diff --git a/public/index.php b/public/index.php
index a8e2845..8d25892 100644
--- a/public/index.php
+++ b/public/index.php
@@ -36,6 +36,8 @@
 $db = get_db();
 $config = ConfigModel::load();
 $user = UserModel::load();
+// Start a session and generate a CSRF Token
+// if there isn't already an active session
 Session::start();
 Session::generateCsrfToken();
@@ -47,6 +49,24 @@ if (strpos($path, $config->basePath) === 0) {
 // strip the trailing slash from the resulting route
 $path = trim($path, '/');
+// if this is a POST, make sure there's a valid session
+// if not, redirect to /login or die as appropriate
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    if ($path != 'login'){
+        if (!Session::isValid($_POST['csrf_token'])) {
+            // Invalid session - redirect to /login
+            header('Location: ' . $config->basePath . '/login');
+            exit;
+        }
+    } else {
+        if (!Session::isvalidCsrfToken($_POST['csrf_token'])) {
+            // Just die if the token is invalid on login
+            die('Invalid CSRF token');
+            exit;
+        }
+    }
+}
 // Set content type
 header('Content-Type: text/html; charset=utf-8');
diff --git a/src/Controller/AuthController/AuthController.php b/src/Controller/AuthController/AuthController.php
index 7885317..15bc901 100644
--- a/src/Controller/AuthController/AuthController.php
+++ b/src/Controller/AuthController/AuthController.php
@@ -19,10 +19,6 @@ class AuthController {
         $error = '';
         if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-            if (!Session::validateCsrfToken($_POST['csrf_token'])) {
-                die('Invalid CSRF token');
-            }
             $username = $_POST['username'] ?? '';
             $password = $_POST['password'] ?? '';
diff --git a/src/Controller/HomeController/HomeController.php b/src/Controller/HomeController/HomeController.php
index 1253260..ec98092 100644
--- a/src/Controller/HomeController/HomeController.php
+++ b/src/Controller/HomeController/HomeController.php
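Review bot: `$_POST['csrf_token']` is read with no default in both branches of the new POST gate, so a request that omits the field (or sends it as an array) hands null or an array to `Session::isValid(string $token)` and on to `hash_equals()`, both of which throw a TypeError on PHP 8 — a malformed request becomes a 500 rather than a clean rejection, and what the client then sees depends on how uncaught errors are rendered. Read it once, `$token = $_POST['csrf_token'] ?? '';`, and pass `$token` to both checks. `Session::isvalidCsrfToken(...)` only resolves because PHP method names are case-insensitive; spell it `isValidCsrfToken` to match the definition, compare with `$path !== 'login'`, and drop the unreachable `exit;` after `die(...)`. The gate covers only `POST`; if any route mutates state on another method (none is visible here), that route bypasses it.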
@@ -27,12 +27,6 @@ class HomeController {
     // Saves the tick and reloads the homepage
     public function handleTick(){
         if ($_SERVER['REQUEST_METHOD'] === 'POST' and isset($_POST['tick'])) {
-            // ensure that the session is valid before proceeding
-            if (!Session::validateCsrfToken($_POST['csrf_token'])) {
-                // TODO: maybe redirect to login? Maybe with tick preserved?
-                die('Invalid CSRF token');
-            }
             // save the tick
             if (trim($_POST['tick'])){
                 TickModel::save($_POST['tick']);
diff --git a/src/Controller/MoodController/MoodController.php b/src/Controller/MoodController/MoodController.php
index 08f9fd4..3a23912 100644
--- a/src/Controller/MoodController/MoodController.php
+++ b/src/Controller/MoodController/MoodController.php
@@ -17,11 +17,6 @@
     public function handlePost(){
         if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-            // ensure that the session is valid before proceeding
-            if (!Session::validateCsrfToken($_POST['csrf_token'])) {
-                die('Invalid CSRF token');
-            }
             // Get the data we need
             global $config;
             global $user;
diff --git a/src/Framework/Session/Session.php b/src/Framework/Session/Session.php
index 3a975b3..88ccf58 100644
--- a/src/Framework/Session/Session.php
+++ b/src/Framework/Session/Session.php
@@ -16,20 +16,24 @@ class Session {
         }
     }
-    public static function validateCsrfToken($token): bool{
-        return hash_equals($_SESSION['csrf_token'], $token);
-    }
     public static function getCsrfToken(): string{
         return $_SESSION['csrf_token'];
     }
+    public static function isValidCsrfToken($token): bool{
+        return hash_equals($_SESSION['csrf_token'], $token);
+    }
     public static function isLoggedIn(): bool {
-        //echo "UserModel ID set: ". isset($_SESSION['user_id']). "
"; - //exit; return isset($_SESSION['user_id']); } + // A session is valid if the user is logged in and has a valid csrf token + // Test this before processing POST requests + public static function isValid(string $token): bool { + return self::isLoggedIn() && self::isValidCsrfToken($token); + } + public static function end(): void { $_SESSION = []; session_destroy();