These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | |||
3 | namespace BeyondCode\LaravelWebSockets\HttpApi\Controllers; |
||
4 | |||
5 | use Exception; |
||
6 | use Pusher\Pusher; |
||
7 | use Illuminate\Support\Arr; |
||
8 | use Illuminate\Http\Request; |
||
9 | use GuzzleHttp\Psr7\Response; |
||
10 | use Ratchet\ConnectionInterface; |
||
11 | use Illuminate\Http\JsonResponse; |
||
12 | use GuzzleHttp\Psr7\ServerRequest; |
||
13 | use Illuminate\Support\Collection; |
||
14 | use Ratchet\Http\HttpServerInterface; |
||
15 | use Psr\Http\Message\RequestInterface; |
||
16 | use BeyondCode\LaravelWebSockets\Apps\App; |
||
17 | use BeyondCode\LaravelWebSockets\QueryParameters; |
||
18 | use Symfony\Component\HttpKernel\Exception\HttpException; |
||
19 | use Symfony\Bridge\PsrHttpMessage\Factory\HttpFoundationFactory; |
||
20 | use BeyondCode\LaravelWebSockets\WebSockets\Channels\ChannelManager; |
||
21 | |||
22 | abstract class Controller implements HttpServerInterface |
||
23 | { |
||
24 | /** @var string */ |
||
25 | protected $requestBuffer = ''; |
||
26 | |||
27 | /** @var RequestInterface */ |
||
28 | protected $request; |
||
29 | |||
30 | /** @var int */ |
||
31 | protected $contentLength; |
||
32 | |||
33 | /** @var \BeyondCode\LaravelWebSockets\WebSockets\Channels\ChannelManager */ |
||
34 | protected $channelManager; |
||
35 | |||
36 | public function __construct(ChannelManager $channelManager) |
||
37 | { |
||
38 | $this->channelManager = $channelManager; |
||
39 | } |
||
40 | |||
41 | public function onOpen(ConnectionInterface $connection, RequestInterface $request = null) |
||
42 | { |
||
43 | $this->request = $request; |
||
44 | |||
45 | $this->contentLength = $this->findContentLength($request->getHeaders()); |
||
46 | |||
47 | $this->requestBuffer = (string) $request->getBody(); |
||
48 | |||
49 | $this->checkContentLength($connection); |
||
50 | } |
||
51 | |||
52 | protected function findContentLength(array $headers): int |
||
53 | { |
||
54 | return Collection::make($headers)->first(function ($values, $header) { |
||
55 | return strtolower($header) === 'content-length'; |
||
56 | }); |
||
57 | } |
||
58 | |||
59 | public function onMessage(ConnectionInterface $from, $msg) |
||
60 | { |
||
61 | $this->requestBuffer .= $msg; |
||
62 | |||
63 | $this->checkContentLength(); |
||
64 | } |
||
65 | |||
66 | protected function checkContentLength(ConnectionInterface $connection) |
||
67 | { |
||
68 | if (strlen($this->requestBuffer) === $this->contentLength) { |
||
69 | $serverRequest = (new ServerRequest( |
||
70 | $this->request->getMethod(), |
||
71 | $this->request->getUri(), |
||
72 | $this->request->getHeaders(), |
||
73 | $this->requestBuffer, |
||
74 | $this->request->getProtocolVersion() |
||
75 | ))->withQueryParams(QueryParameters::create($this->request)->all()); |
||
76 | |||
77 | $laravelRequest = Request::createFromBase((new HttpFoundationFactory)->createRequest($serverRequest)); |
||
78 | |||
79 | $this |
||
80 | ->ensureValidAppId($laravelRequest->appId) |
||
81 | ->ensureValidSignature($laravelRequest); |
||
82 | |||
83 | $response = $this($laravelRequest); |
||
84 | |||
85 | $connection->send(JsonResponse::create($response)); |
||
86 | $connection->close(); |
||
87 | } |
||
88 | } |
||
89 | |||
90 | public function onClose(ConnectionInterface $connection) |
||
91 | { |
||
92 | } |
||
93 | |||
94 | public function onError(ConnectionInterface $connection, Exception $exception) |
||
95 | { |
||
96 | if (! $exception instanceof HttpException) { |
||
97 | return; |
||
98 | } |
||
99 | |||
100 | $response = new Response($exception->getStatusCode(), [ |
||
101 | 'Content-Type' => 'application/json', |
||
102 | ], json_encode([ |
||
103 | 'error' => $exception->getMessage(), |
||
104 | ])); |
||
105 | |||
106 | $connection->send(\GuzzleHttp\Psr7\str($response)); |
||
107 | |||
108 | $connection->close(); |
||
109 | } |
||
110 | |||
111 | public function ensureValidAppId(string $appId) |
||
112 | { |
||
113 | if (! App::findById($appId)) { |
||
114 | throw new HttpException(401, "Unknown app id `{$appId}` provided."); |
||
115 | } |
||
116 | |||
117 | return $this; |
||
118 | } |
||
119 | |||
120 | protected function ensureValidSignature(Request $request) |
||
121 | { |
||
122 | /* |
||
123 | * The `auth_signature` & `body_md5` parameters are not included when calculating the `auth_signature` value. |
||
124 | * |
||
125 | * The `appId`, `appKey` & `channelName` parameters are actually route paramaters and are never supplied by the client. |
||
126 | */ |
||
127 | $params = Arr::except($request->query(), ['auth_signature', 'body_md5', 'appId', 'appKey', 'channelName']); |
||
0 ignored issues
–
show
|
|||
128 | |||
129 | if ($request->getContent() !== '') { |
||
130 | $params['body_md5'] = md5($request->getContent()); |
||
131 | } |
||
132 | |||
133 | ksort($params); |
||
134 | |||
135 | $signature = "{$request->getMethod()}\n/{$request->path()}\n".Pusher::array_implode('=', '&', $params); |
||
136 | |||
137 | $authSignature = hash_hmac('sha256', $signature, App::findById($request->get('appId'))->secret); |
||
138 | |||
139 | if ($authSignature !== $request->get('auth_signature')) { |
||
140 | throw new HttpException(401, 'Invalid auth signature provided.'); |
||
141 | } |
||
142 | |||
143 | return $this; |
||
144 | } |
||
145 | |||
146 | abstract public function __invoke(Request $request); |
||
147 | } |
||
148 |
This check looks at variables that are passed out again to other methods.
If the outgoing method call has stricter type requirements than the method itself, an issue is raised.
An additional type check may prevent trouble.