Merge branch 'develop'

Author: nomadicjosh

.env.example

@@ -2,6 +2,7 @@
 APP_NAME=CodefyPHP
 APP_ENV=development
 APP_KEY=changeme
+APP_SALT=pleasechangeme
 APP_DEBUG=false
 APP_BASE_PATH=
 APP_BASE_URL=http://localhost:8080
@@ -18,6 +19,7 @@ MAILER_FROM_NAME="${APP_NAME}"
 MAILER_SENDMAIL_PATH=
 
 # Database setup.
+DB_CONNECTION=default
 DB_DRIVER=mysql
 DB_HOST=localhost
 DB_NAME=test

.gitignore

@@ -2,6 +2,7 @@ App/Domain/Post
 App/Domain/PostType
 App/Domain/Site
 App/Domain/User
+App/Infrastructure/Http/Middleware/UserAuthMiddleware.php
 database/migrations/.migrations.log
 resources/views/*.tpl
 storage/logs/*.log

App/Infrastructure/Http/Controllers/HomeController.php

@@ -5,11 +5,26 @@
 namespace App\Infrastructure\Http\Controllers;
 
 use Codefy\Framework\Http\BaseController;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Qubus\Http\Session\SessionService;
+use Qubus\Routing\Router;
 use Qubus\View\Native\Exception\InvalidTemplateNameException;
 use Qubus\View\Native\Exception\ViewException;
+use Qubus\View\Renderer;
 
 final class HomeController extends BaseController
 {
+    public function __construct(
+        SessionService $sessionService,
+        ServerRequestInterface $request,
+        ResponseInterface $response,
+        Router $router,
+        ?Renderer $view = null
+    ) {
+        parent::__construct($sessionService, $request, $response, $router, $view);
+    }
+
     /**
      * @throws ViewException
      * @throws InvalidTemplateNameException

App/Infrastructure/Http/Middleware/CorsMiddleware.php

@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Infrastructure\Http\Middleware;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Qubus\Config\ConfigContainer;
+use Qubus\Exception\Exception;
+
+final class CorsMiddleware implements MiddlewareInterface
+{
+    public function __construct(protected ConfigContainer $configContainer)
+    {
+    }
+
+    /**
+     * @inheritDoc
+     * @throws Exception
+     */
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        $response = $handler->handle($request);
+
+        $origin = $response->getHeaderLine('origin');
+
+        if($this->configContainer->getConfigKey(key: 'cors.access-control-allow-origin')[0] !== '*') {
+            if (!$origin || !in_array($origin, $this->configContainer->getConfigKey(key: 'cors.access-control-allow-origin'))) {
+                return $response;
+            }
+        }
+
+        $headers = $this->configContainer->getConfigKey(key: 'cors');
+
+        foreach($headers as $key => $value) {
+            $response = $response->withAddedHeader($key, implode(separator: ',', array: $value));
+        }
+
+        return $response;
+    }
+}

App/Infrastructure/Http/Middleware/Csrf/CsrfProtectionMiddleware.php

@@ -0,0 +1,108 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Infrastructure\Http\Middleware\Csrf;
+
+use App\Infrastructure\Http\Middleware\Csrf\Traits\CsrfTokenAware;
+use App\Shared\Http\RequestMethod;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Qubus\Config\ConfigContainer;
+use Qubus\Exception\Exception;
+use Qubus\Http\Factories\JsonResponseFactory;
+use Qubus\Http\Session\SessionService;
+
+final class CsrfProtectionMiddleware implements MiddlewareInterface
+{
+    use CsrfTokenAware;
+
+    public function __construct(protected ConfigContainer $configContainer, protected SessionService $sessionService)
+    {
+    }
+
+    /**
+     * @inheritDoc
+     * @throws Exception
+     * @throws \Exception
+     */
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        $response = $handler->handle($request);
+
+        if(true === $this->needsProtection($request) && ! $this->tokensMatch($request)) {
+            return JsonResponseFactory::create(
+                data: 'Bad CSRF Token.',
+                status: $this->configContainer->getConfigKey('csrf.error_status_code')
+            );
+        }
+
+        return $response;
+    }
+
+    /**
+     * Check for methods not defined as safe.
+     *
+     * @param ServerRequestInterface $request
+     * @return bool
+     */
+    private function needsProtection(ServerRequestInterface $request): bool
+    {
+        return RequestMethod::isSafe($request->getMethod()) === false;
+    }
+
+    /**
+     * @throws Exception
+     */
+    private function tokensMatch(ServerRequestInterface $request): bool
+    {
+        $expected = $this->fetchToken($request);
+        $provided = $this->getTokenFromRequest($request);
+
+        return hash_equals($expected, $provided);
+    }
+
+
+    /**
+     * @throws Exception
+     * @throws \Exception
+     */
+    private function fetchToken(ServerRequestInterface $request): string
+    {
+        $token = $request->getAttribute(CsrfTokenMiddleware::SESSION_ATTRIBUTE);
+
+        // Ensure the token stored previously by the CsrfTokenMiddleware is present and has a valid format.
+        if (is_string($token) &&
+            ctype_alnum($token) &&
+            strlen($token) === $this->configContainer->getConfigKey(key: 'csrf.csrf_token_length')
+        ) {
+            return $token;
+        }
+
+        return '';
+    }
+
+    /**
+     * @throws Exception
+     */
+    private function getTokenFromRequest(ServerRequestInterface $request): string
+    {
+        if ($request->hasHeader($this->configContainer->getConfigKey(key: 'csrf.header'))) {
+            return (string) $request->getHeaderLine($this->configContainer->getConfigKey(key: 'csrf.header'));
+        }
+
+        // Handle the case for a POST form.
+        $body = $request->getParsedBody();
+
+        if (is_array(
+            $body) &&
+            isset($body[$this->configContainer->getConfigKey(key: 'csrf.csrf_token')]) &&
+            is_string($body[$this->configContainer->getConfigKey(key: 'csrf.csrf_token')])) {
+            return $body[$this->configContainer->getConfigKey(key: 'csrf.csrf_token')];
+        }
+
+        return '';
+    }
+}

App/Infrastructure/Http/Middleware/Csrf/CsrfSession.php

@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Infrastructure\Http\Middleware\Csrf;
+
+use Qubus\Http\Session\SessionEntity;
+
+use function Qubus\Support\Helpers\is_null__;
+
+final class CsrfSession implements SessionEntity
+{
+    public ?string $csrfToken = null;
+
+    public function withCsrfToken(?string $csrfToken = null): self
+    {
+        $this->csrfToken = $csrfToken;
+
+        return $this;
+    }
+
+    public function equals(string $token): bool
+    {
+        return !is_null__($this->csrfToken) && $this->csrfToken === $token;
+    }
+
+    public function csrfToken(): string|null
+    {
+        return $this->csrfToken;
+    }
+
+    public function clear(): void
+    {
+        if(!empty($this->csrfToken)) {
+            unset($this->csrfToken);
+        }
+    }
+
+    public function isEmpty(): bool
+    {
+        return empty($this->csrfToken);
+    }
+}

App/Infrastructure/Http/Middleware/Csrf/CsrfTokenMiddleware.php

@@ -0,0 +1,85 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Infrastructure\Http\Middleware\Csrf;
+
+use App\Infrastructure\Http\Middleware\Csrf\Traits\CsrfTokenAware;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Qubus\Config\ConfigContainer;
+use Qubus\Exception\Exception;
+use Qubus\Http\Session\SessionService;
+
+final class CsrfTokenMiddleware implements MiddlewareInterface
+{
+    use CsrfTokenAware;
+
+    public const SESSION_ATTRIBUTE = 'CSRF_TOKEN';
+
+    public static CsrfTokenMiddleware $current;
+
+    private string $token;
+
+    public function __construct(protected ConfigContainer $configContainer, protected SessionService $sessionService)
+    {
+        self::$current = $this;
+    }
+
+    /**
+     * @throws Exception
+     */
+    public static function getField(): string
+    {
+        return sprintf(
+            '<input type="hidden" name="%s" value="%s">' . "\n",
+            self::$current->getFieldAttr(),
+            self::$current->token
+        );
+    }
+
+    /**
+     * @throws Exception
+     */
+    public function getFieldAttr(): string
+    {
+        return $this->configContainer->getConfigKey(key: 'csrf.csrf_token', default: '_token');
+    }
+
+    /**
+     * @inheritDoc
+     * @throws Exception
+     * @throws \Exception
+     */
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        SessionService::$options = [
+            'cookie-name' => 'CSRFSESSID',
+            'cookie-lifetime' => (int) $this->configContainer->getConfigKey(key: 'csrf.lifetime', default: 86400),
+        ];
+
+        $session = $this->sessionService->makeSession($request);
+
+        $this->token = $token = $this->prepareToken(session: $session);
+
+        /**
+         * If true, the application will do a header check, if not,
+         * it will expect data submitted via an HTML form tag.
+         */
+        if($this->configContainer->getConfigKey(key: 'csrf.request_header') === true) {
+            $request = $request->withHeader($this->configContainer->getConfigKey(key: 'csrf.header'), $token);
+        }
+
+        $response = $handler->handle(
+            $request
+                ->withAttribute(self::SESSION_ATTRIBUTE, $token)
+        );
+
+        $csrf = $session->get(CsrfSession::class);
+        $csrf->withCsrfToken($token);
+
+        return $this->sessionService->commitSession($response, $session);
+    }
+}

App/Infrastructure/Http/Middleware/Csrf/Traits/CsrfTokenAware.php

@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Infrastructure\Http\Middleware\Csrf\Traits;
+
+use Qubus\Exception\Exception;
+use Qubus\Http\Session\HttpSession;
+
+trait CsrfTokenAware
+{
+    /**
+     * @throws Exception
+     */
+    protected function generateToken(): string
+    {
+        $salt = $this->configContainer->getConfigKey(key: 'csrf.salt');
+
+        return sha1(string: uniqid(prefix: sha1(string: $salt), more_entropy: true));
+    }
+
+    /**
+     * @throws Exception
+     */
+    protected function prepareToken(HttpSession $session): string
+    {
+        // Try to retrieve an existing token from the session.
+        $token = $session->clientSessionId();
+
+        // If token isn't present in the session, we generate a new token.
+        if ($token === '') {
+            $token = $this->generateToken();
+        }
+        return hash_hmac(algo: 'sha256', data: $token, key: $this->configContainer->getConfigKey(key: 'csrf.salt'));
+    }
+
+    /**
+     * @throws Exception
+     */
+    protected function hashEquals(string $knownString, string $userString): bool
+    {
+        return hash_equals(
+            $knownString,
+            hash_hmac(
+                algo: 'sha256',
+                data: $userString,
+                key: $this->configContainer->getConfigKey(key: 'csrf.salt')
+            )
+        );
+    }
+}