dispense AntiForgery from HttpContext

Machometec · Machometec · commit 72bff505ccb8 · 2024-03-11T00:45:42.000-04:00
diff --git a/lib/Endpoint/Filters/ValidateAntiForgery.php b/lib/Endpoint/Filters/ValidateAntiForgery.php
@@ -26,9 +26,17 @@ public function __invoke(ActionContext $context, ActionDelegate $next): Task
             throw new AntiForgeryException("Unable to get IAntiForgery service, make sure to register it as a service!");
         }
 
-        $result = $antiForgery->validateToken($context->HttpContext);
+        $method = $context->HttpContext->Request->Method;
+        if ($method == 'GET') {
+            return next($context);
+        }
+
+        $formToken = $context->HttpContext->Request->Form->getValue($antiForgery->options->FieldName);
+        $headerToken = $context->HttpContext->Request->Headers->getValues($antiForgery->options->FieldName)[0] ?? null;
+        $formResult = $antiForgery->validateToken($formToken);
+        $headerResult = $antiForgery->validateToken($headerToken);
 
-        if (!$result) {
+        if (!$formResult && !$headerResult) {
             throw new AntiForgeryException("Invalid AntiForgery Token!", 403);
         }
 
diff --git a/lib/Security/Session.php b/lib/Security/Session.php
@@ -14,17 +14,17 @@ class Session
     private string $name;
     private array $options = [];
 
-    public function __construct(string $name, ?int $lifetime = null, ?string $path = null)
+    public function __construct(string $name, string $path = '/', ?int $lifetime = null)
     {
         $this->name = $name;
         $this->options['name'] = $name;
 
-        if (isset($lifetime)) {
-            $this->options['cookie_lifetime'] = $lifetime;
+        if (!empty($path)) {
+            $this->options['cookie_path'] = $path;
         }
 
-        if (isset($path)) {
-            $this->options['cookie_path'] = $path;
+        if (isset($lifetime)) {
+            $this->options['cookie_lifetime'] = $lifetime;
         }
 
         if (isset($_COOKIE[$name])) {
diff --git a/lib/Security/Tokens/Csrf/Antiforgery.php b/lib/Security/Tokens/Csrf/Antiforgery.php
@@ -9,7 +9,6 @@
 namespace DevNet\Web\Security\Tokens\Csrf;
 
 use DevNet\System\PropertyTrait;
-use DevNet\Web\Http\Message\HttpContext;
 
 class AntiForgery implements IAntiForgery
 {
@@ -21,10 +20,6 @@ class AntiForgery implements IAntiForgery
 
     public function __construct(AntiForgeryOptions $options)
     {
-        if ($options->Cookie->HttpOnly === null) {
-            $options->Cookie->HttpOnly = true;
-        }
-
         $this->options   = $options;
         $this->generator = new AntiForgeryTokenGenerator();
         $this->store     = new AntiForgeryTokenStore($options);
@@ -47,22 +42,9 @@ public function getToken(): AntiForgeryToken
         return $token;
     }
 
-    public function validateToken(HttpContext $httpContext): bool
+    public function validateToken(string $token): bool
     {
-        $method = $httpContext->Request->Method;
-        if ($method == "GET") {
-            return true;
-        }
-
-        $token = $this->getToken();
-
-        $formToken = $httpContext->Request->Form->getValue($this->options->FieldName);
-        if ($formToken == $token) {
-            return true;
-        }
-
-        $headerToken = $httpContext->Request->Headers->getValues($this->options->FieldName)[0] ?? null;
-        if ($headerToken == $token) {
+        if ($this->getToken() == $token) {
             return true;
         }
 
diff --git a/lib/Security/Tokens/Csrf/AntiforgeryOptions.php b/lib/Security/Tokens/Csrf/AntiforgeryOptions.php
@@ -8,19 +8,15 @@
 
 namespace DevNet\Web\Security\Tokens\Csrf;
 
-use DevNet\System\Runtime\LauncherProperties;
-use DevNet\Web\Http\Message\CookieOptions;
-
 class AntiForgeryOptions
 {
-    public CookieOptions $Cookie;
     public string $CookieName = "AntiForgery";
+    public string $CookiePath = "/";
     public string $FieldName  = "X-CSRF-TOKEN";
     public string $HeaderName = "X-XSRF-TOKEN";
 
     public function __construct()
     {
-        $this->Cookie     = new CookieOptions();
-        $this->CookieName = $this->CookieName . "-" . md5($this->CookieName . LauncherProperties::getRootDirectory());;
+        $this->CookieName = $this->CookieName . "-" . md5($this->CookieName . $_SERVER['DOCUMENT_ROOT']);;
     }
 }
diff --git a/lib/Security/Tokens/Csrf/AntiforgeryTokenGenerator.php b/lib/Security/Tokens/Csrf/AntiforgeryTokenGenerator.php
@@ -8,8 +8,6 @@
 
 namespace DevNet\Web\Security\Tokens\Csrf;
 
-use DevNet\Web\Http\Message\HttpContext;
-
 class AntiForgeryTokenGenerator
 {
     public function generateCookieToken(): AntiForgeryToken
@@ -21,15 +19,4 @@ public function generateRequestToken(string $cookieToken): AntiForgeryToken
     {
         return new AntiForgeryToken($cookieToken);
     }
-
-    public function matchTokens(HttpContext $httpContext, $tokens): bool
-    {
-        $formToken = $httpContext->Request->Form->getValue($tokens->FormFieldName);
-
-        if ($tokens->RequestToken == $formToken) {
-            return true;
-        }
-
-        return false;
-    }
 }
diff --git a/lib/Security/Tokens/Csrf/AntiforgeryTokenSet.php b/lib/Security/Tokens/Csrf/AntiforgeryTokenSet.php
diff --git a/lib/Security/Tokens/Csrf/AntiforgeryTokenStore.php b/lib/Security/Tokens/Csrf/AntiforgeryTokenStore.php
@@ -16,7 +16,7 @@ class AntiForgeryTokenStore
 
     public function __construct(AntiForgeryOptions $options)
     {
-        $this->session = new Session($options->CookieName);
+        $this->session = new Session($options->CookieName, $options->CookieName);
     }
 
     public function saveCookieToken(AntiForgeryToken $token): void
diff --git a/lib/Security/Tokens/Csrf/IAntiforgery.php b/lib/Security/Tokens/Csrf/IAntiforgery.php
@@ -8,11 +8,9 @@
 
 namespace DevNet\Web\Security\Tokens\Csrf;
 
-use DevNet\Web\Http\Message\HttpContext;
-
 interface IAntiForgery
 {
     public function getToken(): AntiForgeryToken;
 
-    public function validateToken(HttpContext $httpContext): bool;
+    public function validateToken(string $token): bool;
 }

Original file line number	Diff line number	Diff line change
`@@ -14,17 +14,17 @@ class Session`
`14`	`14`	`private string $name;`
`15`	`15`	`private array $options = [];`
`16`	`16`
`17`		`- public function __construct(string $name, ?int $lifetime = null, ?string $path = null)`
	`17`	`+ public function __construct(string $name, string $path = '/', ?int $lifetime = null)`
`18`	`18`	`{`
`19`	`19`	`$this->name = $name;`
`20`	`20`	`$this->options['name'] = $name;`
`21`	`21`
`22`		`- if (isset($lifetime)) {`
`23`		`- $this->options['cookie_lifetime'] = $lifetime;`
	`22`	`+ if (!empty($path)) {`
	`23`	`+ $this->options['cookie_path'] = $path;`
`24`	`24`	`}`
`25`	`25`
`26`		`- if (isset($path)) {`
`27`		`- $this->options['cookie_path'] = $path;`
	`26`	`+ if (isset($lifetime)) {`
	`27`	`+ $this->options['cookie_lifetime'] = $lifetime;`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`if (isset($_COOKIE[$name])) {`
Original file line number	Diff line number	Diff line change
`@@ -8,19 +8,15 @@`
`8`	`8`
`9`	`9`	`namespace DevNet\Web\Security\Tokens\Csrf;`
`10`	`10`
`11`		`-use DevNet\System\Runtime\LauncherProperties;`
`12`		`-use DevNet\Web\Http\Message\CookieOptions;`
`13`		`-`
`14`	`11`	`class AntiForgeryOptions`
`15`	`12`	`{`
`16`		`- public CookieOptions $Cookie;`
`17`	`13`	`public string $CookieName = "AntiForgery";`
	`14`	`+ public string $CookiePath = "/";`
`18`	`15`	`public string $FieldName = "X-CSRF-TOKEN";`
`19`	`16`	`public string $HeaderName = "X-XSRF-TOKEN";`
`20`	`17`
`21`	`18`	`public function __construct()`
`22`	`19`	`{`
`23`		`- $this->Cookie = new CookieOptions();`
`24`		`- $this->CookieName = $this->CookieName . "-" . md5($this->CookieName . LauncherProperties::getRootDirectory());;`
	`20`	`+ $this->CookieName = $this->CookieName . "-" . md5($this->CookieName . $_SERVER['DOCUMENT_ROOT']);;`
`25`	`21`	`}`
`26`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,6 @@`
`8`	`8`
`9`	`9`	`namespace DevNet\Web\Security\Tokens\Csrf;`
`10`	`10`
`11`		`-use DevNet\Web\Http\Message\HttpContext;`
`12`		`-`
`13`	`11`	`class AntiForgeryTokenGenerator`
`14`	`12`	`{`
`15`	`13`	`public function generateCookieToken(): AntiForgeryToken`
`@@ -21,15 +19,4 @@ public function generateRequestToken(string $cookieToken): AntiForgeryToken`
`21`	`19`	`{`
`22`	`20`	`return new AntiForgeryToken($cookieToken);`
`23`	`21`	`}`
`24`		`-`
`25`		`- public function matchTokens(HttpContext $httpContext, $tokens): bool`
`26`		`- {`
`27`		`- $formToken = $httpContext->Request->Form->getValue($tokens->FormFieldName);`
`28`		`-`
`29`		`- if ($tokens->RequestToken == $formToken) {`
`30`		`- return true;`
`31`		`- }`
`32`		`-`
`33`		`- return false;`
`34`		`- }`
`35`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ class AntiForgeryTokenStore`
`16`	`16`
`17`	`17`	`public function __construct(AntiForgeryOptions $options)`
`18`	`18`	`{`
`19`		`- $this->session = new Session($options->CookieName);`
	`19`	`+ $this->session = new Session($options->CookieName, $options->CookieName);`
`20`	`20`	`}`
`21`	`21`
`22`	`22`	`public function saveCookieToken(AntiForgeryToken $token): void`
Original file line number	Diff line number	Diff line change
`@@ -8,11 +8,9 @@`
`8`	`8`
`9`	`9`	`namespace DevNet\Web\Security\Tokens\Csrf;`
`10`	`10`
`11`		`-use DevNet\Web\Http\Message\HttpContext;`
`12`		`-`
`13`	`11`	`interface IAntiForgery`
`14`	`12`	`{`
`15`	`13`	`public function getToken(): AntiForgeryToken;`
`16`	`14`
`17`		`- public function validateToken(HttpContext $httpContext): bool;`
	`15`	`+ public function validateToken(string $token): bool;`
`18`	`16`	`}`