Hash UserTokens for security improvement

This commit is contained in:
Roman 2024-12-27 13:02:39 +01:00
parent caab707a17
commit 771fc8675f
10 changed files with 767 additions and 272 deletions

@ -167,7 +167,7 @@ namespace Core\API\GpgKey {
$currentUser = $this->context->getUser(); $currentUser = $this->context->getUser();
$gpgKey = $currentUser->getGPG(); $gpgKey = $currentUser->getGPG();
if (!$gpgKey) { if (!$gpgKey) {
return $this->createError("You have not added a GPG key yet."); return $this->createError("You have not added a GPG key yet");
} else if ($gpgKey->isConfirmed()) { } else if ($gpgKey->isConfirmed()) {
return $this->createError("Your GPG key is already confirmed"); return $this->createError("Your GPG key is already confirmed");
} }
@ -176,7 +176,7 @@ namespace Core\API\GpgKey {
$sql = $this->context->getSQL(); $sql = $this->context->getSQL();
$userToken = UserToken::findBy(UserToken::createBuilder($sql, true) $userToken = UserToken::findBy(UserToken::createBuilder($sql, true)
->whereEq("token", $token) ->whereEq("token", hash("sha512", $token, false))
->where(new Compare("valid_until", $sql->now(), ">=")) ->where(new Compare("valid_until", $sql->now(), ">="))
->whereEq("user_id", $currentUser->getId()) ->whereEq("user_id", $currentUser->getId())
->whereEq("token_type", UserToken::TYPE_GPG_CONFIRM)); ->whereEq("token_type", UserToken::TYPE_GPG_CONFIRM));
@ -186,7 +186,7 @@ namespace Core\API\GpgKey {
return $this->createError("Invalid token"); return $this->createError("Invalid token");
} else { } else {
if (!$gpgKey->confirm($sql)) { if (!$gpgKey->confirm($sql)) {
return $this->createError("Error updating gpg key: " . $sql->getLastError()); return $this->createError("Error updating GPG key: " . $sql->getLastError());
} }
$userToken->invalidate($sql); $userToken->invalidate($sql);

@ -124,7 +124,7 @@ namespace Core\API {
protected function checkToken(string $token) : UserToken|bool { protected function checkToken(string $token) : UserToken|bool {
$sql = $this->context->getSQL(); $sql = $this->context->getSQL();
$userToken = UserToken::findBy(UserToken::createBuilder($sql, true) $userToken = UserToken::findBy(UserToken::createBuilder($sql, true)
->whereEq("UserToken.token", $token) ->whereEq("UserToken.token", hash("sha512", $token, false))
->whereGt("UserToken.valid_until", $sql->now()) ->whereGt("UserToken.valid_until", $sql->now())
->whereFalse("UserToken.used") ->whereFalse("UserToken.used")
->fetchEntities()); ->fetchEntities());
@ -157,6 +157,7 @@ namespace Core\API\User {
use Core\Driver\SQL\Condition\CondOr; use Core\Driver\SQL\Condition\CondOr;
use Core\Driver\SQL\Expression\Alias; use Core\Driver\SQL\Expression\Alias;
use Core\Objects\DatabaseEntity\Group; use Core\Objects\DatabaseEntity\Group;
use Core\Objects\DatabaseEntity\Session;
use Core\Objects\DatabaseEntity\UserToken; use Core\Objects\DatabaseEntity\UserToken;
use Core\Driver\SQL\Column\Column; use Core\Driver\SQL\Column\Column;
use Core\Driver\SQL\Condition\Compare; use Core\Driver\SQL\Condition\Compare;
@ -727,6 +728,7 @@ namespace Core\API\User {
return $this->createError("You are not logged in."); return $this->createError("You are not logged in.");
} }
session_destroy();
$this->success = $session->destroy(); $this->success = $session->destroy();
$this->lastError = $this->context->getSQL()->getLastError(); $this->lastError = $this->context->getSQL()->getLastError();
return $this->success; return $this->success;
@ -1153,23 +1155,11 @@ namespace Core\API\User {
return true; return true;
} }
$userToken = UserToken::findBy(UserToken::createBuilder($sql, true)
->whereFalse("used")
->whereEq("token_type", UserToken::TYPE_EMAIL_CONFIRM)
->whereEq("user_id", $user->getId()));
$validHours = 48; $validHours = 48;
if ($userToken === false) { $token = generateRandomString(36);
return $this->createError("Error retrieving token details: " . $sql->getLastError()); $userToken = new UserToken($user, $token, UserToken::TYPE_EMAIL_CONFIRM, $validHours);
} else if ($userToken === null) { if (!$userToken->save($sql)) {
// no token generated yet, let's generate one return $this->createError("Error generating new token: " . $sql->getLastError());
$token = generateRandomString(36);
$userToken = new UserToken($user, $token, UserToken::TYPE_EMAIL_CONFIRM, $validHours);
if (!$userToken->save($sql)) {
return $this->createError("Error generating new token: " . $sql->getLastError());
}
} else {
$userToken->updateDurability($sql, $validHours);
} }
$username = $user->name; $username = $user->name;
@ -1180,7 +1170,7 @@ namespace Core\API\User {
$this->success = $req->execute([ $this->success = $req->execute([
"file" => "mail/confirm_email.twig", "file" => "mail/confirm_email.twig",
"parameters" => [ "parameters" => [
"link" => "$baseUrl/confirmEmail?token=" . $userToken->getToken(), "link" => "$baseUrl/confirmEmail?token=" . $token,
"site_name" => $siteName, "site_name" => $siteName,
"base_url" => $baseUrl, "base_url" => $baseUrl,
"username" => $username, "username" => $username,
@ -1495,4 +1485,90 @@ namespace Core\API\User {
return "Allows users to validate a token received in an e-mail for various purposes"; return "Allows users to validate a token received in an e-mail for various purposes";
} }
} }
class GetSessions extends UserAPI {
public function __construct(Context $context, bool $externalCall = false) {
parent::__construct($context, $externalCall, [
"active" => new Parameter("active", Parameter::TYPE_BOOLEAN, true, true)
]);
$this->loginRequired = true;
}
protected function _execute(): bool {
$sql = $this->context->getSQL();
$currentUser = $this->context->getUser();
$activeOnly = $this->getParam("active");
$query = Session::createBuilder($sql, false)
->whereEq("user_id", $currentUser->getId());
if ($activeOnly) {
$query->whereTrue("active")
->whereGt("expires", $sql->now());
}
$sessions = Session::findBy($query);
if ($sessions === false) {
return $this->createError("Error fetching sessions:" . $sql->getLastError());
}
$this->result["sessions"] = Session::toJsonArray($sessions, [
"id", "expires", "ipAddress", "os", "browser", "lastOnline"
]);
return true;
}
public static function getDescription(): string {
return "Shows logged-in sessions for a users account";
}
public static function getDefaultPermittedGroups(): array {
return [];
}
}
class DestroySession extends UserAPI {
public function __construct(Context $context, bool $externalCall = false) {
parent::__construct($context, $externalCall, [
"id" => new Parameter("id", Parameter::TYPE_INT)
]);
$this->loginRequired = true;
}
protected function _execute(): bool {
$sql = $this->context->getSQL();
$id = $this->getParam("id");
$currentUser = $this->context->getUser();
$query = Session::createBuilder($sql, true)
->whereEq("id", $id)
->whereEq("user_id", $currentUser->getId());
$session = Session::findBy($query);
if ($session === false) {
return $this->createError("Error fetching session:" . $sql->getLastError());
} else if ($session === null) {
return $this->createError("Invalid session");
}
$session->destroy();
if ($session->getId() === $this->context->getSession()->getId()) {
session_destroy();
}
return true;
}
public static function getDescription(): string {
return "Terminates a given user session";
}
public static function getDefaultPermittedGroups(): array {
return [];
}
}
} }

@ -0,0 +1,17 @@
<?php
use Core\Driver\SQL\Column\Column;
use Core\Driver\SQL\Column\StringColumn;
use Core\Driver\SQL\Expression\Hash;
use Core\Objects\DatabaseEntity\UserToken;
$handler = UserToken::getHandler($sql);
$columnSize = 512 / 8 * 2; // sha512 as hex
$tokenTable = $handler->getTableName();
$tokenColumn = $handler->getColumnName("token");
$queries[] = $sql->alterTable($tokenTable)
->modify(new StringColumn($tokenColumn, $columnSize));
$queries[] = $sql->update($tokenTable)
->set($tokenColumn, new Hash(Hash::SHA_512, new Column($tokenColumn)));

@ -0,0 +1,9 @@
<?php
use Core\Driver\SQL\Column\DateTimeColumn;
use Core\Driver\SQL\Expression\CurrentTimeStamp;
use Core\Objects\DatabaseEntity\Session;
$handler = Session::getHandler($sql);
$queries[] = $sql->alterTable($handler->getTableName())
->add(new DateTimeColumn($handler->getColumnName("lastOnline"), false, new CurrentTimeStamp()));

@ -0,0 +1,44 @@
<?php
namespace Core\Driver\SQL\Expression;
use Core\Driver\SQL\MySQL;
use Core\Driver\SQL\PostgreSQL;
use Core\Driver\SQL\SQL;
class Hash extends Expression {
const SHA_128 = 0;
const SHA_256 = 1;
const SHA_512 = 2;
private int $hashType;
private mixed $value;
public function __construct(int $hashType, mixed $value) {
$this->hashType = $hashType;
$this->value = $value;
}
function getExpression(SQL $sql, array &$params): string {
if ($sql instanceof MySQL) {
$val = $sql->addValue($this->value, $params);
return match ($this->hashType) {
self::SHA_128 => "SHA2($val, 128)",
self::SHA_256 => "SHA2($val, 256)",
self::SHA_512 => "SHA2($val, 512)",
default => throw new \Exception("HASH() not implemented for hash type: " . $this->hashType),
};
} elseif ($sql instanceof PostgreSQL) {
$val = $sql->addValue($this->value, $params);
return match ($this->hashType) {
self::SHA_128 => "digest($val, 'sha128')",
self::SHA_256 => "digest($val, 'sha256')",
self::SHA_512 => "digest($val, 'sha512')",
default => throw new \Exception("HASH() not implemented for hash type: " . $this->hashType),
};
} else {
throw new \Exception("HASH() not implemented for driver type: " . get_class($sql));
}
}
}

@ -6,7 +6,8 @@
"christian-riesen/base32": "^1.6", "christian-riesen/base32": "^1.6",
"spomky-labs/cbor-php": "^3.0", "spomky-labs/cbor-php": "^3.0",
"web-auth/cose-lib": "^4.0", "web-auth/cose-lib": "^4.0",
"html2text/html2text": "^4.3" "html2text/html2text": "^4.3",
"geoip2/geoip2": "~2.0"
}, },
"require-dev": { "require-dev": {
"phpunit/phpunit": "^9.6" "phpunit/phpunit": "^9.6"

824
Core/External/composer.lock generated vendored

File diff suppressed because it is too large Load Diff

@ -2,6 +2,7 @@
namespace Core\Objects\DatabaseEntity; namespace Core\Objects\DatabaseEntity;
use Core\Driver\SQL\Expression\CurrentTimeStamp;
use DateTime; use DateTime;
use Exception; use Exception;
use Core\Objects\Context; use Core\Objects\Context;
@ -20,6 +21,7 @@ class Session extends DatabaseEntity {
private User $user; private User $user;
private DateTime $expires; private DateTime $expires;
#[MaxLength(45)] private string $ipAddress; #[MaxLength(45)] private string $ipAddress;
#[MaxLength(36)] protected string $uuid; #[MaxLength(36)] protected string $uuid;
#[DefaultValue(true)] private bool $active; #[DefaultValue(true)] private bool $active;
#[MaxLength(64)] private ?string $os; #[MaxLength(64)] private ?string $os;
@ -28,6 +30,9 @@ class Session extends DatabaseEntity {
#[MaxLength(16)] private string $csrfToken; #[MaxLength(16)] private string $csrfToken;
#[Json] private mixed $data; #[Json] private mixed $data;
#[DefaultValue(CurrentTimeStamp::class)]
private DateTime $lastOnline;
public function __construct(Context $context, User $user, ?string $csrfToken = null) { public function __construct(Context $context, User $user, ?string $csrfToken = null) {
parent::__construct(); parent::__construct();
$this->context = $context; $this->context = $context;
@ -81,7 +86,7 @@ class Session extends DatabaseEntity {
$userAgent = @get_browser($_SERVER['HTTP_USER_AGENT'], true); $userAgent = @get_browser($_SERVER['HTTP_USER_AGENT'], true);
$this->os = $userAgent['platform'] ?? "Unknown"; $this->os = $userAgent['platform'] ?? "Unknown";
$this->browser = $userAgent['parent'] ?? "Unknown"; $this->browser = $userAgent['parent'] ?? "Unknown";
} catch (Exception $ex) { } catch (Exception) {
$this->os = "Unknown"; $this->os = "Unknown";
$this->browser = "Unknown"; $this->browser = "Unknown";
} }
@ -112,7 +117,6 @@ class Session extends DatabaseEntity {
} }
public function destroy(): bool { public function destroy(): bool {
session_destroy();
$this->active = false; $this->active = false;
return $this->save($this->context->getSQL(), ["active"]); return $this->save($this->context->getSQL(), ["active"]);
} }
@ -120,6 +124,7 @@ class Session extends DatabaseEntity {
public function update(): bool { public function update(): bool {
$this->updateMetaData(); $this->updateMetaData();
$this->lastOnline = new DateTime();
$this->expires = (new DateTime())->modify(sprintf("+%d second", Session::DURATION)); $this->expires = (new DateTime())->modify(sprintf("+%d second", Session::DURATION));
$this->data = json_encode($_SESSION ?? []); $this->data = json_encode($_SESSION ?? []);

@ -21,7 +21,7 @@ class UserToken extends DatabaseEntity {
self::TYPE_INVITE, self::TYPE_GPG_CONFIRM self::TYPE_INVITE, self::TYPE_GPG_CONFIRM
]; ];
#[MaxLength(36)] #[MaxLength(128)]
#[Visibility(Visibility::NONE)] #[Visibility(Visibility::NONE)]
private string $token; private string $token;
@ -37,7 +37,7 @@ class UserToken extends DatabaseEntity {
public function __construct(User $user, string $token, string $type, int $validHours) { public function __construct(User $user, string $token, string $type, int $validHours) {
parent::__construct(); parent::__construct();
$this->user = $user; $this->user = $user;
$this->token = $token; $this->token = hash("sha512", $token, false);
$this->tokenType = $type; $this->tokenType = $type;
$this->validUntil = (new \DateTime())->modify("+$validHours HOUR"); $this->validUntil = (new \DateTime())->modify("+$validHours HOUR");
$this->used = false; $this->used = false;
@ -55,13 +55,4 @@ class UserToken extends DatabaseEntity {
public function getUser(): User { public function getUser(): User {
return $this->user; return $this->user;
} }
public function updateDurability(SQL $sql, int $validHours): bool {
$this->validUntil = (new \DateTime())->modify("+$validHours HOURS");
return $this->save($sql, ["validUntil"]);
}
public function getToken(): string {
return $this->token;
}
} }

@ -10,7 +10,7 @@ if (is_file($autoLoad)) {
require_once $autoLoad; require_once $autoLoad;
} }
const WEBBASE_VERSION = "2.4.4"; const WEBBASE_VERSION = "2.4.5";
spl_autoload_extensions(".php"); spl_autoload_extensions(".php");
spl_autoload_register(function ($class) { spl_autoload_register(function ($class) {