Merge pull request #5 from SoapBox/feature/prevent-replay-attacks

Jaspaul · web-flow · commit 266ca832ca7e · 2017-04-27T11:38:44.000-04:00
[Feature] Automatic Replay Request Prevention
diff --git a/composer.json b/composer.json
@@ -15,6 +15,7 @@
         "guzzlehttp/guzzle": "^6.2",
         "illuminate/http": "^5.4",
         "illuminate/support": "^5.4",
+        "nesbot/carbon": "^1.22",
         "ramsey/uuid": "^3.6"
     },
     "require-dev": {
diff --git a/resources/config/signed-requests.php b/resources/config/signed-requests.php
@@ -6,10 +6,19 @@
     | The algorithm to sign the request with
     |--------------------------------------------------------------------------
     |
-    | This is the algorithm we'll use to sign the
+    | This is the algorithm we'll use to sign the request.
     */
     'algorithm' => env('SIGNED_REQUEST_ALGORITHM', 'sha256'),
 
+    /*
+    |--------------------------------------------------------------------------
+    | The prefix to use for all of our cache values
+    |--------------------------------------------------------------------------
+    |
+    | This is the prefix we'll use for all of our keys.
+    */
+    'cache-prefix' => env('SIGNED_REQUEST_CACHE_PREFIX', 'signed-requests'),
+
     /*
     |--------------------------------------------------------------------------
     | Available header overrides
@@ -32,5 +41,19 @@
     | key is expected from the environment. You can change this behaviour,
     | however it is not recommended.
     */
-    'key' => env('SIGNED_REQUEST_KEY', 'key')
+    'key' => env('SIGNED_REQUEST_KEY', 'key'),
+
+    /*
+    |--------------------------------------------------------------------------
+    | Allows the management and tolerance of request replay's
+    |--------------------------------------------------------------------------
+    |
+    | This allows you to configure if the middleware should prevent the same
+    | request being replayed to your application, and adjust the tolerance
+    | for request expiry.
+    */
+    'request-replay' => [
+        'allow' => env('SIGNED_REQUEST_ALLOW_REPLAYS', false),
+        'tolerance' => env('SIGNED_REQUEST_TOLERANCE_SECONDS', 30)
+    ],
 ];
diff --git a/src/Exceptions/ExpiredRequestException.php b/src/Exceptions/ExpiredRequestException.php
@@ -0,0 +1,51 @@
+<?php
+
+namespace SoapBox\SignedRequests\Exceptions;
+
+use Exception;
+use Throwable;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
+
+class ExpiredRequestException extends Exception implements HttpExceptionInterface
+{
+    /**
+     * The default exception message.
+     *
+     * @var string
+     */
+    const MESSAGE = 'The provided request has expired';
+
+    /**
+     * Provides a default error message for an expired request.
+     *
+     * @param string $message
+     *        A customizable error message.
+     */
+    public function __construct(string $message = self::MESSAGE)
+    {
+        parent::__construct($message);
+    }
+
+    /**
+     * Returns an HTTP BAD REQUEST status code.
+     *
+     * @return int
+     *         An HTTP BAD REQUEST response status code
+     */
+    public function getStatusCode()
+    {
+        return Response::HTTP_BAD_REQUEST;
+    }
+
+    /**
+     * Returns response headers.
+     *
+     * @return array
+     *         Response headers
+     */
+    public function getHeaders()
+    {
+        return [];
+    }
+}
diff --git a/src/Middlewares/VerifySignature.php b/src/Middlewares/VerifySignature.php
@@ -4,8 +4,10 @@
 
 use Closure;
 use Illuminate\Http\Request;
-use Illuminate\Contracts\Config\Repository;
 use SoapBox\SignedRequests\Requests\Verifier;
+use Illuminate\Contracts\Cache\Repository as Cache;
+use Illuminate\Contracts\Config\Repository as Configurations;
+use SoapBox\SignedRequests\Exceptions\ExpiredRequestException;
 use SoapBox\SignedRequests\Exceptions\InvalidSignatureException;
 
 class VerifySignature
@@ -17,17 +19,28 @@ class VerifySignature
      */
     protected $configurations;
 
+    /**
+     * An instance of the cache repository.
+     *
+     * @var \Illuminate\Contracts\Cache\Repository
+     */
+    protected $cache;
+
     /**
      * Expect an instance of the configurations repository so we can lookup
      * where to find our signature, algorithm, and key from.
      *
      * @param \Illuminate\Contracts\Config\Repository $configurations
      *        An instance of the Illuminate configurations repository to lookup
      *        configurations with.
+     * @param \Illuminate\Contracts\Cache\Repository $cache
+     *        An instance of the Illuminate cache repository for preventing
+     *        replay attacks.
      */
-    public function __construct(Repository $configurations)
+    public function __construct(Configurations $configurations, Cache $cache)
     {
         $this->configurations = $configurations;
+        $this->cache = $cache;
     }
 
     /**
@@ -36,6 +49,10 @@ public function __construct(Repository $configurations)
      *
      * @throws \SoapBox\SignedRequests\Exceptions\InvalidSignatureException
      *         Thrown when the signature of the request is not valid.
+     * @throws \SoapBox\SignedRequests\Exceptions\ExpiredRequestException
+     *         Thrown if request replays are disabled and either the request
+     *         timestamp is outside the window of tolerance, or the request has
+     *         previously been served.
      *
      * @param  \Illuminate\Http\Request $request
      *         An instance of the request.
@@ -48,6 +65,22 @@ public function handle(Request $request, Closure $next)
     {
         $signed = new Verifier($request);
 
+        $key = sprintf(
+            '%s.%s',
+            $this->configurations->get('signed-requests.cache-prefix'),
+            $signed->getId()
+        );
+
+        $tolerance = $this->configurations->get('signed-requests.request-replay.tolerance');
+
+        if (false == $this->configurations->get('signed-requests.request-replay.allow')) {
+            $isExpired = $signed->isExpired($tolerance);
+
+            if ($isExpired || $this->cache->has($key)) {
+                throw new ExpiredRequestException();
+            }
+        }
+
         $signed
             ->setSignatureHeader($this->configurations->get('signed-requests.headers.signature'))
             ->setAlgorithmHeader($this->configurations->get('signed-requests.headers.algorithm'));
@@ -56,6 +89,8 @@ public function handle(Request $request, Closure $next)
             throw new InvalidSignatureException();
         }
 
+        $this->cache->put($key, $key, $tolerance / 60);
+
         return $next($request);
     }
 }
diff --git a/src/Requests/Generator.php b/src/Requests/Generator.php
@@ -2,6 +2,7 @@
 
 namespace SoapBox\SignedRequests\Requests;
 
+use Carbon\Carbon;
 use Ramsey\Uuid\Uuid;
 use GuzzleHttp\Psr7\Request;
 use SoapBox\SignedRequests\Signature;
@@ -47,6 +48,7 @@ public function sign(Request $request) : Request
         $key = $this->repository->get('signed-requests.key');
 
         $request = $request->withHeader('X-SIGNED-ID', (string) Uuid::uuid4());
+        $request = $request->withHeader('X-SIGNED-TIMESTAMP', (string) Carbon::now());
 
         $signature = new Signature(new Payload($request), $algorithm, $key);
 
diff --git a/src/Requests/Payload.php b/src/Requests/Payload.php
@@ -41,10 +41,13 @@ protected function generateFromGuzzleRequest(GuzzleRequest $request) : string
     {
         $id = isset($this->request->getHeader('X-SIGNED-ID')[0]) ?
             $this->request->getHeader('X-SIGNED-ID')[0] : '';
+        $timestamp = isset($this->request->getHeader('X-SIGNED-TIMESTAMP')[0]) ?
+            $this->request->getHeader('X-SIGNED-TIMESTAMP')[0] : '';
 
         return json_encode([
             'id' => (string) $id,
             'method' => $this->request->getMethod(),
+            'timestamp' => $timestamp,
             'uri' => (string) $this->request->getUri(),
             'content' => $this->request->getBody()
         ], JSON_UNESCAPED_SLASHES);
@@ -62,10 +65,12 @@ protected function generateFromGuzzleRequest(GuzzleRequest $request) : string
     protected function generateFromIlluminateRequest(IlluminateRequest $request) : string
     {
         $id = $this->request->headers->get('X-SIGNED-ID', '');
+        $timestamp = $this->request->headers->get('X-SIGNED-TIMESTAMP', '');
 
         return json_encode([
             'id' => (string) $id,
             'method' => $this->request->getMethod(),
+            'timestamp' => $timestamp,
             'uri' => (string) $this->request->fullUrl(),
             'content' => $this->request->getContent()
         ], JSON_UNESCAPED_SLASHES);
diff --git a/src/Requests/Verifier.php b/src/Requests/Verifier.php
@@ -2,6 +2,7 @@
 
 namespace SoapBox\SignedRequests\Requests;
 
+use Carbon\Carbon;
 use Illuminate\Http\Request;
 use SoapBox\SignedRequests\Signature;
 use SoapBox\SignedRequests\Requests\Payload;
@@ -172,4 +173,33 @@ public function isValid(string $key) : bool
 
         return $signature->equals($this->getSignature());
     }
+
+    /**
+     * Checks if this request was issued within tolerance seconds of now.
+     *
+     * @param int $tolerance
+     *        The number of seconds we'll tolerate for a request delay.
+     *
+     * @return bool
+     *         true if the request was issued within tolerance seconds, false
+     *         otherwise.
+     */
+    public function isExpired(int $tolerance) : bool
+    {
+        $issuedAt =
+            Carbon::parse($this->headers->get('X-SIGNED-TIMESTAMP', '1901-01-01 12:00:00'));
+
+        return Carbon::now()->diffInSeconds($issuedAt) > 60;
+    }
+
+    /**
+     * Returns the X-SIGNED-ID header value.
+     *
+     * @return string
+     *         The configured header.
+     */
+    public function getId() : string
+    {
+        return $this->headers->get('X-SIGNED-ID', '');
+    }
 }
diff --git a/tests/Exceptions/ExpiredRequestExceptionTest.php b/tests/Exceptions/ExpiredRequestExceptionTest.php
@@ -0,0 +1,48 @@
+<?php
+
+namespace Tests\Exceptions;
+
+use Tests\TestCase;
+use Symfony\Component\HttpFoundation\Response;
+use SoapBox\SignedRequests\Exceptions\ExpiredRequestException;
+
+class ExpiredRequestExceptionTest extends TestCase
+{
+    /**
+     * @test
+     */
+    public function an_invalid_signature_exception_is_constructed_with_a_default_message()
+    {
+        $exception = new ExpiredRequestException();
+        $this->assertEquals(ExpiredRequestException::MESSAGE, $exception->getMessage());
+    }
+
+    /**
+     * @test
+     */
+    public function the_message_for_the_exception_can_be_overwritten_during_construction()
+    {
+        $message = "So broken";
+        $exception = new ExpiredRequestException($message);
+        $this->assertNotEquals(ExpiredRequestException::MESSAGE, $exception->getMessage());
+        $this->assertEquals($message, $exception->getMessage());
+    }
+
+    /**
+     * @test
+     */
+    public function it_returns_a_bad_request_status_code()
+    {
+        $exception = new ExpiredRequestException();
+        $this->assertEquals(Response::HTTP_BAD_REQUEST, $exception->getStatusCode());
+    }
+
+    /**
+     * @test
+     */
+    public function it_returns_an_empty_set_of_response_headers()
+    {
+        $exception = new ExpiredRequestException();
+        $this->assertEmpty($exception->getHeaders());
+    }
+}
diff --git a/tests/Middlewares/VerifySignatureTest.php b/tests/Middlewares/VerifySignatureTest.php
diff --git a/tests/Requests/PayloadTest.php b/tests/Requests/PayloadTest.php
diff --git a/tests/Requests/VerifierTest.php b/tests/Requests/VerifierTest.php
