1 | <?php |
||
2 | declare(strict_types=1); |
||
3 | |||
4 | namespace hiapi\Core\Http\Psr15\Middleware; |
||
5 | |||
6 | use hiapi\Core\Utils\CIDR; |
||
7 | use Psr\Http\Message\ResponseInterface; |
||
8 | use Psr\Http\Message\ServerRequestInterface; |
||
9 | use Psr\Http\Server\MiddlewareInterface; |
||
10 | use Psr\Http\Server\RequestHandlerInterface; |
||
11 | |||
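/**
 * PSR-15 middleware that resolves the effective client IP and publishes it as a request attribute.
 *
 * The attribute always starts out as the direct peer address (REMOTE_ADDR). Only when that
 * peer lies inside one of the trusted networks may the request replace it, using the
 * `X-User-Ip` header or, when the header is empty, the `auth_ip` body/query parameter.
 *
 * Security notes:
 *  - Every host inside the trusted networks can assert an arbitrary client IP, so the list
 *    should contain only the proxies/gateways that set these values themselves.
 *  - The override is written to the request attribute and to $_SERVER['REMOTE_ADDR'];
 *    $request->getServerParams() keeps the original peer address.
 *  - Only $_REQUEST['auth_ip'] is cleared; the PSR-7 parsed body and query params still
 *    carry the parameter.
 */
class UserRealIpMiddleware implements MiddlewareInterface
{
    public const ATTRIBUTE_NAME = 'user-real-ip';

    /**
     * @var string[] Networks that are allowed to override client IP
     */
    private array $trustedNets;

    /** Name of the request attribute that receives the resolved IP. */
    public string $ipAttribute = self::ATTRIBUTE_NAME;

    /**
     * @param string[] $trustedNets networks whose hosts may override the client IP
     */
    public function __construct(array $trustedNets)
    {
        $this->trustedNets = $trustedNets;
    }

    /**
     * @inheritDoc
     */
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        return $handler->handle($this->prepare($request));
    }

    /**
     * Attaches the resolved client IP to the request.
     *
     * The peer address is stored first; it is replaced only if the peer is trusted
     * and supplies a valid, different IP.
     */
    private function prepare(ServerRequestInterface $request): ServerRequestInterface
    {
        $peerIp = $this->getIp($request);
        $request = $request->withAttribute($this->ipAttribute, $peerIp);

        // Fail closed: a request without a peer address (e.g. no REMOTE_ADDR in the
        // server params) must never be treated as coming from a trusted network.
        if ($peerIp === '' || !CIDR::matchBulk($peerIp, $this->trustedNets)) {
            return $request;
        }

        $claimedIp = $this->getNewIp($request);
        if ($claimedIp === '' || $claimedIp === $peerIp) {
            return $request;
        }

        return $this->setNewIp($request, $claimedIp);
    }

    /**
     * Returns the direct peer address, or '' when REMOTE_ADDR is absent or not a string.
     */
    private function getIp(ServerRequestInterface $request): string
    {
        $addr = $request->getServerParams()['REMOTE_ADDR'] ?? '';

        // Under strict_types a non-string here would raise a TypeError on return.
        return is_string($addr) ? $addr : '';
    }

    /**
     * Returns the IP claimed by the request, or '' when none is given or it is not a valid IP.
     *
     * getHeaderLine() joins repeated `X-User-Ip` headers with commas; such a value fails
     * FILTER_VALIDATE_IP and therefore yields no override.
     */
    private function getNewIp(ServerRequestInterface $request): string
    {
        $change = $request->getHeaderLine('X-User-Ip') ?: $this->getParam($request, 'auth_ip');

        return filter_var($change, FILTER_VALIDATE_IP) ?: '';
    }

    /**
     * Applies the overriding IP to the request attribute and to the legacy superglobals.
     */
    private function setNewIp(ServerRequestInterface $request, string $ip): ServerRequestInterface
    {
        // Legacy compatibility: code that still reads the superglobals sees the new IP
        // and no longer sees the override parameter in $_REQUEST.
        unset($_REQUEST['auth_ip']);
        $_SERVER['REMOTE_ADDR'] = $ip;

        // XXX TODO: ServerRequestInterface defines no withServerParams(), so the server
        // params on the request cannot be updated; only the attribute carries the new IP.
        return $request->withAttribute($this->ipAttribute, $ip);
    }

    /**
     * Reads a string parameter from the parsed body, falling back to the query string.
     *
     * The parsed body may be null or an object and a parameter may arrive as an array
     * (`auth_ip[]=...`); anything that is not a string is treated as absent instead of
     * raising an Error/TypeError on client-supplied input.
     */
    private function getParam(ServerRequestInterface $request, string $name): ?string
    {
        $body = $request->getParsedBody();
        $fromBody = (is_array($body) || $body instanceof \ArrayAccess) ? ($body[$name] ?? null) : null;
        $value = $fromBody ?? $request->getQueryParams()[$name] ?? null;

        return is_string($value) ? $value : null;
    }
}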