mirror of
https://github.com/skipperbent/simple-php-router.git
synced 2026-06-14 09:43:42 +03:00
[FEATURE] Csrf token
- Added functionality to CsrfToken class. - Added header support to Request class. - Added option to set BaseCsrfVerifier class in RouterBase and SimpleRouter.
This commit is contained in:
Simon Sessingø
@@ -3,22 +3,21 @@ namespace Pecee;
|
||||
|
||||
class CsrfToken {
|
||||
|
||||
const CSRF_KEY = 'csrf';
|
||||
const CSRF_KEY = 'XSRF-TOKEN';
|
||||
|
||||
protected $token;
|
||||
|
||||
public function __construct() {
|
||||
$this->lastToken = isset($_SESSION[self::CSRF_KEY]) ? $_SESSION[self::CSRF_KEY] : null;
|
||||
$this->currentToken = $this->generate();
|
||||
|
||||
$_COOKIE[self::CSRF_KEY] = $this->currentToken;
|
||||
if($this->getToken() === null) {
|
||||
$this->setToken($this->generateToken());
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate random identifier for CSRF token
|
||||
* @return string
|
||||
*/
|
||||
public static function generate() {
|
||||
public static function generateToken() {
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
return bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
|
||||
}
|
||||
@@ -32,10 +31,23 @@ class CsrfToken {
|
||||
* @return bool
|
||||
*/
|
||||
public function validate($token) {
|
||||
return hash_equals($token, $this->getCurrentToken());
|
||||
if($token !== null && $this->getToken() !== null) {
|
||||
return hash_equals($token, $this->getToken());
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set csrf token cookie
|
||||
*
|
||||
* @param $token
|
||||
*/
|
||||
public function setToken($token) {
|
||||
setcookie(self::CSRF_KEY, $token, time() + 60 * 120, '/');
|
||||
}
|
||||
|
||||
/**
|
||||
* Get csrf token
|
||||
* @return string|null
|
||||
*/
|
||||
public function getToken(){
|
||||
|
||||
33
src/Pecee/Http/Middleware/BaseCsrfVerifier.php
Normal file
33
src/Pecee/Http/Middleware/BaseCsrfVerifier.php
Normal file
@@ -0,0 +1,33 @@
|
||||
<?php
|
||||
|
||||
namespace Pecee\Http\Middleware;
|
||||
|
||||
use Pecee\CsrfToken;
|
||||
use Pecee\Http\Request;
|
||||
use Pecee\SimpleRouter\RouterException;
|
||||
|
||||
class BaseCsrfVerifier extends Middleware {
|
||||
|
||||
const POST_KEY = 'csrf-token';
|
||||
const HEADER_KEY = 'X-CSRF-TOKEN';
|
||||
|
||||
public function handle(Request $request) {
|
||||
|
||||
if($request->getMethod() != 'get') {
|
||||
|
||||
$token = (isset($_POST[self::POST_KEY])) ? $_POST[self::POST_KEY] : null;
|
||||
|
||||
// If the token is not posted, check headers for valid x-csrf-token
|
||||
if($token === null) {
|
||||
$token = $request->getHeader(self::HEADER_KEY);
|
||||
}
|
||||
|
||||
$tokenValidator = new CsrfToken();
|
||||
if( !$tokenValidator->validate( $token ) ) {
|
||||
throw new RouterException('Invalid csrf-token.');
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
@@ -7,7 +7,5 @@ use Pecee\SimpleRouter\RouterEntry;
|
||||
|
||||
abstract class Middleware
|
||||
{
|
||||
public function handle(Request $request) {
|
||||
return true;
|
||||
}
|
||||
abstract function handle(Request $request);
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
<?php
|
||||
|
||||
namespace Pecee\Http\Middleware;
|
||||
|
||||
class VerifyCsrfToken extends Middleware {
|
||||
|
||||
|
||||
|
||||
}
|
||||
@@ -6,11 +6,13 @@ class Request {
|
||||
protected $uri;
|
||||
protected $host;
|
||||
protected $method;
|
||||
protected $headers;
|
||||
|
||||
public function __construct() {
|
||||
$this->host = $_SERVER['HTTP_HOST'];
|
||||
$this->uri = rtrim($_SERVER['REQUEST_URI'], '/') . '/';
|
||||
$this->method = (isset($_POST['_method'])) ? strtolower($_POST['_method']) : strtolower($_SERVER['REQUEST_METHOD']);
|
||||
$this->headers = getallheaders();
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -50,4 +52,21 @@ class Request {
|
||||
return (isset($_SERVER['PHP_AUTH_PW'])) ? $_SERVER['PHP_AUTH_PW']: null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get headers
|
||||
* @return array
|
||||
*/
|
||||
public function getHeaders() {
|
||||
return $this->headers;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get header value by name
|
||||
* @param string $name
|
||||
* @return string|null
|
||||
*/
|
||||
public function getHeader($name) {
|
||||
return (isset($this->headers[$name])) ? $this->headers[$name] : null;
|
||||
}
|
||||
|
||||
}
|
||||
@@ -2,6 +2,7 @@
|
||||
namespace Pecee\SimpleRouter;
|
||||
|
||||
use Pecee\ArrayUtil;
|
||||
use Pecee\Http\Middleware\BaseCsrfVerifier;
|
||||
use Pecee\Http\Request;
|
||||
use Pecee\Url;
|
||||
|
||||
@@ -17,6 +18,7 @@ class RouterBase {
|
||||
protected $backstack;
|
||||
protected $loadedRoute;
|
||||
protected $defaultNamespace;
|
||||
protected $baseCsrfVerifier;
|
||||
|
||||
// TODO: make interface for controller routers, so they can be easily detected
|
||||
// TODO: clean up - cut some of the methods down to smaller pieces
|
||||
@@ -26,6 +28,7 @@ class RouterBase {
|
||||
$this->backstack = array();
|
||||
$this->controllerUrlMap = array();
|
||||
$this->request = new Request();
|
||||
$this->baseCsrfVerifier = new BaseCsrfVerifier();
|
||||
}
|
||||
|
||||
public function addRoute(RouterEntry $route) {
|
||||
@@ -85,8 +88,16 @@ class RouterBase {
|
||||
}
|
||||
|
||||
public function routeRequest() {
|
||||
// Loop through each route-request
|
||||
|
||||
// Verify csrf token for request
|
||||
if($this->baseCsrfVerifier !== null) {
|
||||
/* @var $csrfVerifier BaseCsrfVerifier */
|
||||
$csrfVerifier = $this->baseCsrfVerifier;
|
||||
$csrfVerifier = new $csrfVerifier();
|
||||
$csrfVerifier->handle($this->request);
|
||||
}
|
||||
|
||||
// Loop through each route-request
|
||||
$this->processRoutes($this->routes);
|
||||
|
||||
// Make sure the urls is in the right order when comparing
|
||||
@@ -100,7 +111,6 @@ class RouterBase {
|
||||
foreach($this->controllerUrlMap as $route) {
|
||||
$routeMatch = $route->matchRoute($this->request);
|
||||
|
||||
|
||||
if($routeMatch && !($routeMatch instanceof RouterGroup)) {
|
||||
|
||||
if(count($route->getRequestMethods()) && !in_array($this->request->getMethod(), $route->getRequestMethods())) {
|
||||
@@ -179,6 +189,25 @@ class RouterBase {
|
||||
return $this->request;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get base csrf verifier class
|
||||
* @return BaseCsrfVerifier
|
||||
*/
|
||||
public function getBaseCsrfVerifier() {
|
||||
return $this->baseCsrfVerifier;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set base csrf verifier class
|
||||
*
|
||||
* @param BaseCsrfVerifier $baseCsrfVerifier
|
||||
* @return self
|
||||
*/
|
||||
public function setBaseCsrfVerifier(BaseCsrfVerifier $baseCsrfVerifier) {
|
||||
$this->baseCsrfVerifier = $baseCsrfVerifier;
|
||||
return $this;
|
||||
}
|
||||
|
||||
protected function processUrl($route, $method = null, $parameters = null, $getParams = null) {
|
||||
|
||||
$url = $route->getUrl();
|
||||
|
||||
@@ -9,14 +9,29 @@
|
||||
|
||||
namespace Pecee\SimpleRouter;
|
||||
|
||||
use Pecee\Http\Middleware\BaseCsrfVerifier;
|
||||
|
||||
class SimpleRouter {
|
||||
|
||||
/**
|
||||
* Start/route request
|
||||
* @param null $defaultNamespace
|
||||
* @throws RouterException
|
||||
*/
|
||||
public static function start($defaultNamespace = null) {
|
||||
$router = RouterBase::GetInstance();
|
||||
$router->setDefaultNamespace($defaultNamespace);
|
||||
$router->routeRequest();
|
||||
}
|
||||
|
||||
/**
|
||||
* Set base csrf verifier
|
||||
* @param BaseCsrfVerifier $baseCsrfVerifier
|
||||
*/
|
||||
public static function csrfVerifier(BaseCsrfVerifier $baseCsrfVerifier) {
|
||||
RouterBase::getInstance()->setBaseCsrfVerifier($baseCsrfVerifier);
|
||||
}
|
||||
|
||||
public static function get($url, $callback, array $settings = null) {
|
||||
$route = new RouterRoute($url, $callback);
|
||||
$route->addSettings($settings);
|
||||
|
||||
Reference in New Issue
Block a user