Hash UserTokens for security improvement
@@ -2,6 +2,7 @@
|
||||
|
||||
namespace Core\Objects\DatabaseEntity;
|
||||
|
||||
use Core\Driver\SQL\Expression\CurrentTimeStamp;
|
||||
use DateTime;
|
||||
use Exception;
|
||||
use Core\Objects\Context;
|
||||
@@ -20,6 +21,7 @@ class Session extends DatabaseEntity {
|
||||
private User $user;
|
||||
private DateTime $expires;
|
||||
#[MaxLength(45)] private string $ipAddress;
|
||||
|
||||
#[MaxLength(36)] protected string $uuid;
|
||||
#[DefaultValue(true)] private bool $active;
|
||||
#[MaxLength(64)] private ?string $os;
|
||||
@@ -28,6 +30,9 @@ class Session extends DatabaseEntity {
|
||||
#[MaxLength(16)] private string $csrfToken;
|
||||
#[Json] private mixed $data;
|
||||
|
||||
#[DefaultValue(CurrentTimeStamp::class)]
|
||||
private DateTime $lastOnline;
|
||||
|
||||
public function __construct(Context $context, User $user, ?string $csrfToken = null) {
|
||||
parent::__construct();
|
||||
$this->context = $context;
|
||||
@@ -81,7 +86,7 @@ class Session extends DatabaseEntity {
|
||||
$userAgent = @get_browser($_SERVER['HTTP_USER_AGENT'], true);
|
||||
$this->os = $userAgent['platform'] ?? "Unknown";
|
||||
$this->browser = $userAgent['parent'] ?? "Unknown";
|
||||
} catch (Exception $ex) {
|
||||
} catch (Exception) {
|
||||
$this->os = "Unknown";
|
||||
$this->browser = "Unknown";
|
||||
}
|
||||
@@ -112,7 +117,6 @@ class Session extends DatabaseEntity {
|
||||
}
|
||||
|
||||
public function destroy(): bool {
|
||||
session_destroy();
|
||||
$this->active = false;
|
||||
return $this->save($this->context->getSQL(), ["active"]);
|
||||
}
|
||||
@@ -120,6 +124,7 @@ class Session extends DatabaseEntity {
|
||||
public function update(): bool {
|
||||
$this->updateMetaData();
|
||||
|
||||
$this->lastOnline = new DateTime();
|
||||
$this->expires = (new DateTime())->modify(sprintf("+%d second", Session::DURATION));
|
||||
$this->data = json_encode($_SESSION ?? []);
|
||||
|
||||
|
||||
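Review bot: In the `update()` hunk the added `$this->lastOnline = new DateTime();` stamps the row with the PHP process clock and its default timezone, while the property is declared with `#[DefaultValue(CurrentTimeStamp::class)]`, i.e. the database clock; if the two disagree (timezone setting or skew), any SQL-side comparison on `lastOnline` — and on `expires`, which is computed the same way on the next line — drifts by that offset. I would pin the zone explicitly, `$this->lastOnline = new DateTime('now', new \DateTimeZone('UTC'));` (assuming the DB column is stored as UTC — not visible here), or derive both timestamps from a single clock source. The `save()` call that persists `update()`'s changes lies outside the hunk, so confirm that `lastOnline` is part of its column list, otherwise the new value is set in memory only. Whether `new DateTime()` was newly added or merely shifted is inferred from the 6→7 line count, since the rendered page lost the side markers.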
@@ -21,7 +21,7 @@ class UserToken extends DatabaseEntity {
|
||||
self::TYPE_INVITE, self::TYPE_GPG_CONFIRM
|
||||
];
|
||||
|
||||
#[MaxLength(36)]
|
||||
#[MaxLength(128)]
|
||||
#[Visibility(Visibility::NONE)]
|
||||
private string $token;
|
||||
|
||||
@@ -37,7 +37,7 @@ class UserToken extends DatabaseEntity {
|
||||
public function __construct(User $user, string $token, string $type, int $validHours) {
|
||||
parent::__construct();
|
||||
$this->user = $user;
|
||||
$this->token = $token;
|
||||
$this->token = hash("sha512", $token, false);
|
||||
$this->tokenType = $type;
|
||||
$this->validUntil = (new \DateTime())->modify("+$validHours HOUR");
|
||||
$this->used = false;
|
||||
@@ -55,13 +55,4 @@ class UserToken extends DatabaseEntity {
|
||||
public function getUser(): User {
|
||||
return $this->user;
|
||||
}
|
||||
|
||||
public function updateDurability(SQL $sql, int $validHours): bool {
|
||||
$this->validUntil = (new \DateTime())->modify("+$validHours HOURS");
|
||||
return $this->save($sql, ["validUntil"]);
|
||||
}
|
||||
|
||||
public function getToken(): string {
|
||||
return $this->token;
|
||||
}
|
||||
}
|
||||
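Review bot: In the constructor hunk, `$this->token = hash("sha512", $token, false);` means the object retains only the digest, so the caller must keep the raw `$token` to deliver it to the user, and every lookup path (not part of this diff) must hash the presented value before querying; rows written before this change still hold plaintext (the old `MaxLength(36)` column) and will never match a hashed lookup, so they need a migration or expiry. Unsalted SHA-512 is an adequate storage form only when `$token` is a high-entropy CSPRNG value (e.g. from `random_bytes()`); the generator is not visible here and that assumption deserves to be written down. I would document the contract above the assignment: `// Only the SHA-512 hex digest (128 chars, matching MaxLength) is persisted; callers keep the raw token for delivery and must hash a presented token before lookup.` The last hunk's 13→4 line count suggests `getToken()` and `updateDurability()` were removed, which is consistent with the digest being of no use to callers, but the side markers are lost on this rendered page so that is inferred.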