Integratedd CSRF protection added

mirekmarek · mirekmarek · commit 084000e5e017 · 2023-01-24T17:11:02.000+01:00
diff --git a/_installer/views/form/field/input/csrf_protection.phtml b/_installer/views/form/field/input/csrf_protection.phtml
@@ -0,0 +1,17 @@
+<?php
+
+use Jet\MVC_View;
+use Jet\Form_Renderer_Field_Input;
+
+/**
+ * @var MVC_View $this
+ * @var Form_Renderer_Field_Input $r
+ */
+$r = $this->getRaw( 'renderer' );
+
+$field = $r->getField();
+if( $field->getLastErrorCode() ) {
+	$r->addCustomCssClass( 'is-invalid' );
+}
+?>
+<input type="hidden" name="<?= $field->getTagNameValue() ?>" id="<?= $field->getId() ?>" value="<?= $field->getValue() ?>"/>
diff --git a/_installer/views/form/start.phtml b/_installer/views/form/start.phtml
@@ -18,4 +18,7 @@ if(!$r->getBaseCssClasses()) {
 <form <?=$r->renderTagAttributes()?>>
 <?php if( !$form->getIsReadonly() ): ?>
 	<input type="hidden" name="<?=$form->getSentKey()?>" value="<?=$form->getName();?>">
-<?php endif; ?>
+	<?php if(($csrf_field=$form->getCSRFTokenField())):
+		echo $csrf_field;
+	endif;
+endif; ?>
diff --git a/_tools/studio/application/Classes/AccessControl.php b/_tools/studio/application/Classes/AccessControl.php
@@ -127,6 +127,7 @@ public static function getLoginForm(): Form
 				$password_field,
 			]
 		);
+		$form->enableCSRFProtection();
 
 		$form->getField( 'username' )->setIsRequired( true );
 		/**
diff --git a/_tools/studio/application/dictionaries/en_US/login.php b/_tools/studio/application/dictionaries/en_US/login.php
@@ -7,4 +7,5 @@
 	'password' => '',
 	'Logout' => '',
 	'Invalid username or password!' => '',
+	'Please enter username and password' => '',
 ];
diff --git a/_tools/studio/application/views/form/field/input/csrf_protection.phtml b/_tools/studio/application/views/form/field/input/csrf_protection.phtml
@@ -0,0 +1,17 @@
+<?php
+
+use Jet\MVC_View;
+use Jet\Form_Renderer_Field_Input;
+
+/**
+ * @var MVC_View $this
+ * @var Form_Renderer_Field_Input $r
+ */
+$r = $this->getRaw( 'renderer' );
+
+$field = $r->getField();
+if( $field->getLastErrorCode() ) {
+	$r->addCustomCssClass( 'is-invalid' );
+}
+?>
+<input type="hidden" name="<?= $field->getTagNameValue() ?>" id="<?= $field->getId() ?>" value="<?= $field->getValue() ?>"/>
diff --git a/_tools/studio/application/views/form/start.phtml b/_tools/studio/application/views/form/start.phtml
@@ -18,4 +18,7 @@ if(!$r->getBaseCssClasses()) {
 <form <?=$r->renderTagAttributes()?>>
 <?php if( !$form->getIsReadonly() ): ?>
 	<input type="hidden" name="<?=$form->getSentKey()?>" value="<?=$form->getName();?>">
-<?php endif; ?>
+	<?php if(($csrf_field=$form->getCSRFTokenField())):
+		echo $csrf_field;
+	endif;
+endif; ?>
diff --git a/application/Modules/Login/Admin/Main.php b/application/Modules/Login/Admin/Main.php
@@ -52,6 +52,7 @@ public function getLoginForm() : Form
 				$password_field,
 			]
 		);
+		$form->enableCSRFProtection();
 
 		$form->getField( 'username' )->setIsRequired( true );
 		/**
diff --git a/application/Modules/Login/Web/Main.php b/application/Modules/Login/Web/Main.php
@@ -53,6 +53,7 @@ public function getLoginForm() : Form
 				$password_field,
 			]
 		);
+		$form->enableCSRFProtection();
 
 		$form->getField( 'username' )->setIsRequired( true );
 		/**
diff --git a/application/Modules/Test/Forms/Controller/Main.php b/application/Modules/Test/Forms/Controller/Main.php
@@ -384,16 +384,20 @@ function( array $files ) {
 
 
 		$forms = [];
+		
+		$common_form = new Form(
+			'common_form', [
+				$input_field,
+				$validated_input_field,
+			]
+		);
+		$common_form->enableCSRFProtection();
 
 		$forms['common_form'] = [
 			'title' => Tr::_( 'Common form' ),
-			'form'  => new Form(
-				'common_form', [
-					$input_field,
-					$validated_input_field,
-				]
-			),
+			'form'  => $common_form,
 		];
+		
 
 		$forms['numbers_form'] = [
 			'title' => Tr::_( 'Number form' ),
diff --git a/application/Modules/Test/Forms/views/test-forms/form.phtml b/application/Modules/Test/Forms/views/test-forms/form.phtml
@@ -1,6 +1,7 @@
 <?php
 
 use Jet\Form;
+use Jet\Form_Field;
 use Jet\Form_Renderer;
 use Jet\Tr;
 use Jet\MVC_View;
@@ -22,7 +23,10 @@ $form->renderer()->setDefaultFieldWidth([
 ?>
 <?= $form->start() ?>
 
-<?php foreach( $form->getFields() as $field ) echo $field; ?>
+<?php foreach( $form->getFields() as $field ):
+	echo $field;
+endforeach;
+?>
 
 <?php if( !$form->getIsReadonly() ): ?>
 	<div class="row">
diff --git a/application/bases/admin/views/form/field/input/csrf_protection.phtml b/application/bases/admin/views/form/field/input/csrf_protection.phtml
@@ -0,0 +1,17 @@
+<?php
+
+use Jet\MVC_View;
+use Jet\Form_Renderer_Field_Input;
+
+/**
+ * @var MVC_View $this
+ * @var Form_Renderer_Field_Input $r
+ */
+$r = $this->getRaw( 'renderer' );
+
+$field = $r->getField();
+if( $field->getLastErrorCode() ) {
+	$r->addCustomCssClass( 'is-invalid' );
+}
+?>
+<input type="hidden" name="<?= $field->getTagNameValue() ?>" id="<?= $field->getId() ?>" value="<?= $field->getValue() ?>"/>
diff --git a/application/bases/admin/views/form/start.phtml b/application/bases/admin/views/form/start.phtml
@@ -18,4 +18,7 @@ if(!$r->getBaseCssClasses()) {
 <form <?=$r->renderTagAttributes()?>>
 <?php if( !$form->getIsReadonly() ): ?>
 	<input type="hidden" name="<?=$form->getSentKey()?>" value="<?=$form->getName();?>">
-<?php endif; ?>
+	<?php if(($csrf_field=$form->getCSRFTokenField())):
+		echo $csrf_field;
+	endif;
+endif; ?>
diff --git a/application/bases/web/views/form/field/input/csrf_protection.phtml b/application/bases/web/views/form/field/input/csrf_protection.phtml
@@ -0,0 +1,17 @@
+<?php
+
+use Jet\MVC_View;
+use Jet\Form_Renderer_Field_Input;
+
+/**
+ * @var MVC_View $this
+ * @var Form_Renderer_Field_Input $r
+ */
+$r = $this->getRaw( 'renderer' );
+
+$field = $r->getField();
+if( $field->getLastErrorCode() ) {
+	$r->addCustomCssClass( 'is-invalid' );
+}
+?>
+<input type="hidden" name="<?= $field->getTagNameValue() ?>" id="<?= $field->getId() ?>" value="<?= $field->getValue() ?>"/>
diff --git a/application/bases/web/views/form/start.phtml b/application/bases/web/views/form/start.phtml
@@ -18,4 +18,7 @@ if(!$r->getBaseCssClasses()) {
 <form <?=$r->renderTagAttributes()?>>
 <?php if( !$form->getIsReadonly() ): ?>
 	<input type="hidden" name="<?=$form->getSentKey()?>" value="<?=$form->getName();?>">
-<?php endif; ?>
+	<?php if(($csrf_field=$form->getCSRFTokenField())):
+		echo $csrf_field;
+	endif;
+endif; ?>
diff --git a/library/Jet/Factory/Form.php b/library/Jet/Factory/Form.php
@@ -16,6 +16,7 @@ class Factory_Form
 	
 	protected static array $field_class_names = [
 		Form_Field::TYPE_HIDDEN       => Form_Field_Hidden::class,
+		Form_Field::TYPE_CSRF_PROTECTION => Form_Field_CSRFProtection::class,
 		Form_Field::TYPE_INPUT        => Form_Field_Input::class,
 		Form_Field::TYPE_INT          => Form_Field_Int::class,
 		Form_Field::TYPE_FLOAT        => Form_Field_Float::class,
@@ -51,6 +52,15 @@ class Factory_Form
 			'label'     => Form_Renderer_Field_Label::class,
 			'row'       => Form_Renderer_Field_Row::class,
 		],
+		Form_Field::TYPE_CSRF_PROTECTION       => [
+			'field'     => Form_Renderer_Field::class,
+			'container' => Form_Renderer_Field_Container::class,
+			'error'     => Form_Renderer_Field_Error::class,
+			'help'      => Form_Renderer_Field_Help::class,
+			'input'     => Form_Renderer_Field_Input_Common::class,
+			'label'     => Form_Renderer_Field_Label::class,
+			'row'       => Form_Renderer_Field_Row::class,
+		],
 		Form_Field::TYPE_INPUT        => [
 			'field'     => Form_Renderer_Field::class,
 			'container' => Form_Renderer_Field_Container::class,
diff --git a/library/Jet/Form.php b/library/Jet/Form.php
@@ -172,16 +172,44 @@ public function getFields( bool $as_multidimensional_array = false ): array
 	{
 		if( $as_multidimensional_array ) {
 			$fields = new Data_Array();
-
+			
 			foreach( $this->fields as $field ) {
+				if($field->getType()==Form_Field::TYPE_CSRF_PROTECTION) {
+					continue;
+				}
 				$fields->set( $field->getName(), $field );
 			}
-
+			
 			return $fields->getRawData();
-
+			
 		}
-
-		return $this->fields;
+		
+		$fields = [];
+		
+		foreach($this->fields as $k=>$field) {
+			if($field->getType()==Form_Field::TYPE_CSRF_PROTECTION) {
+				continue;
+			}
+			
+			$fields[$k] = $field;
+		}
+		
+		return $fields;
+	}
+	
+	/**
+	 * @return Form_Field|null
+	 */
+	public function getCSRFTokenField() : ?Form_Field
+	{
+		foreach($this->fields as $k=>$field) {
+			if($field->getType()==Form_Field::TYPE_CSRF_PROTECTION) {
+				return $field;
+			}
+		}
+		
+		
+		return null;
 	}
 	
 	/**
@@ -385,6 +413,17 @@ public function getId(): string
 	{
 		return $this->name;
 	}
+	
+	public function enableCSRFProtection() : void
+	{
+		foreach($this->fields as $field) {
+			if($field->getType()==Form_Field::TYPE_CSRF_PROTECTION) {
+				return;
+			}
+		}
+		
+		$this->addField( Factory_Form::getFieldInstance( Form_Field::TYPE_CSRF_PROTECTION, '' ) );
+	}
 
 	/**
 	 * @param Form_Field $field
@@ -604,7 +643,8 @@ public function getValues(): array|bool
 		foreach( $this->fields as $key => $field ) {
 			if(
 				$field->getIsReadonly() ||
-				!$field->hasValue()
+				!$field->hasValue() ||
+				$field->getType()==Form_Field::TYPE_CSRF_PROTECTION
 			) {
 				continue;
 			}
diff --git a/library/Jet/Form/Field.php b/library/Jet/Form/Field.php
@@ -54,6 +54,8 @@ abstract class Form_Field extends BaseObject implements JsonSerializable
 	const TYPE_FILE = 'File';
 	const TYPE_FILE_IMAGE = 'FileImage';
 	
+	const TYPE_CSRF_PROTECTION = 'CSRFProtection';
+	
 	
 	use Form_Field_Trait_Validation;
 	use Form_Field_Trait_Render;
diff --git a/library/Jet/Form/Field/CSRFProtection.php b/library/Jet/Form/Field/CSRFProtection.php
@@ -0,0 +1,84 @@
+<?php
+/**
+ *
+ * @copyright Copyright (c) Miroslav Marek <mirek.marek@web-jet.cz>
+ * @license http://www.php-jet.net/license/license.txt
+ * @author Miroslav Marek <mirek.marek@web-jet.cz>
+ */
+
+namespace Jet;
+
+/**
+ *
+ */
+class Form_Field_CSRFProtection extends Form_Field
+{
+	/**
+	 * @var string
+	 */
+	protected string $_type = Form_Field::TYPE_CSRF_PROTECTION;
+	
+	protected ?Session $session = null;
+	
+	/**
+	 * @return array
+	 */
+	public function getRequiredErrorCodes(): array
+	{
+		return [];
+	}
+	
+	public function __construct( string $name='', string $label = '' )
+	{
+		if(!$name) {
+			$name = SysConf_Jet_Form::getCSRFProtection_TokenFieldName();
+		}
+		
+		parent::__construct( $name, $label );
+	}
+	
+	/**
+	 * @return Session
+	 */
+	protected function getSession() : Session
+	{
+		if(!$this->session) {
+			$this->session = new Session(
+				SysConf_Jet_Form::getCSRFProtection_SessionNamePrefix()
+				.$this->getForm()->getName()
+			);
+		}
+		
+		return $this->session;
+	}
+	
+	protected function generateToken() : void
+	{
+		$generator = SysConf_Jet_Form::getCSRFProtection_TokenGenerator();
+
+		$this->getSession()->setValue('token', $generator() );
+	}
+	
+	public function getToken() : string
+	{
+		return $this->getSession()->getValue( 'token' );
+	}
+	
+	public function render(): string
+	{
+		$this->generateToken();
+		$this->setValue( $this->getToken() );
+		
+		return (string)$this->input();
+	}
+	
+	public function validate(): bool
+	{
+		if($this->getValueRaw()!=$this->getToken()) {
+			return false;
+		}
+		
+		$this->setIsValid();
+		return true;
+	}
+}
diff --git a/library/Jet/SysConf/Jet/Form.php b/library/Jet/SysConf/Jet/Form.php
diff --git a/library/Jet/SysConf/Jet/Form/DefaultViews.php b/library/Jet/SysConf/Jet/Form/DefaultViews.php

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,7 @@ public static function getLoginForm(): Form`
`127`	`127`	`$password_field,`
`128`	`128`	`]`
`129`	`129`	`);`
	`130`	`+ $form->enableCSRFProtection();`
`130`	`131`
`131`	`132`	`$form->getField( 'username' )->setIsRequired( true );`
`132`	`133`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@ public function getLoginForm() : Form`
`52`	`52`	`$password_field,`
`53`	`53`	`]`
`54`	`54`	`);`
	`55`	`+ $form->enableCSRFProtection();`
`55`	`56`
`56`	`57`	`$form->getField( 'username' )->setIsRequired( true );`
`57`	`58`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@ public function getLoginForm() : Form`
`53`	`53`	`$password_field,`
`54`	`54`	`]`
`55`	`55`	`);`
	`56`	`+ $form->enableCSRFProtection();`
`56`	`57`
`57`	`58`	`$form->getField( 'username' )->setIsRequired( true );`
`58`	`59`	`/**`