CSRF Token + small fixes
This commit is contained in:
parent
8fc0b4bb05
commit
f87fdc83ae
@ -9,6 +9,7 @@ class Create extends Request {
|
||||
public function __construct($user, $externalCall = false) {
|
||||
parent::__construct($user, $externalCall, array());
|
||||
$this->apiKeyAllowed = false;
|
||||
$this->csrfTokenRequired = true;
|
||||
$this->loginRequired = true;
|
||||
}
|
||||
|
||||
|
@ -12,6 +12,7 @@ class Fetch extends Request {
|
||||
public function __construct($user, $externalCall = false) {
|
||||
parent::__construct($user, $externalCall, array());
|
||||
$this->loginRequired = true;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
public function execute($values = array()) {
|
||||
|
@ -13,6 +13,7 @@ class Refresh extends Request {
|
||||
"id" => new Parameter("id", Parameter::TYPE_INT),
|
||||
));
|
||||
$this->loginRequired = true;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function apiKeyExists() {
|
||||
|
@ -13,6 +13,7 @@ class Revoke extends Request {
|
||||
"id" => new Parameter("id", Parameter::TYPE_INT),
|
||||
));
|
||||
$this->loginRequired = true;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function apiKeyExists() {
|
||||
|
@ -17,6 +17,7 @@ class Create extends Request {
|
||||
'message' => new StringType('message', 256),
|
||||
));
|
||||
$this->isPublic = false;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function checkUser($userId) {
|
||||
|
@ -12,6 +12,7 @@ class Fetch extends Request {
|
||||
public function __construct($user, $externalCall = false) {
|
||||
parent::__construct($user, $externalCall, array());
|
||||
$this->loginRequired = true;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function fetchUserNotifications() {
|
||||
|
@ -17,6 +17,7 @@ class Request {
|
||||
protected bool $isDisabled;
|
||||
protected bool $apiKeyAllowed;
|
||||
protected int $requiredGroup;
|
||||
protected bool $csrfTokenRequired;
|
||||
|
||||
private array $aDefaultParams;
|
||||
private array $allowedMethods;
|
||||
@ -37,6 +38,7 @@ class Request {
|
||||
$this->allowedMethods = array("GET", "POST");
|
||||
$this->requiredGroup = 0;
|
||||
$this->lastError = "";
|
||||
$this->csrfTokenRequired = false;
|
||||
}
|
||||
|
||||
protected function forbidMethod($method) {
|
||||
@ -111,13 +113,13 @@ class Request {
|
||||
}
|
||||
|
||||
if($this->loginRequired || $this->requiredGroup > 0) {
|
||||
$authorized = false;
|
||||
$apiKeyAuthorized = false;
|
||||
if(isset($values['api_key']) && $this->apiKeyAllowed) {
|
||||
$apiKey = $values['api_key'];
|
||||
$authorized = $this->user->authorize($apiKey);
|
||||
$apiKeyAuthorized = $this->user->authorize($apiKey);
|
||||
}
|
||||
|
||||
if(!$this->user->isLoggedIn() && !$authorized) {
|
||||
if(!$this->user->isLoggedIn() && !$apiKeyAuthorized) {
|
||||
$this->lastError = 'You are not logged in.';
|
||||
header('HTTP 1.1 401 Unauthorized');
|
||||
return false;
|
||||
@ -125,6 +127,14 @@ class Request {
|
||||
$this->lastError = "Insufficient permissions. Required group: ". GroupName($this->requiredGroup);
|
||||
header('HTTP 1.1 401 Unauthorized');
|
||||
return false;
|
||||
} else if($this->csrfTokenRequired && !$apiKeyAuthorized && $this->externalCall) {
|
||||
// csrf token required + external call
|
||||
// if it's not a call with API_KEY, check for csrf_token
|
||||
if (!isset($values["csrf_token"]) || strcmp($values["csrf_token"], $this->user->getSession()->getCsrfToken()) !== 0) {
|
||||
$this->lastError = "CSRF-Token mismatch";
|
||||
header('HTTP 1.1 403 Forbidden');
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -17,6 +17,7 @@ class SetLanguage extends Request {
|
||||
'langId' => new Parameter('langId', Parameter::TYPE_INT, true, NULL),
|
||||
'langCode' => new StringType('langCode', 5, true, NULL),
|
||||
));
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function checkLanguage() {
|
||||
|
@ -20,6 +20,7 @@ class Fetch extends Request {
|
||||
$this->loginRequired = true;
|
||||
$this->requiredGroup = USER_GROUP_ADMIN;
|
||||
$this->userCount = 0;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
private function getUserCount() {
|
||||
|
28
core/Api/User/Info.class.php
Normal file
28
core/Api/User/Info.class.php
Normal file
@ -0,0 +1,28 @@
|
||||
<?php
|
||||
|
||||
namespace Api\User;
|
||||
|
||||
use \Api\Request;
|
||||
|
||||
class Info extends Request {
|
||||
|
||||
public function __construct($user, $externalCall = false) {
|
||||
parent::__construct($user, $externalCall, array());
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
public function execute($values = array()) {
|
||||
if(!parent::execute($values)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!$this->user->isLoggedIn()) {
|
||||
$this->result["loggedIn"] = false;
|
||||
} else {
|
||||
$this->result["loggedIn"] = true;
|
||||
}
|
||||
|
||||
$this->result["user"] = $this->user->jsonSerialize();
|
||||
return $this->success;
|
||||
}
|
||||
}
|
@ -65,6 +65,7 @@ class Login extends Request {
|
||||
if(!($this->success = $this->user->createSession($uid, $stayLoggedIn))) {
|
||||
return $this->createError("Error creating Session: " . $sql->getLastError());
|
||||
} else {
|
||||
$this->result["loggedIn"] = true;
|
||||
$this->result['logoutIn'] = $this->user->getSession()->getExpiresSeconds();
|
||||
$this->success = true;
|
||||
}
|
||||
|
@ -10,6 +10,7 @@ class Logout extends Request {
|
||||
parent::__construct($user, $externalCall);
|
||||
$this->loginRequired = true;
|
||||
$this->apiKeyAllowed = false;
|
||||
$this->csrfTokenRequired = true;
|
||||
}
|
||||
|
||||
public function execute($values = array()) {
|
||||
|
@ -47,6 +47,7 @@ class CreateDatabase {
|
||||
->addString("browser", 64)
|
||||
->addJson("data", false, '{}')
|
||||
->addBool("stay_logged_in", true)
|
||||
->addString("csrf_token", 16 )
|
||||
->primaryKey("uid", "user_id")
|
||||
->foreignKey("user_id", "User", "uid", new CascadeStrategy());
|
||||
|
||||
|
@ -6,4 +6,6 @@ abstract class StaticView {
|
||||
|
||||
public abstract function getCode();
|
||||
|
||||
public function __toString() { return $this->getCode(); }
|
||||
|
||||
}
|
@ -21,7 +21,6 @@ abstract class View extends StaticView {
|
||||
}
|
||||
|
||||
public function getTitle() { return $this->title; }
|
||||
public function __toString() { return $this->getCode(); }
|
||||
public function getDocument() { return $this->document; }
|
||||
public function isSearchable() { return $this->searchable; }
|
||||
public function getReference() { return $this->reference; }
|
||||
|
@ -19,15 +19,17 @@ class Session extends ApiObject {
|
||||
private ?string $os;
|
||||
private ?string $browser;
|
||||
private bool $stayLoggedIn;
|
||||
private string $csrfToken;
|
||||
|
||||
public function __construct(User $user, ?int $sessionId) {
|
||||
public function __construct(User $user, ?int $sessionId, ?string $csrfToken) {
|
||||
$this->user = $user;
|
||||
$this->sessionId = $sessionId;
|
||||
$this->stayLoggedIn = true;
|
||||
$this->csrfToken = $csrfToken ?? generateRandomString(16);
|
||||
}
|
||||
|
||||
public static function create($user, $stayLoggedIn) {
|
||||
$session = new Session($user, null);
|
||||
$session = new Session($user, null, null);
|
||||
if($session->insert($stayLoggedIn)) {
|
||||
return $session;
|
||||
}
|
||||
@ -85,6 +87,7 @@ class Session extends ApiObject {
|
||||
'ipAddress' => $this->ipAddress,
|
||||
'os' => $this->os,
|
||||
'browser' => $this->browser,
|
||||
'csrf_token' => $this->csrfToken
|
||||
);
|
||||
}
|
||||
|
||||
@ -93,7 +96,7 @@ class Session extends ApiObject {
|
||||
$sql = $this->user->getSQL();
|
||||
|
||||
$minutes = Session::DURATION;
|
||||
$columns = array("expires", "user_id", "ipAddress", "os", "browser", "data", "stay_logged_in");
|
||||
$columns = array("expires", "user_id", "ipAddress", "os", "browser", "data", "stay_logged_in", "csrf_token");
|
||||
|
||||
$success = $sql
|
||||
->insert("Session", $columns)
|
||||
@ -104,7 +107,8 @@ class Session extends ApiObject {
|
||||
$this->os,
|
||||
$this->browser,
|
||||
json_encode($_SESSION),
|
||||
$stayLoggedIn)
|
||||
$stayLoggedIn,
|
||||
$this->csrfToken)
|
||||
->returning("uid")
|
||||
->execute();
|
||||
|
||||
@ -135,8 +139,13 @@ class Session extends ApiObject {
|
||||
->set("Session.os", $this->os)
|
||||
->set("Session.browser", $this->browser)
|
||||
->set("Session.data", json_encode($_SESSION))
|
||||
->set("Session.csrf_token", $this->csrfToken)
|
||||
->where(new Compare("Session.uid", $this->sessionId))
|
||||
->where(new Compare("Session.user_id", $this->user->getId()))
|
||||
->execute();
|
||||
}
|
||||
|
||||
public function getCsrfToken(): string {
|
||||
return $this->csrfToken;
|
||||
}
|
||||
}
|
||||
|
@ -71,12 +71,19 @@ class User extends ApiObject {
|
||||
}
|
||||
|
||||
public function jsonSerialize() {
|
||||
if ($this->isLoggedIn()) {
|
||||
return array(
|
||||
'uid' => $this->uid,
|
||||
'name' => $this->username,
|
||||
'language' => $this->language,
|
||||
'session' => $this->session,
|
||||
'groups' => $this->groups,
|
||||
'language' => $this->language->jsonSerialize(),
|
||||
'session' => $this->session->jsonSerialize(),
|
||||
);
|
||||
} else {
|
||||
return array(
|
||||
'language' => $this->language->jsonSerialize(),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
private function reset() {
|
||||
@ -116,7 +123,7 @@ class User extends ApiObject {
|
||||
public function readData($userId, $sessionId, $sessionUpdate = true) {
|
||||
|
||||
$res = $this->sql->select("User.name", "Language.uid as langId", "Language.code as langCode", "Language.name as langName",
|
||||
"Session.data", "Session.stay_logged_in", "Group.uid as groupId", "Group.name as groupName")
|
||||
"Session.data", "Session.stay_logged_in", "Session.csrf_token", "Group.uid as groupId", "Group.name as groupName")
|
||||
->from("User")
|
||||
->innerJoin("Session", "Session.user_id", "User.uid")
|
||||
->leftJoin("Language", "User.language_id", "Language.uid")
|
||||
@ -134,9 +141,10 @@ class User extends ApiObject {
|
||||
$success = false;
|
||||
} else {
|
||||
$row = $res[0];
|
||||
$csrfToken = $row["csrf_token"];
|
||||
$this->username = $row['name'];
|
||||
$this->uid = $userId;
|
||||
$this->session = new Session($this, $sessionId);
|
||||
$this->session = new Session($this, $sessionId, $csrfToken);
|
||||
$this->session->setData(json_decode($row["data"] ?? '{}'));
|
||||
$this->session->stayLoggedIn($row["stay_logged_in"]);
|
||||
if($sessionUpdate) $this->session->update();
|
||||
|
Loading…
Reference in New Issue
Block a user