
5			* PHP version 7.1
6			*
7			* @copyright 2012 - 2018 Gixx-web (http://www.gixx-web.com)
8			* @license https://opensource.org/licenses/MIT The MIT License (MIT)
9			*
10			* @link http://www.gixx-web.com
11			*/
12			declare(strict_types = 1);
13
14			namespace WebHemi\CSRF\ServiceAdapter\Base;
15
16			use WebHemi\CSRF\ServiceInterface;
17			use WebHemi\Session\ServiceInterface as SessionInterface;
18
19			/**
20			* Class ServiceAdapter.
21			*/
22			class ServiceAdapter implements ServiceInterface
23			{
24			protected $sessionManager;
25
26			/**
27			* ServiceInterface constructor.
28			*
29			* @param SessionInterface $sessionManager
30			*/
31			public function __construct(SessionInterface $sessionManager)
32			{
33			$this->sessionManager = $sessionManager;
34			}
35
36			/**
37			* Generate a CSRF token.
38			*
39			* @param string $key
40			* @return string
41			*/
42			public function generate(string $key) : string
43			{
44			$key = preg_replace('/[^a-zA-Z0-9]/', '', $key);
45			$extra = $this->getClientHash();
46
47			try {
48			$randomString = bin2hex(random_bytes(16));
49			$randomString = str_pad(substr($randomString, 0, 32), 32, 'a', STR_PAD_LEFT);
50			} catch (\Throwable $error) {
51			$randomString = $this->getRandomString(32);
52			}
53
54			$token = base64_encode(time() . $extra . $randomString);
55
56			$this->sessionManager->set(self::SESSION_PREFIX.'_'.$key, $token);
57
58			return $token;
59			}
60
61			/**
62			* Check the CSRF token is valid.
63			*
64			* @param string $key
65			* @param string $token
66			* @param null\|int $ttl
67			* @param bool $multiple
68			* @return bool
69			*/
70			public function verify(string $key, string $token, ? int $ttl = null, bool $multiple = false) : bool
71			{
72			$key = preg_replace('/[^a-zA-Z0-9]/', '', $key);
73
74			$sessionToken = $this->sessionManager->get(self::SESSION_PREFIX.'_'.$key) ?? '';
75
76			if (!$multiple) {
77			$this->sessionManager->delete(self::SESSION_PREFIX.'_'.$key);
78			}
79
80			$sessionToken = $this->decodeToken($sessionToken);
81			$token = $this->decodeToken($token);
82
83			return !((!empty($ttl) && $sessionToken['time'] + $ttl > time())
84			\|\| ($token['extra'] != $this->getClientHash())
85			\|\| ($sessionToken['randomString'] != $token['randomString'])
86			);
87			}
88
89			/**
90			* Decodes the given token.
91			*
92			* @param string $token
93			* @return array
94			*/
95			protected function decodeToken(string $token) : array
96			{
97			$token = base64_decode($token) ?: str_repeat('0', 82);
98
99			return [
100			'time' => substr($token, 0, 10),
101			'extra' => substr($token, 10, 40),
102			'randomString' => substr($token, 50),
103			];
104			}
105
106			/**
107			* @return string
108			*/
109			protected function getClientHash() : string
110			{
111			return sha1($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
112			}
113
114			/**
115			* Generate a random string
116			*
117			* @param int $length
118			* @return string
119			*/
120			protected function getRandomString(int $length) : string
121			{
122			$seed = 'abcdef0123456789';
123			$max = strlen($seed) - 1;
124			$string = '';
125
126			for ($i = 0; $i < $length; ++$i) {
127			$string .= $seed[intval(mt_rand(0.0, $max))];
128			}
129
130			return $string;
131			}
132			}
133

Gixx / WebHemi

Push — master ( 5b56d7...ffd336 )

ServiceAdapter::decodeToken() A

Complexity

Size

Duplication

Code Coverage

Importance

Duplication Side-by-Side

Filter issues like