CSRF Token + small fixes

core/Objects/Session.class.php

@@ -19,15 +19,17 @@ class Session extends ApiObject {
   private ?string $os;
   private ?string $browser;
   private bool $stayLoggedIn;
+  private string $csrfToken;
 
-  public function __construct(User $user, ?int $sessionId) {
+  public function __construct(User $user, ?int $sessionId, ?string $csrfToken) {
     $this->user = $user;
     $this->sessionId = $sessionId;
     $this->stayLoggedIn = true;
+    $this->csrfToken = $csrfToken ?? generateRandomString(16);
   }
 
   public static function create($user, $stayLoggedIn) {
-    $session = new Session($user, null);
+    $session = new Session($user, null, null);
     if($session->insert($stayLoggedIn)) {
       return $session;
     }
@@ -85,6 +87,7 @@ class Session extends ApiObject {
       'ipAddress' => $this->ipAddress,
       'os' => $this->os,
       'browser' => $this->browser,
+      'csrf_token' => $this->csrfToken
     );
   }
 
@@ -93,7 +96,7 @@ class Session extends ApiObject {
     $sql = $this->user->getSQL();
 
     $minutes = Session::DURATION;
-    $columns = array("expires", "user_id", "ipAddress", "os", "browser", "data", "stay_logged_in");
+    $columns = array("expires", "user_id", "ipAddress", "os", "browser", "data", "stay_logged_in", "csrf_token");
 
     $success = $sql
       ->insert("Session", $columns)
@@ -104,7 +107,8 @@ class Session extends ApiObject {
         $this->os,
         $this->browser,
         json_encode($_SESSION),
-        $stayLoggedIn)
+        $stayLoggedIn,
+        $this->csrfToken)
       ->returning("uid")
       ->execute();
 
@@ -135,8 +139,13 @@ class Session extends ApiObject {
       ->set("Session.os", $this->os)
       ->set("Session.browser", $this->browser)
       ->set("Session.data", json_encode($_SESSION))
+      ->set("Session.csrf_token", $this->csrfToken)
       ->where(new Compare("Session.uid", $this->sessionId))
       ->where(new Compare("Session.user_id", $this->user->getId()))
       ->execute();
   }
+
+  public function getCsrfToken(): string {
+    return $this->csrfToken;
+  }
 }

core/Objects/User.class.php

@@ -71,12 +71,19 @@ class User extends ApiObject {
   }
 
   public function jsonSerialize() {
-    return array(
-      'uid' => $this->uid,
-      'name' => $this->username,
-      'language' => $this->language,
-      'session' => $this->session,
-    );
+    if ($this->isLoggedIn()) {
+      return array(
+        'uid' => $this->uid,
+        'name' => $this->username,
+        'groups' => $this->groups,
+        'language' => $this->language->jsonSerialize(),
+        'session' => $this->session->jsonSerialize(),
+      );
+    } else {
+      return array(
+         'language' => $this->language->jsonSerialize(),
+      );
+    }
   }
 
   private function reset() {
@@ -116,7 +123,7 @@ class User extends ApiObject {
   public function readData($userId, $sessionId, $sessionUpdate = true) {
 
     $res = $this->sql->select("User.name", "Language.uid as langId", "Language.code as langCode", "Language.name as langName",
-        "Session.data", "Session.stay_logged_in", "Group.uid as groupId", "Group.name as groupName")
+        "Session.data", "Session.stay_logged_in", "Session.csrf_token", "Group.uid as groupId", "Group.name as groupName")
         ->from("User")
         ->innerJoin("Session", "Session.user_id", "User.uid")
         ->leftJoin("Language", "User.language_id", "Language.uid")
@@ -134,9 +141,10 @@ class User extends ApiObject {
         $success = false;
       } else {
         $row = $res[0];
+        $csrfToken = $row["csrf_token"];
         $this->username = $row['name'];
         $this->uid = $userId;
-        $this->session = new Session($this, $sessionId);
+        $this->session = new Session($this, $sessionId, $csrfToken);
         $this->session->setData(json_decode($row["data"] ?? '{}'));
         $this->session->stayLoggedIn($row["stay_logged_in"]);
         if($sessionUpdate) $this->session->update();