Review commit

Author: Guido Gröön

README.md

@@ -35,16 +35,26 @@ Add the following lines to `composer.json` to include the Web eID authentication
 ]
 ```
 
-### Configure the log file location
+### Logging
 
-By default, log entries are written to the server log. If there is a need to collect log entries in a separate file, define the constant `LOGFILE` for the log file location.
+For logging, you have to create `LoggerInterface` and use it on `AuthTokenValidatorBuilder` initialization.
 
-Example:
+Example logger interface with Monolog:
 ```php
-define("LOGFILE", dirname(__FILE__) . "/../log/web-eid-authtoken-validation-php.log");
-```
+use Monolog\Level;
+use Monolog\Logger;
+use Monolog\Handler\StreamHandler;
 
-It is essential, that your log file directory has write access.
+...
+$log = new Logger("general");
+$log->pushHandler(new StreamHandler("/some/path/app.log", Level::Debug));
+
+return (new AuthTokenValidatorBuilder($log))
+      ->withSiteOrigin(new Uri("https://example.org"))
+      ->withTrustedCertificateAuthorities(...self::trustedIntermediateCACertificates())
+      ->build();
+```
+Read more about [LoggerInterface](https://www.php-fig.org/psr/psr-3/) and take a look from examples directory.
 
 ## 2. Configure the challenge nonce store
 
@@ -90,15 +100,15 @@ public function trustedIntermediateCACertificates(): array
 Once the prerequisites have been met, the authentication token validator itself can be configured. The mandatory parameters are the website origin and trusted certificate authorities. The authentication token validator will be used in the login processing component of your web application authentication framework
 
 ```php
-use web_eid\web_eid_authtoken_validation_php\util\Uri;
+use GuzzleHttp\Psr7\Uri;
 use web_eid\web_eid_authtoken_validation_php\validator\AuthTokenValidator;
 use web_eid\web_eid_authtoken_validation_php\validator\AuthTokenValidatorBuilder;
 
 ...
 public function tokenValidator(): AuthTokenValidator
 {
     return (new AuthTokenValidatorBuilder())
-      ->withSiteOrigin(new Uri('https://example.org'))
+      ->withSiteOrigin(new Uri("https://example.org"))
       ->withTrustedCertificateAuthorities(...self::trustedIntermediateCACertificates())
       ->build();
 }
@@ -118,24 +128,24 @@ class Router
     {
 
         $router = new AltoRouter();
-        $router->setBasePath('');
+        $router->setBasePath("");
 
-        $router->map('GET', '', ['controller' => 'Pages', 'method' => 'login']);
-        $router->map('GET', '/nonce', ['controller' => 'Auth', 'method' => 'getNonce']);
+        $router->map("GET", "/", ["controller" => "Pages", "method" => "login"]);
+        $router->map("GET", "/nonce", ["controller" => "Auth", "method" => "getNonce"]);
 
         $match = $router->match();
 
         if (!$match) {
             // Redirect to main
-            header("location:/");
+            header('Location: /');
             return;
         }
 
 
-        $controller = new $match['target']['controller'];
-        $method = $match['target']['method'];
+        $controller = new $match["target"]["controller"];
+        $method = $match["target"]["method"];
 
-        call_user_func([$controller, $method], $match['params'], []);        
+        call_user_func([$controller, $method], $match["params"], []);
 
     }
 }
@@ -147,14 +157,13 @@ class Auth
     {
 
         try {
-            header('Content-Type: application/json; charset=utf-8');
+            header("Content-Type: application/json; charset=utf-8");
             $generator = $this->generator();
             $challengeNonce = $generator->generateAndStoreNonce();
-            $responseArr = [];
-            $responseArr["nonce"] = $challengeNonce->getBase64EncodedNonce();
+            $responseArr["nonce" => $challengeNonce->getBase64EncodedNonce()];
             echo json_encode($responseArr);
         } catch (Exception $e) {
-            header("HTTP/1.0 400 Bad Request");
+            header("HTTP/1.0 500 Internal Server Error");
             echo $e->getMessage();
         }
     }
@@ -222,6 +231,7 @@ See the complete example from the ***examples*** directory.
   - [Basic usage](#basic-usage-1)
   - [Extended configuration](#extended-configuration-1)  
 - [Example implementation](#example-implementation)
+- [Code formatting](#code-formatting)
 - [Testing](#testing)
 
 # Introduction
@@ -371,6 +381,18 @@ composer dump-autoload
 
 Please note, that there are no certificate files included in this example. You can find certificates from [here](https://www.skidsolutions.eu/en/repository/certs)
 
+# Code formatting
+
+We are using `Prettier` for code formatting. To install Prettier, use following command:
+
+```
+npm install --global prettier @prettier/plugin-php
+```
+Run command for code formatting:
+```
+composer fix-php
+```
+
 # Testing
 
 Run phpunit in the root directory to run all unit tests.

composer.json

@@ -33,6 +33,11 @@
     ],
     "require": {
         "phpseclib/phpseclib": "3.0.14",
-        "web_eid/ocsp_php": "dev-main"
+        "guzzlehttp/psr7": "2.4.3",
+        "web_eid/ocsp_php": "dev-development",
+        "psr/log": "^3.0"
+    },
+    "scripts": {
+        "fix-php": ["prettier src/**/* --write", "prettier examples/src/* --write"]
     }
 }

examples/composer.json

@@ -13,7 +13,9 @@
         "php": ">=7.4",
         "web_eid/web_eid_authtoken_validation_php": "dev-main",
         "web_eid/ocsp_php": "dev-main",
-        "altorouter/altorouter": "1.1.0"
+        "altorouter/altorouter": "1.1.0",
+        "guzzlehttp/psr7": "2.4.3",
+        "psr/log": "^3.0"
     },
     "autoload": {
         "classmap": ["src"]

examples/public/css/bootstrap.min.css

@@ -29,7 +29,7 @@
 use web_eid\web_eid_authtoken_validation_php\challenge\ChallengeNonceGeneratorBuilder;
 use web_eid\web_eid_authtoken_validation_php\challenge\ChallengeNonceStore;
 use web_eid\web_eid_authtoken_validation_php\exceptions\ChallengeNonceExpiredException;
-use web_eid\web_eid_authtoken_validation_php\util\Uri;
+use GuzzleHttp\Psr7\Uri;
 use web_eid\web_eid_authtoken_validation_php\validator\AuthTokenValidator;
 use web_eid\web_eid_authtoken_validation_php\validator\AuthTokenValidatorBuilder;
 
@@ -53,8 +53,11 @@ public function generator(): ChallengeNonceGenerator
 
     public function tokenValidator(): AuthTokenValidator
     {
-        return (new AuthTokenValidatorBuilder())
-            ->withSiteOrigin(new Uri('https://localhost:8443'))
+        $logger = new Logger();
+
+        return (new AuthTokenValidatorBuilder($logger))
+            // Change the URL when you run the example in your own machine.
+            ->withSiteOrigin(new Uri("https://localhost:8443"))
             ->withTrustedCertificateAuthorities(...self::trustedIntermediateCACertificates())
             ->build();
     }
@@ -67,13 +70,12 @@ public function tokenValidator(): AuthTokenValidator
     public function getNonce()
     {
         try {
-            header('Content-Type: application/json; charset=utf-8');
+            header("Content-Type: application/json; charset=utf-8");
             $challengeNonce = $this->generator()->generateAndStoreNonce();
-            $responseArr = [];
             $responseArr = ["nonce" => $challengeNonce->getBase64EncodedNonce()];
             echo json_encode($responseArr);
         } catch (Exception $e) {
-            header("HTTP/1.0 400 Bad Request");
+            header("HTTP/1.0 500 Internal Server Error");
             echo "Nonce generation failed";
         }
     }
@@ -88,11 +90,11 @@ public function validate()
         $headers = getallheaders();
         if (!isset($headers["X-CSRF-TOKEN"]) || ($headers["X-CSRF-TOKEN"] != $_SESSION["csrf-token"])) {
             header("HTTP/1.0 405 Method Not Allowed");
-            echo "Unable to process your request";
+            echo "CSRF token missing, unable to process your request";
             return;
         }
 
-        $authToken = file_get_contents('php://input');
+        $authToken = file_get_contents("php://input");
 
         try {
 
@@ -108,7 +110,7 @@ public function validate()
 
                 $subjectName = CertificateData::getSubjectGivenName($cert) . " " . CertificateData::getSubjectSurname($cert);
                 $result = [
-                    'sub' => $subjectName
+                    "sub" => $subjectName
                 ];
 
                 $_SESSION["auth-user"] = $subjectName;
@@ -133,6 +135,6 @@ public function logout()
         unset($_SESSION["auth-user"]);
         session_regenerate_id();
         // Redirect to login
-        header("location:/");
+        header("Location: /");
     }
 }

examples/public/css/bootstrap.min.css.map

@@ -0,0 +1,83 @@
+<?php
+
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+use Psr\Log\LoggerInterface;
+use Psr\Log\LogLevel;
+
+class Logger implements LoggerInterface
+{
+    public function emergency(string|\Stringable $message, array $context = []): void
+    {
+        $this->log(LogLevel::EMERGENCY, $message, $context);
+    }
+
+    public function alert(string|\Stringable $message, array $context = []): void
+    {
+        $this->log(LogLevel::ALERT, $message, $context);
+    }
+
+    public function critical(string|\Stringable $message, array $context = []): void
+    {
+        $this->log(LogLevel::CRITICAL, $message, $context);
+    }
+
+    public function error(string|\Stringable $message, array $context = []): void
+    {
+        $this->log(LogLevel::ERROR, $message, $context);
+    }
+
+    public function warning(string|\Stringable $message, array $context = []): void
+    {
+        $this->log(LogLevel::WARNING, $message, $context);
+    }
+
+    public function notice(string|\Stringable $message, array $context = []): void
+    {
+        $this->log(LogLevel::NOTICE, $message, $context);
+    }
+
+    public function info(string|\Stringable $message, array $context = []): void
+    {
+        $this->log(LogLevel::INFO, $message, $context);
+    }
+
+    public function debug(string|\Stringable $message, array $context = []): void
+    {
+        $this->log(LogLevel::DEBUG, $message, $context);
+    }
+
+    public function log($level, string|\Stringable $message, array $context = []): void
+    {
+        // Build the message with the current date, log level, 
+        // and the string from the arguments
+        $message = sprintf(
+            '%s: %s%s',
+            $level,
+            $message,
+            PHP_EOL // Line break
+        );
+
+        error_log($message, 0);
+    }
+}

examples/src/Auth.php

@@ -32,7 +32,7 @@ public function __construct()
         $this->template = new Template();
     }
 
-    private function _generateToken()
+    private function _generateCsrfToken()
     {
         // Store token to session
         $_SESSION["csrf-token"] = bin2hex(random_bytes(32));
@@ -48,7 +48,6 @@ public function login()
 
     public function welcome()
     {
-        $data = [];
         $data = ["auth_user" => $_SESSION["auth-user"]];
         $this->data = [
             "content" => $this->template->getHtml(__DIR__ . '/../tpl/welcome.phtml', $data)
@@ -57,7 +56,7 @@ public function welcome()
 
     public function __destruct()
     {
-        $this->data["token"] = $this->_generateToken();;
+        $this->data["token"] = $this->_generateCsrfToken();;
         echo $this->template->getHtml(__DIR__ . '/../tpl/site.phtml', $this->data);
     }
 }

examples/src/Logger.php

@@ -30,34 +30,33 @@ public function init()
     {
 
         $router = new AltoRouter();
-        $router->setBasePath('');
+        $router->setBasePath("");
 
         // Page routes
-        //$router->map('GET', '', ['controller' => 'Pages', 'method' => 'login']);
-        $router->map('GET', '/', ['controller' => 'Pages', 'method' => 'login']);
-        $router->map('GET', '/logout', ['controller' => 'Auth', 'method' => 'logout']);
+        $router->map("GET", "/", ["controller" => "Pages", "method" => "login"]);
+        $router->map("GET", "/logout", ["controller" => "Auth", "method" => "logout"]);
 
         // Web eID routes
-        $router->map('GET', '/nonce', ['controller' => 'Auth', 'method' => 'getNonce']);
-        $router->map('POST', '/validate', ['controller' => 'Auth', 'method' => 'validate']);
+        $router->map("GET", "/nonce", ["controller" => "Auth", "method" => "getNonce"]);
+        $router->map("POST", "/validate", ["controller" => "Auth", "method" => "validate"]);
 
         // Allow route only for authenticated users
         if (isset($_SESSION["auth-user"])) {
-            $router->map('GET', '/welcome', ['controller' => 'Pages', 'method' => 'welcome']);
+            $router->map("GET", "/welcome", ["controller" => "Pages", "method" => "welcome"]);
         }
 
         $match = $router->match();
 
         if (!$match) {
             // Redirect to login
-            header("location:/");
+            header("Location: /");
             return;
         }
 
 
-        $controller = new $match['target']['controller'];
-        $method = $match['target']['method'];
+        $controller = new $match["target"]["controller"];
+        $method = $match["target"]["method"];
 
-        call_user_func([$controller, $method], $match['params'], []);
+        call_user_func([$controller, $method], $match["params"], []);
     }
 }