mevdschee
diff --git a/‎README.md
Lines changed: 11 additions & 0 deletions b/‎README.md
Lines changed: 11 additions & 0 deletions
diff --git a/‎api.php
Lines changed: 64 additions & 61 deletions b/‎api.php
Lines changed: 64 additions & 61 deletions
diff --git a/‎src/Tqdev/PhpCrudApi/Api.php
Lines changed: 3 additions & 3 deletions b/‎src/Tqdev/PhpCrudApi/Api.php
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/Tqdev/PhpCrudApi/Middleware/AjaxOnlyMiddleware.php
Lines changed: 25 additions & 0 deletions b/‎src/Tqdev/PhpCrudApi/Middleware/AjaxOnlyMiddleware.php
Lines changed: 25 additions & 0 deletions
diff --git a/‎src/Tqdev/PhpCrudApi/Middleware/Auth0Middleware.php
Lines changed: 0 additions & 58 deletions b/‎src/Tqdev/PhpCrudApi/Middleware/Auth0Middleware.php
Lines changed: 0 additions & 58 deletions
diff --git a/‎src/Tqdev/PhpCrudApi/Middleware/Base/Middleware.php
Lines changed: 5 additions & 0 deletions b/‎src/Tqdev/PhpCrudApi/Middleware/Base/Middleware.php
Lines changed: 5 additions & 0 deletions
diff --git a/‎src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php
Lines changed: 0 additions & 5 deletions b/‎src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php
Lines changed: 0 additions & 5 deletions
@@ -143,6 +143,8 @@ You can enable the following middleware using the "middlewares" config parameter
 
 - "firewall": Limit access to specific IP addresses
 - "cors": Support for CORS requests (enabled by default)
+- "xsrf": Block XSRF attacks using the 'Double Submit Cookie' method
+- "ajaxOnly": Allow only AJAX requests to prevent XSRF attacks
 - "jwtAuth": Support for "Basic Authentication"
 - "basicAuth": Support for "Basic Authentication"
 - "authorization": Restrict access to certain tables or columns
@@ -160,7 +162,14 @@ You can tune the middleware behavior using middleware specific configuration par
 - "cors.allowHeaders": The headers allowed in the CORS request ("Content-Type, X-XSRF-TOKEN")
 - "cors.allowMethods": The methods allowed in the CORS request ("OPTIONS, GET, PUT, POST, DELETE, PATCH")
 - "cors.allowCredentials": To allow credentials in the CORS request ("true")
+- "cors.exposeHeaders": Whitelist headers that browsers are allowed to access ("")
 - "cors.maxAge": The time that the CORS grant is valid in seconds ("1728000")
+- "xsrf.excludeMethods": The methods that do not require XSRF protection ("OPTIONS,GET")
+- "xsrf.cookieName": The name of the XSRF protection cookie ("XSRF-TOKEN")
+- "xsrf.headerName": The name of the XSRF protection header ("X-XSRF-TOKEN")
+- "ajaxOnly.excludeMethods": The methods that do not require AJAX ("OPTIONS,GET")
+- "ajaxOnly.headerName": The name of the required header ("X-Requested-With")
+- "ajaxOnly.headerValue": The value of the required header ("XMLHttpRequest")
 - "jwtAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
 - "jwtAuth.header": Name of the header containing the JWT token ("X-Authorization")
 - "jwtAuth.leeway": The acceptable number of seconds of clock skew ("5")
@@ -808,6 +817,8 @@ The following errors may be reported:
 - 1014: Operation forbidden (403 FORBIDDEN)
 - 1015: Operation not supported (405 METHOD NOT ALLOWED)
 - 1016: Temporary or permanently blocked (403 FORBIDDEN)
+- 1017: Bad or missing XSRF token (403 FORBIDDEN)
+- 1018: Only AJAX requests allowed (403 FORBIDDEN)
 - 9999: Unknown error (500: INTERNAL SERVER ERROR)
 
 The following JSON structure is used:
 
@@ -2899,59 +2899,6 @@ public function handle(Request $request): Response
 
 }
 
-// file: src/Tqdev/PhpCrudApi/Middleware/Auth0Middleware.php
-
-class Auth0Middleware extends Middleware
-{
-
-    private function getFullUrl(String $path)
-    {
-        list($scheme, $default) = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? array('https', 443) : array('http', 80);
-        $port = ($_SERVER['SERVER_PORT'] == $default) ? '' : (':' . $_SERVER['SERVER_PORT']);
-        return $scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'] . $path;
-    }
-
-    private function login(Request $request): Response
-    {
-        $domain = $this->getProperty('domain', '');
-        $clientId = $this->getProperty('clientId', '');
-        $redirectUri = $this->getFullUrl('/callback');
-        $url = "https://$domain/authorize?response_type=token&client_id=$clientId&redirect_uri=$redirectUri";
-        return $this->responder->redirect($url);
-    }
-
-    private function callback(Request $request): Response
-    {
-        $response = $this->responder->success('<h1>test</h1>');
-        $response->addHeader('Content-Type', 'text/html');
-        return $response;
-    }
-
-    private function logout(Request $request): Response
-    {
-        session_destroy();
-        $url = $this->getFullUrl('/login');
-        return $this->responder->redirect($url);
-    }
-
-    public function handle(Request $request): Response
-    {
-        if (session_status() == PHP_SESSION_NONE) {
-            session_start();
-        }
-        $path = $request->getPathSegment(1);
-        switch ($path) {
-            case 'login':
-                return $this->login($request);
-            case 'callback':
-                return $this->callback($request);
-            case 'logout':
-                return $this->logout($request);
-        }
-        return $this->next->handle($request);
-    }
-}
-
 // file: src/Tqdev/PhpCrudApi/Middleware/AuthorizationMiddleware.php
 
 class AuthorizationMiddleware extends Middleware
@@ -3116,6 +3063,9 @@ public function handle(Request $request): Response
             if (!$validUser) {
                 return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, $username);
             }
+            if (!headers_sent()) {
+                session_regenerate_id();
+            }
         }
         if (!isset($_SESSION['username']) || !$_SESSION['username']) {
             $authenticationMode = $this->getProperty('mode', 'required');
@@ -3158,19 +3108,33 @@ public function handle(Request $request): Response
         } elseif ($method == 'OPTIONS') {
             $response = new Response(Response::OK, '');
             $allowHeaders = $this->getProperty('allowHeaders', 'Content-Type, X-XSRF-TOKEN');
-            $response->addHeader('Access-Control-Allow-Headers', $allowHeaders);
+            if ($allowHeaders) {
+                $response->addHeader('Access-Control-Allow-Headers', $allowHeaders);
+            }
             $allowMethods = $this->getProperty('allowMethods', 'OPTIONS, GET, PUT, POST, DELETE, PATCH');
-            $response->addHeader('Access-Control-Allow-Methods', $allowMethods);
+            if ($allowMethods) {
+                $response->addHeader('Access-Control-Allow-Methods', $allowMethods);
+            }
             $allowCredentials = $this->getProperty('allowCredentials', 'true');
-            $response->addHeader('Access-Control-Allow-Credentials', $allowCredentials);
+            if ($allowCredentials) {
+                $response->addHeader('Access-Control-Allow-Credentials', $allowCredentials);
+            }
             $maxAge = $this->getProperty('maxAge', '1728000');
-            $response->addHeader('Access-Control-Max-Age', $maxAge);
+            if ($maxAge) {
+                $response->addHeader('Access-Control-Max-Age', $maxAge);
+            }
+            $exposeHeaders = $this->getProperty('exposeHeaders', '');
+            if ($exposeHeaders) {
+                $response->addHeader('Access-Control-Expose-Headers', $exposeHeaders);
+            }
         } else {
             $response = $this->next->handle($request);
         }
         if ($origin) {
             $allowCredentials = $this->getProperty('allowCredentials', 'true');
-            $response->addHeader('Access-Control-Allow-Credentials', $allowCredentials);
+            if ($allowCredentials) {
+                $response->addHeader('Access-Control-Allow-Credentials', $allowCredentials);
+            }
             $response->addHeader('Access-Control-Allow-Origin', $origin);
         }
         return $response;
@@ -3359,6 +3323,9 @@ public function handle(Request $request): Response
             if (empty($claims)) {
                 return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, 'JWT');
             }
+            if (!headers_sent()) {
+                session_regenerate_id();
+            }
         }
         if (empty($_SESSION['claims'])) {
             $authenticationMode = $this->getProperty('mode', 'required');
@@ -3573,6 +3540,39 @@ public function handle(Request $request): Response
     }
 }
 
+// file: src/Tqdev/PhpCrudApi/Middleware/XsrfMiddleware.php
+
+class XsrfMiddleware extends Middleware
+{
+    private function getToken(): String
+    {
+        $cookieName = $this->getProperty('cookieName', 'XSRF-TOKEN');
+        if (isset($_COOKIE[$cookieName])) {
+            $token = $_COOKIE[$cookieName];
+        } else {
+            $secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on';
+            $token = bin2hex(random_bytes(8));
+            if (!headers_sent()) {
+                setcookie($cookieName, $token, 0, '', '', $secure);
+            }
+        }
+        return $token;
+    }
+
+    public function handle(Request $request): Response
+    {
+        $token = $this->getToken();
+        $method = $request->getMethod();
+        if (!in_array($method, ['OPTIONS', 'GET'])) {
+            $headerName = $this->getProperty('headerName', 'X-XSRF-TOKEN');
+            if ($token != $request->getHeader($headerName)) {
+                return $this->responder->error(ErrorCode::BAD_OR_MISSING_XSRF_TOKEN, '');
+            }
+        }
+        return $this->next->handle($request);
+    }
+}
+
 // file: src/Tqdev/PhpCrudApi/OpenApi/OpenApiBuilder.php
 
 class OpenApiBuilder
@@ -4236,6 +4236,7 @@ class ErrorCode
     const OPERATION_FORBIDDEN = 1014;
     const OPERATION_NOT_SUPPORTED = 1015;
     const TEMPORARY_OR_PERMANENTLY_BLOCKED = 1016;
+    const BAD_OR_MISSING_XSRF_TOKEN = 1017;
 
     private $values = [
         9999 => ["%s", Response::INTERNAL_SERVER_ERROR],
@@ -4256,6 +4257,7 @@ class ErrorCode
         1014 => ["Operation forbidden", Response::FORBIDDEN],
         1015 => ["Operation '%s' not supported", Response::METHOD_NOT_ALLOWED],
         1016 => ["Temporary or permanently blocked", Response::FORBIDDEN],
+        1017 => ["Bad or missing XSRF token", Response::FORBIDDEN],
     ];
 
     public function __construct(int $code)
@@ -5029,8 +5031,8 @@ public function __construct(Config $config)
                 case 'authorization':
                     new AuthorizationMiddleware($router, $responder, $properties, $reflection);
                     break;
-                case 'auth0':
-                    new Auth0Middleware($router, $responder, $properties, $reflection);
+                case 'xsrf':
+                    new XsrfMiddleware($router, $responder, $properties);
                     break;
                 case 'customization':
                     new CustomizationMiddleware($router, $responder, $properties, $reflection);
@@ -5395,7 +5397,7 @@ public function getHeader(String $key): String
             return $this->headers[$key];
         }
         if ($this->highPerformance) {
-            $serverKey = 'HTTP_' . strtoupper(str_replace('_', '-', $key));
+            $serverKey = 'HTTP_' . strtoupper(str_replace('-', '_', $key));
             if (isset($_SERVER[$serverKey])) {
                 return $_SERVER[$serverKey];
             }
@@ -5522,6 +5524,7 @@ public function __toString(): String
     'username' => 'php-crud-api',
     'password' => 'php-crud-api',
     'database' => 'php-crud-api',
+    'middlewares' => 'xsrf',
 ]);
 $request = new Request();
 $api = new Api($config);
 
@@ -10,7 +10,6 @@
 use Tqdev\PhpCrudApi\Controller\RecordController;
 use Tqdev\PhpCrudApi\Controller\Responder;
 use Tqdev\PhpCrudApi\Database\GenericDB;
-use Tqdev\PhpCrudApi\Middleware\Auth0Middleware;
 use Tqdev\PhpCrudApi\Middleware\AuthorizationMiddleware;
 use Tqdev\PhpCrudApi\Middleware\BasicAuthMiddleware;
 use Tqdev\PhpCrudApi\Middleware\CorsMiddleware;
@@ -21,6 +20,7 @@
 use Tqdev\PhpCrudApi\Middleware\Router\SimpleRouter;
 use Tqdev\PhpCrudApi\Middleware\SanitationMiddleware;
 use Tqdev\PhpCrudApi\Middleware\ValidationMiddleware;
+use Tqdev\PhpCrudApi\Middleware\XsrfMiddleware;
 use Tqdev\PhpCrudApi\OpenApi\OpenApiService;
 use Tqdev\PhpCrudApi\Record\ErrorCode;
 use Tqdev\PhpCrudApi\Record\RecordService;
@@ -71,8 +71,8 @@ public function __construct(Config $config)
                 case 'authorization':
                     new AuthorizationMiddleware($router, $responder, $properties, $reflection);
                     break;
-                case 'auth0':
-                    new Auth0Middleware($router, $responder, $properties, $reflection);
+                case 'xsrf':
+                    new XsrfMiddleware($router, $responder, $properties);
                     break;
                 case 'customization':
                     new CustomizationMiddleware($router, $responder, $properties, $reflection);
 
@@ -0,0 +1,25 @@
+<?php
+namespace Tqdev\PhpCrudApi\Middleware;
+
+use Tqdev\PhpCrudApi\Controller\Responder;
+use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
+use Tqdev\PhpCrudApi\Record\ErrorCode;
+use Tqdev\PhpCrudApi\Request;
+use Tqdev\PhpCrudApi\Response;
+
+class AjaxOnlyMiddleware extends Middleware
+{
+    public function handle(Request $request): Response
+    {
+        $method = $request->getMethod();
+        $excludeMethods = $this->getProperty('excludeMethods', 'OPTIONS,GET');
+        if (!in_array($method, $excludeMethods)) {
+            $headerName = $this->getProperty('headerName', 'X-Requested-With');
+            $headerValue = $this->getProperty('headerValue', 'XMLHttpRequest');
+            if ($headerValue != $request->getHeader($headerName)) {
+                return $this->responder->error(ErrorCode::ONLY_AJAX_REQUESTS_ALLOWED, '');
+            }
+        }
+        return $this->next->handle($request);
+    }
+}
@@ -22,6 +22,11 @@ public function setNext(Handler $handler) /*: void*/
         $this->next = $handler;
     }
 
+    private function getArrayProperty(String $property, $default)
+    {
+        return isset($this->properties[$key]) ? array_filter(array_map('trim', explode(',', $this->properties[$key]))) : $default;
+    }
+
     protected function getProperty(String $key, $default)
     {
         return isset($this->properties[$key]) ? $this->properties[$key] : $default;
 
@@ -60,11 +60,6 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
         return $claims;
     }
 
-    private function getArrayProperty(String $property, String $default): array
-    {
-        return array_filter(array_map('trim', explode(',', $this->getProperty($property, $default))));
-    }
-
     private function getClaims(String $token): array
     {
         $time = (int) $this->getProperty('time', time());
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,11 @@ public function setNext(Handler $handler) /: void/`
`22`	`22`	`$this->next = $handler;`
`23`	`23`	`}`
`24`	`24`
	`25`	`+ private function getArrayProperty(String $property, $default)`
	`26`	`+ {`
	`27`	`+ return isset($this->properties[$key]) ? array_filter(array_map('trim', explode(',', $this->properties[$key]))) : $default;`
	`28`	`+ }`
	`29`	`+`
`25`	`30`	`protected function getProperty(String $key, $default)`
`26`	`31`	`{`
`27`	`32`	`return isset($this->properties[$key]) ? $this->properties[$key] : $default;`
Original file line number	Diff line number	Diff line change
`@@ -60,11 +60,6 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t`
`60`	`60`	`return $claims;`
`61`	`61`	`}`
`62`	`62`
`63`		`- private function getArrayProperty(String $property, String $default): array`
`64`		`- {`
`65`		`- return array_filter(array_map('trim', explode(',', $this->getProperty($property, $default))));`
`66`		`- }`
`67`		`-`
`68`	`63`	`private function getClaims(String $token): array`
`69`	`64`	`{`
`70`	`65`	`$time = (int) $this->getProperty('time', time());`