consolidate POST session validation.
This commit is contained in:
parent
9c68f70ccc
commit
bc483294ce
@ -36,6 +36,8 @@ $db = get_db();
|
||||
$config = ConfigModel::load();
|
||||
$user = UserModel::load();
|
||||
|
||||
// Start a session and generate a CSRF Token
|
||||
// if there isn't already an active session
|
||||
Session::start();
|
||||
Session::generateCsrfToken();
|
||||
|
||||
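Review bot: The comment above `Session::start();` / `Session::generateCsrfToken();` says the token is generated "if there isn't already an active session", but from this hunk it is not clear which call that qualifier belongs to, and the difference matters: if `generateCsrfToken()` replaces the token on every request, any form rendered in a second tab (or any page submitted after another page load) fails the CSRF check added further down in this file. I cannot see `generateCsrfToken()` here, so this is a question rather than a defect; please make the intent explicit in the comment, e.g. `// generateCsrfToken() must be a no-op when $_SESSION already holds a token; rotating it per request would invalidate forms already rendered`. If the helper does rotate unconditionally, guard the call with `if (!isset($_SESSION['csrf_token']))` or move the idempotence check into the helper.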
@ -47,6 +49,24 @@ if (strpos($path, $config->basePath) === 0) {
|
||||
// strip the trailing slash from the resulting route
|
||||
$path = trim($path, '/');
|
||||
|
||||
// if this is a POST, make sure there's a valid session
|
||||
// if not, redirect to /login or die as appropriate
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
if ($path != 'login'){
|
||||
if (!Session::isValid($_POST['csrf_token'])) {
|
||||
// Invalid session - redirect to /login
|
||||
header('Location: ' . $config->basePath . '/login');
|
||||
exit;
|
||||
}
|
||||
} else {
|
||||
if (!Session::isvalidCsrfToken($_POST['csrf_token'])) {
|
||||
// Just die if the token is invalid on login
|
||||
die('Invalid CSRF token');
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Set content type
|
||||
header('Content-Type: text/html; charset=utf-8');
|
||||
|
||||
|
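Review bot: Both branches of the new front-controller check read `$_POST['csrf_token']` with no default, so a POST that omits the field (or sends it as `csrf_token[]=...`) raises an undefined-index warning and then hands null or an array to `Session::isValid(string $token)` — a TypeError for a userland typed parameter regardless of strict_types — instead of producing the intended redirect or `die`. Read the field once, with a string guard, before the `if ($path != 'login')` branch: `$token = $_POST['csrf_token'] ?? ''; if (!is_string($token)) { $token = ''; }` and pass `$token` to both `Session::isValid()` and the login-path check. While here, the login branch calls `Session::isvalidCsrfToken` (lower-case v) where the Session class defines `isValidCsrfToken`; PHP resolves method names case-insensitively, but the spelling should match, and the `exit;` after `die('Invalid CSRF token');` is unreachable. `$path != 'login'` is a loose comparison; both operands are strings here, but `!==` is the safer habit in a file that now gates every POST.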
@ -19,10 +19,6 @@ class AuthController extends Controller {
|
||||
$error = '';
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
if (!Session::validateCsrfToken($_POST['csrf_token'])) {
|
||||
die('Invalid CSRF token');
|
||||
}
|
||||
|
||||
$username = $_POST['username'] ?? '';
|
||||
$password = $_POST['password'] ?? '';
|
||||
|
||||
|
@ -27,12 +27,6 @@ class HomeController extends Controller {
|
||||
// Saves the tick and reloads the homepage
|
||||
public function handleTick(){
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST' and isset($_POST['tick'])) {
|
||||
// ensure that the session is valid before proceeding
|
||||
if (!Session::validateCsrfToken($_POST['csrf_token'])) {
|
||||
// TODO: maybe redirect to login? Maybe with tick preserved?
|
||||
die('Invalid CSRF token');
|
||||
}
|
||||
|
||||
// save the tick
|
||||
if (trim($_POST['tick'])){
|
||||
TickModel::save($_POST['tick']);
|
||||
|
@ -17,11 +17,6 @@
|
||||
|
||||
public function handlePost(){
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
// ensure that the session is valid before proceeding
|
||||
if (!Session::validateCsrfToken($_POST['csrf_token'])) {
|
||||
die('Invalid CSRF token');
|
||||
}
|
||||
|
||||
// Get the data we need
|
||||
global $config;
|
||||
global $user;
|
||||
|
@ -16,20 +16,24 @@ class Session {
|
||||
}
|
||||
}
|
||||
|
||||
public static function validateCsrfToken($token): bool{
|
||||
return hash_equals($_SESSION['csrf_token'], $token);
|
||||
}
|
||||
|
||||
public static function getCsrfToken(): string{
|
||||
return $_SESSION['csrf_token'];
|
||||
}
|
||||
|
||||
public static function isValidCsrfToken($token): bool{
|
||||
return hash_equals($_SESSION['csrf_token'], $token);
|
||||
}
|
||||
|
||||
public static function isLoggedIn(): bool {
|
||||
//echo "UserModel ID set: ". isset($_SESSION['user_id']). "<br/>";
|
||||
//exit;
|
||||
return isset($_SESSION['user_id']);
|
||||
}
|
||||
|
||||
// A session is valid if the user is logged in and has a valid csrf token
|
||||
// Test this before processing POST requests
|
||||
public static function isValid(string $token): bool {
|
||||
return self::isLoggedIn() && self::isValidCsrfToken($token);
|
||||
}
|
||||
|
||||
public static function end(): void {
|
||||
$_SESSION = [];
|
||||
session_destroy();
|
||||
|
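Review bot: `isValidCsrfToken($token)` passes `$_SESSION['csrf_token']` and the untyped, caller-supplied `$token` straight to `hash_equals()`; on PHP 8 an array value (e.g. `csrf_token[]=x` in the request) makes `hash_equals()` throw a TypeError, and a session in which the token has not been generated yet produces an undefined-index warning (and a null-argument deprecation on 8.1+) rather than a clean `false`. Guard both operands before comparing: `$expected = $_SESSION['csrf_token'] ?? null;` followed by `return is_string($expected) && is_string($token) && hash_equals($expected, $token);`, so the front controller that now calls this for every POST always gets a boolean. `isValid(string $token)` can stay as it is once the helper below it is defensive; its docblock might add that it is the single entry point for POST gating so nobody reintroduces per-controller checks. `end()` continues past the hunk; if it does not already do so, consider expiring the session cookie after `session_destroy()` (e.g. `setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/'])`), since clearing `$_SESSION` alone leaves the client's cookie in place.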