consolidate POST session validation.

This commit is contained in:
Greg Sarjeant 2025-06-15 15:10:03 -04:00
parent 9c68f70ccc
commit bc483294ce
5 changed files with 30 additions and 21 deletions


@ -36,6 +36,8 @@ $db = get_db();
$config = ConfigModel::load();
$user = UserModel::load();
// Start a session and generate a CSRF Token
// if there isn't already an active session
Session::start();
Session::generateCsrfToken();
@ -47,6 +49,24 @@ if (strpos($path, $config->basePath) === 0) {
// strip the trailing slash from the resulting route
$path = trim($path, '/');
// if this is a POST, make sure there's a valid session
// if not, redirect to /login or die as appropriate
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if ($path != 'login'){
if (!Session::isValid($_POST['csrf_token'])) {
// Invalid session - redirect to /login
header('Location: ' . $config->basePath . '/login');
exit;
}
} else {
if (!Session::isvalidCsrfToken($_POST['csrf_token'])) {
// Just die if the token is invalid on login
die('Invalid CSRF token');
exit;
}
}
}
// Set content type
header('Content-Type: text/html; charset=utf-8');
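Review bot: `$_POST['csrf_token']` is read unguarded at both checks in the new POST block, so a POST that omits the field raises an undefined-index warning and hands `null` to `hash_equals()` inside `Session`, which is a TypeError under strict types (a deprecation otherwise) instead of a clean rejection; read it once with `$token = $_POST['csrf_token'] ?? '';` and pass `$token` to both calls. The login branch calls `Session::isvalidCsrfToken` with a lowercase `v` — PHP resolves it because method names are case-insensitive, but it should match the declared `isValidCsrfToken` so static analysis and grep find it. `$path != 'login'` should be the strict `$path !== 'login'`, and the `exit;` after `die(...)` is unreachable. Worth a comment either way: because `Session::isValid` folds the logged-in check into the CSRF check, a logged-in user whose token is stale is silently redirected to /login rather than told the token failed, which may be intended but is not obvious from the code.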


@ -19,10 +19,6 @@ class AuthController extends Controller {
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (!Session::validateCsrfToken($_POST['csrf_token'])) {
die('Invalid CSRF token');
}
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';


@ -27,12 +27,6 @@ class HomeController extends Controller {
// Saves the tick and reloads the homepage
public function handleTick(){
if ($_SERVER['REQUEST_METHOD'] === 'POST' and isset($_POST['tick'])) {
// ensure that the session is valid before proceeding
if (!Session::validateCsrfToken($_POST['csrf_token'])) {
// TODO: maybe redirect to login? Maybe with tick preserved?
die('Invalid CSRF token');
}
// save the tick
if (trim($_POST['tick'])){
TickModel::save($_POST['tick']);


@ -17,11 +17,6 @@
public function handlePost(){
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// ensure that the session is valid before proceeding
if (!Session::validateCsrfToken($_POST['csrf_token'])) {
die('Invalid CSRF token');
}
// Get the data we need
global $config;
global $user;


@ -16,20 +16,24 @@ class Session {
}
}
public static function validateCsrfToken($token): bool{
return hash_equals($_SESSION['csrf_token'], $token);
}
public static function getCsrfToken(): string{
return $_SESSION['csrf_token'];
}
public static function isValidCsrfToken($token): bool{
return hash_equals($_SESSION['csrf_token'], $token);
}
public static function isLoggedIn(): bool {
//echo "UserModel ID set: ". isset($_SESSION['user_id']). "<br/>";
//exit;
return isset($_SESSION['user_id']);
}
// A session is valid if the user is logged in and has a valid csrf token
// Test this before processing POST requests
public static function isValid(string $token): bool {
return self::isLoggedIn() && self::isValidCsrfToken($token);
}
public static function end(): void {
$_SESSION = [];
session_destroy();