|
1
|
|
|
<?php |
|
2
|
|
|
declare(strict_types=1); |
|
3
|
|
|
/** |
|
4
|
|
|
* Minotaur |
|
5
|
|
|
* |
|
6
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not |
|
7
|
|
|
* use this file except in compliance with the License. You may obtain a copy of |
|
8
|
|
|
* the License at |
|
9
|
|
|
* |
|
10
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0 |
|
11
|
|
|
* |
|
12
|
|
|
* Unless required by applicable law or agreed to in writing, software |
|
13
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
|
14
|
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
|
15
|
|
|
* License for the specific language governing permissions and limitations under |
|
16
|
|
|
* the License. |
|
17
|
|
|
* |
|
18
|
|
|
* @copyright 2015-2017 Appertly |
|
19
|
|
|
* @license Apache-2.0 |
|
20
|
|
|
*/ |
|
21
|
|
|
namespace Minotaur\Http; |
|
22
|
|
|
|
|
23
|
|
|
use Psr\Http\Message\ServerRequestInterface as Request; |
|
24
|
|
|
use Psr\Http\Message\ResponseInterface as Response; |
|
25
|
|
|
|
|
26
|
|
|
/** |
|
27
|
|
|
* CSRF token verification plugin for the middleware dispatcher. |
|
28
|
|
|
* |
|
29
|
|
|
*/ |
|
30
|
|
|
class SeaSurfer implements \Minotaur\Route\Plugin |
|
31
|
|
|
{ |
|
32
|
|
|
/** |
|
33
|
|
|
* The HTTP default methods |
|
34
|
|
|
*/ |
|
35
|
|
|
protected const DEFAULT_METHODS = ['POST', 'PUT', 'DELETE']; |
|
36
|
|
|
|
|
37
|
|
|
/** |
|
38
|
|
|
* @var \Caridea\Session\CsrfPlugin |
|
39
|
|
|
*/ |
|
40
|
|
|
protected $plugin; |
|
41
|
|
|
|
|
42
|
|
|
/** |
|
43
|
|
|
* @var \Minotaur\ErrorLogger |
|
44
|
|
|
*/ |
|
45
|
|
|
protected $errorLogger; |
|
46
|
|
|
|
|
47
|
|
|
/** |
|
48
|
|
|
* @var string |
|
49
|
|
|
*/ |
|
50
|
|
|
protected $field; |
|
51
|
|
|
|
|
52
|
|
|
/** |
|
53
|
|
|
* @var string |
|
54
|
|
|
*/ |
|
55
|
|
|
protected $hostname; |
|
56
|
|
|
|
|
57
|
|
|
/** |
|
58
|
|
|
* @var bool |
|
59
|
|
|
*/ |
|
60
|
|
|
protected $blockMissingSource; |
|
61
|
|
|
|
|
62
|
|
|
/** |
|
63
|
|
|
* @var array<string> The HTTP methods where this verification will happen |
|
64
|
|
|
*/ |
|
65
|
|
|
protected $methods; |
|
66
|
|
|
|
|
67
|
|
|
/** |
|
68
|
|
|
* Creates a new SeaSurfer. |
|
69
|
|
|
* |
|
70
|
|
|
* @param $plugin - The CSRF session plugin |
|
71
|
|
|
* @param $errorLogger - The error logger |
|
72
|
|
|
* @param $field - The body field in which to find the CSRF token |
|
73
|
|
|
* @param $hostname - The expected hostname to match |
|
74
|
|
|
* @param $blockMissingSource - If we should stop requests with no Origin/Referer |
|
75
|
|
|
* @param array<string> $methods - The HTTP methods under which this check is run |
|
76
|
|
|
*/ |
|
77
|
12 |
|
public function __construct( |
|
78
|
|
|
\Caridea\Session\CsrfPlugin $plugin, |
|
79
|
|
|
\Minotaur\ErrorLogger $errorLogger, |
|
80
|
|
|
string $field = 'csrfToken', |
|
81
|
|
|
string $hostname = '', |
|
82
|
|
|
bool $blockMissingSource = true, |
|
83
|
|
|
array $methods = [] |
|
84
|
|
|
) { |
|
85
|
12 |
|
$this->plugin = $plugin; |
|
86
|
12 |
|
$this->errorLogger = $errorLogger; |
|
87
|
12 |
|
$this->field = $field; |
|
88
|
12 |
|
$this->hostname = $hostname; |
|
89
|
12 |
|
$this->blockMissingSource = $blockMissingSource; |
|
90
|
12 |
|
$this->methods = $methods ?: self::DEFAULT_METHODS; |
|
91
|
12 |
|
} |
|
92
|
|
|
|
|
93
|
|
|
/** |
|
94
|
|
|
* Gets the plugin priority; larger means first. |
|
95
|
|
|
* |
|
96
|
|
|
* @return - The plugin priority |
|
|
|
|
|
|
97
|
|
|
*/ |
|
98
|
|
|
public function getPriority(): int |
|
99
|
|
|
{ |
|
100
|
|
|
return 1999999; |
|
101
|
|
|
} |
|
102
|
|
|
|
|
103
|
|
|
/** |
|
104
|
|
|
* Allows a plugin to issue a response before the request is dispatched. |
|
105
|
|
|
* |
|
106
|
|
|
* @param $request - The server request |
|
107
|
|
|
* @param $response - The response |
|
108
|
|
|
* @return - The response |
|
|
|
|
|
|
109
|
|
|
*/ |
|
110
|
12 |
|
public function __invoke(Request $request, Response $response, callable $next): Response |
|
111
|
|
|
{ |
|
112
|
12 |
|
if (in_array($request->getMethod(), $this->methods, true)) { |
|
113
|
|
|
try { |
|
114
|
11 |
|
$principal = $request->getAttribute('principal'); |
|
115
|
11 |
|
if (!($principal instanceof \Caridea\Auth\Principal)) { |
|
116
|
|
|
throw new \UnexpectedValueException("Request attribute 'principal' must be a Principal"); |
|
117
|
|
|
} |
|
118
|
11 |
|
if (!$principal->isAnonymous()) { |
|
119
|
10 |
|
$this->verifyOrigin($request); |
|
120
|
7 |
|
$this->verifyToken($request); |
|
121
|
|
|
} |
|
122
|
6 |
|
} catch (\OutOfBoundsException $e) { |
|
123
|
1 |
|
$this->errorLogger->log($e); |
|
124
|
1 |
|
$response->getBody()->write($e->getMessage()); |
|
125
|
1 |
|
return $response->withStatus(449, "Retry With"); |
|
126
|
5 |
|
} catch (\UnexpectedValueException $e) { |
|
127
|
5 |
|
$this->errorLogger->log($e); |
|
128
|
5 |
|
$response->getBody()->write($e->getMessage()); |
|
129
|
5 |
|
return $response->withStatus(440, "Login Timeout"); |
|
130
|
|
|
} |
|
131
|
|
|
} |
|
132
|
6 |
|
return $next($request, $response); |
|
133
|
|
|
} |
|
134
|
|
|
|
|
135
|
|
|
/** |
|
136
|
|
|
* Performs the verification. |
|
137
|
|
|
*/ |
|
138
|
10 |
|
protected function verifyOrigin(Request $request): void |
|
139
|
|
|
{ |
|
140
|
10 |
|
$source = strstr($request->getHeaderLine('Origin'), ' ', true) ?: |
|
141
|
10 |
|
$request->getHeaderLine('Referer'); |
|
142
|
10 |
|
if (!$source && $this->blockMissingSource) { |
|
143
|
1 |
|
throw new \OutOfBoundsException("CSRF: Origin and Referer headers missing"); |
|
144
|
|
|
} |
|
145
|
9 |
|
$hostname = $this->hostname; |
|
146
|
9 |
|
if (!$hostname) { |
|
147
|
3 |
|
$hostname = $request->getHeaderLine('Host'); |
|
148
|
3 |
|
$forwardedHost = $request->getHeaderLine('X-Forwarded-Host'); |
|
149
|
3 |
|
if ($forwardedHost) { |
|
150
|
2 |
|
$hostname = $forwardedHost; |
|
151
|
|
|
} |
|
152
|
|
|
} |
|
153
|
9 |
|
$sourceUrl = parse_url($source); |
|
154
|
9 |
|
$sourceHost = $source ? $sourceUrl['host'] : ''; |
|
155
|
9 |
|
if ($source && strpos($hostname, ':') !== false) { |
|
156
|
|
|
$sourceHost .= ':' . $sourceUrl['port']; |
|
157
|
|
|
} |
|
158
|
9 |
|
if ($source && strcasecmp($sourceHost, $hostname) !== 0) { |
|
159
|
3 |
|
throw new \UnexpectedValueException("CSRF: Unauthenticated session"); |
|
160
|
|
|
} |
|
161
|
6 |
|
} |
|
162
|
|
|
|
|
163
|
|
|
/** |
|
164
|
|
|
* Performs the verification. |
|
165
|
|
|
*/ |
|
166
|
6 |
|
protected function verifyToken(Request $request): void |
|
167
|
|
|
{ |
|
168
|
6 |
|
if ($request->getHeaderLine('X-Requested-With') == 'XMLHttpRequest') { |
|
169
|
1 |
|
return; |
|
170
|
|
|
} |
|
171
|
5 |
|
$body = $request->getParsedBody(); |
|
172
|
5 |
|
$token = is_array($body) ? ($body[$this->field] ?? null) : null; |
|
173
|
5 |
|
if (!$this->plugin->isValid($token ?? '')) { |
|
174
|
1 |
|
throw new \UnexpectedValueException("CSRF: Unauthenticated session"); |
|
175
|
|
|
} |
|
176
|
3 |
|
} |
|
177
|
|
|
} |
|
178
|
|
|
|
appertly /
minotaur
Jonathan Hawk
Loading history...
This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types.