These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | |||
3 | namespace BeyondCode\LaravelWebSockets\HttpApi\Controllers; |
||
4 | |||
5 | use Exception; |
||
6 | use Pusher\Pusher; |
||
7 | use Illuminate\Support\Arr; |
||
8 | use Illuminate\Http\Request; |
||
9 | use GuzzleHttp\Psr7\Response; |
||
10 | use Ratchet\ConnectionInterface; |
||
11 | use Illuminate\Http\JsonResponse; |
||
12 | use GuzzleHttp\Psr7\ServerRequest; |
||
13 | use Illuminate\Support\Collection; |
||
14 | use Ratchet\Http\HttpServerInterface; |
||
15 | use Psr\Http\Message\RequestInterface; |
||
16 | use BeyondCode\LaravelWebSockets\Apps\App; |
||
17 | use BeyondCode\LaravelWebSockets\QueryParameters; |
||
18 | use Symfony\Component\HttpKernel\Exception\HttpException; |
||
19 | use Symfony\Bridge\PsrHttpMessage\Factory\HttpFoundationFactory; |
||
20 | use BeyondCode\LaravelWebSockets\WebSockets\Channels\ChannelManager; |
||
21 | |||
22 | abstract class Controller implements HttpServerInterface |
||
23 | { |
||
24 | /** @var string */ |
||
25 | protected $requestBuffer = ''; |
||
26 | |||
27 | /** @var RequestInterface */ |
||
28 | protected $request; |
||
29 | |||
30 | /** @var int */ |
||
31 | protected $contentLength; |
||
32 | |||
33 | /** @var \BeyondCode\LaravelWebSockets\WebSockets\Channels\ChannelManager */ |
||
34 | protected $channelManager; |
||
35 | |||
36 | public function __construct(ChannelManager $channelManager) |
||
37 | { |
||
38 | $this->channelManager = $channelManager; |
||
39 | } |
||
40 | |||
41 | public function onOpen(ConnectionInterface $connection, RequestInterface $request = null) |
||
42 | { |
||
43 | $this->request = $request; |
||
44 | |||
45 | $this->contentLength = $this->findContentLength($request->getHeaders()); |
||
0 ignored issues
–
show
|
|||
46 | |||
47 | $this->requestBuffer = (string) $request->getBody(); |
||
48 | |||
49 | $this->checkContentLength($connection); |
||
50 | } |
||
51 | |||
52 | protected function findContentLength(array $headers): int |
||
53 | { |
||
54 | return Collection::make($headers)->first(function ($values, $header) { |
||
55 | return strtolower($header) === 'content-length'; |
||
56 | }); |
||
57 | } |
||
58 | |||
59 | public function onMessage(ConnectionInterface $from, $msg) |
||
60 | { |
||
61 | $this->requestBuffer .= $msg; |
||
62 | |||
63 | $this->checkContentLength(); |
||
0 ignored issues
–
show
|
|||
64 | } |
||
65 | |||
66 | protected function checkContentLength(ConnectionInterface $connection) |
||
67 | { |
||
68 | if (strlen($this->requestBuffer) === $this->contentLength) { |
||
69 | $serverRequest = (new ServerRequest( |
||
70 | $this->request->getMethod(), |
||
71 | $this->request->getUri(), |
||
72 | $this->request->getHeaders(), |
||
73 | $this->requestBuffer, |
||
74 | $this->request->getProtocolVersion() |
||
75 | ))->withQueryParams(QueryParameters::create($this->request)->all()); |
||
76 | |||
77 | $laravelRequest = Request::createFromBase((new HttpFoundationFactory)->createRequest($serverRequest)); |
||
78 | |||
79 | $this |
||
80 | ->ensureValidAppId($laravelRequest->appId) |
||
81 | ->ensureValidSignature($laravelRequest); |
||
82 | |||
83 | $response = $this($laravelRequest); |
||
84 | |||
85 | $connection->send(JsonResponse::create($response)); |
||
86 | $connection->close(); |
||
87 | } |
||
88 | } |
||
89 | |||
90 | public function onClose(ConnectionInterface $connection) |
||
91 | { |
||
92 | } |
||
93 | |||
94 | public function onError(ConnectionInterface $connection, Exception $exception) |
||
95 | { |
||
96 | if (! $exception instanceof HttpException) { |
||
97 | return; |
||
98 | } |
||
99 | |||
100 | $response = new Response($exception->getStatusCode(), [ |
||
101 | 'Content-Type' => 'application/json', |
||
102 | ], json_encode([ |
||
103 | 'error' => $exception->getMessage(), |
||
104 | ])); |
||
105 | |||
106 | $connection->send(\GuzzleHttp\Psr7\str($response)); |
||
107 | |||
108 | $connection->close(); |
||
109 | } |
||
110 | |||
111 | public function ensureValidAppId(string $appId) |
||
112 | { |
||
113 | if (! App::findById($appId)) { |
||
114 | throw new HttpException(401, "Unknown app id `{$appId}` provided."); |
||
115 | } |
||
116 | |||
117 | return $this; |
||
118 | } |
||
119 | |||
120 | protected function ensureValidSignature(Request $request) |
||
121 | { |
||
122 | /* |
||
123 | * The `auth_signature` & `body_md5` parameters are not included when calculating the `auth_signature` value. |
||
124 | * |
||
125 | * The `appId`, `appKey` & `channelName` parameters are actually route paramaters and are never supplied by the client. |
||
126 | */ |
||
127 | $params = Arr::except($request->query(), ['auth_signature', 'body_md5', 'appId', 'appKey', 'channelName']); |
||
0 ignored issues
–
show
It seems like
$request->query() targeting Illuminate\Http\Concerns...ractsWithInput::query() can also be of type null or string ; however, Illuminate\Support\Arr::except() does only seem to accept array , maybe add an additional type check?
This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble.
Loading history...
|
|||
128 | |||
129 | if ($request->getContent() !== '') { |
||
130 | $params['body_md5'] = md5($request->getContent()); |
||
131 | } |
||
132 | |||
133 | ksort($params); |
||
134 | |||
135 | $signature = "{$request->getMethod()}\n/{$request->path()}\n".Pusher::array_implode('=', '&', $params); |
||
136 | |||
137 | $authSignature = hash_hmac('sha256', $signature, App::findById($request->get('appId'))->secret); |
||
138 | |||
139 | if ($authSignature !== $request->get('auth_signature')) { |
||
140 | throw new HttpException(401, 'Invalid auth signature provided.'); |
||
141 | } |
||
142 | |||
143 | return $this; |
||
144 | } |
||
145 | |||
146 | abstract public function __invoke(Request $request); |
||
147 | } |
||
148 |
If a variable is not always an object, we recommend to add an additional type check to ensure your method call is safe: