Removed log location configuration

Updated readme
Correct .htaccess file to examples
Added CSRF validation to example
Format code

Author: Guido Gröön

README.md

@@ -35,17 +35,14 @@ Add the following lines to `composer.json` to include the Web eID authentication
 
 ### Configure the log file location
 
-Define the constant `LOGFILE` for log file location.
+By default, log entries are written to the server log. If there is a need to collect log entries in a separate file, define the constant `LOGFILE` for the log file location.
 
+Example:
 ```php
 define("LOGFILE", dirname(__FILE__) . "/../log/web-eid-authtoken-validation-php.log");
 ```
 
-In case, when you don't want to collect log at all, define this constant like so:
-
-```php
-define("LOGFILE", false);
-```
+It is essential, that your log file directory has write access.
 
 ## 2. Configure the challenge nonce store
 
@@ -231,44 +228,6 @@ The Web eID authentication token validation library for PHP contains the impleme
 
 The authentication protocol, authentication token format, validation requirements and challenge nonce usage is described in more detail in the [Web eID system architecture document](https://github.com/web-eid/web-eid-system-architecture-doc#authentication-1).
 
-# Authentication token format
-
-In the following, 
-
-- **origin** is defined as the website origin, the URL serving the web application,
-- **challenge nonce** (or challenge) is defined as a cryptographic nonce, a large random number that can be used only once, with at least 256 bits of entropy.
-
-The Web eID authentication token is a JSON data structure that looks like the following example:
-
-```json
-{
-  "unverifiedCertificate": "MIIFozCCA4ugAwIBAgIQHFpdK-zCQsFW4...",
-  "algorithm": "RS256",
-  "signature": "HBjNXIaUskXbfhzYQHvwjKDUWfNu4yxXZha...",
-  "format": "web-eid:1.0",
-  "appVersion": "https://web-eid.eu/web-eid-app/releases/v2.0.0"
-}
-```
-
-It contains the following fields:
-
-- `unverifiedCertificate`: the base64-encoded DER-encoded authentication certificate of the eID user; the public key contained in this certificate should be used to verify the signature; the certificate cannot be trusted as it is received from client side and the client can submit a malicious certificate; to establish trust, it must be verified that the certificate is signed by a trusted certificate authority,
-
-- `algorithm`: the signature algorithm used to produce the signature; the allowed values are the algorithms specified in [JWA RFC](https://www.ietf.org/rfc/rfc7518.html) sections 3.3, 3.4 and 3.5:
-
-    ```
-      "ES256", "ES384", "ES512", // ECDSA
-      "PS256", "PS384", "PS512", // RSASSA-PSS
-      "RS256", "RS384", "RS512"  // RSASSA-PKCS1-v1_5
-    ```
-
-- `signature`: the base64-encoded signature of the token (see the description below),
-
-- `format`: the type identifier and version of the token format separated by a colon character '`:`', `web-eid:1.0` as of now; the version number consists of the major and minor number separated by a dot, major version changes are incompatible with previous versions, minor version changes are backwards-compatible within the given major version,
-
-- `appVersion`: the URL identifying the name and version of the application that issued the token; informative purpose, can be used to identify the affected application in case of faulty tokens.
-
-The value that is signed by the user’s authentication private key and included in the `signature` field is `hash(origin)+hash(challenge)`. The hash function is used before concatenation to ensure field separation as the hash of a value is guaranteed to have a fixed length. Otherwise the origin `example.com` with challenge nonce `.eu1234` and another origin `example.com.eu` with challenge nonce `1234` would result in the same value after concatenation. The hash function `hash` is the same hash function that is used in the signature algorithm, for example SHA256 in case of RS256.
 
 # Authentication token validation
 

composer.json

@@ -16,9 +16,6 @@
         "psr-4": {
             "web_eid\\web_eid_authtoken_validation_php\\": ["src"]
         },
-        "files": [
-            "config/configuration.php"
-        ],
         "classmap": [
             "src/util/CollectionsUtil.php"
         ]

config/configuration.php

@@ -1,4 +1,5 @@
 RewriteEngine on
 RewriteCond %{REQUEST_FILENAME} !-f
-RewriteCond %{REQUEST_FILENAME}/ !-f
+RewriteCond %{REQUEST_FILENAME} !.(ico,css,js,jpg,gif,png)$
+RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . index.php [L]

examples/public/.htaccess

@@ -1,13 +1,35 @@
 <?php
 
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 header('Content-type: text/html; charset=UTF-8');
 
 session_start();
 
-// Define the log location
-define("LOGFILE", dirname(__FILE__) . "/../log/web-eid-authtoken-validation-php.log");
+// Uncomment following line to define the custom log location (by default the server log is used)
+//define("LOGFILE", dirname(__FILE__) . "/../log/web-eid-authtoken-validation-php.log");
 
 require __DIR__ . '/../vendor/autoload.php';
 
 $router = new Router();
-$router->init();
+$router->init();

examples/public/index.php

@@ -1,5 +1,27 @@
 <?php
 
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 use web_eid\web_eid_authtoken_validation_php\authtoken\WebEidAuthToken;
 use web_eid\web_eid_authtoken_validation_php\certificate\CertificateData;
 use web_eid\web_eid_authtoken_validation_php\certificate\CertificateLoader;
@@ -17,7 +39,8 @@ class Auth
     public function trustedIntermediateCACertificates(): array
     {
         return CertificateLoader::loadCertificatesFromResources(
-            __DIR__ . "/../certificates/esteid2018.der.crt", __DIR__ . "/../certificates/ESTEID-SK_2015.der.crt"
+            __DIR__ . "/../certificates/esteid2018.der.crt",
+            __DIR__ . "/../certificates/ESTEID-SK_2015.der.crt"
         );
     }
 
@@ -40,29 +63,35 @@ public function tokenValidator(): AuthTokenValidator
      * Get challenge nonce
      *
      * @return string
-     */    
+     */
     public function getNonce()
     {
         try {
             header('Content-Type: application/json; charset=utf-8');
-            $generator = $this->generator();
-            $challengeNonce = $generator->generateAndStoreNonce();
+            $challengeNonce = $this->generator()->generateAndStoreNonce();
             $responseArr = [];
-            $responseArr["nonce"] = $challengeNonce->getBase64EncodedNonce();
+            $responseArr = ["nonce" => $challengeNonce->getBase64EncodedNonce()];
             echo json_encode($responseArr);
         } catch (Exception $e) {
             header("HTTP/1.0 400 Bad Request");
-            echo $e->getMessage();
+            echo "Nonce generation failed";
         }
     }
 
     /**
      * Authenticate
      *
      * @return string
-     */    
+     */
     public function validate()
     {
+        $headers = getallheaders();
+        if (!isset($headers["X-CSRF-TOKEN"]) || ($headers["X-CSRF-TOKEN"] != $_SESSION["csrf-token"])) {
+            header("HTTP/1.0 405 Method Not Allowed");
+            echo "Unable to process your request";
+            return;
+        }
+
         $authToken = file_get_contents('php://input');
 
         try {
@@ -72,11 +101,8 @@ public function validate()
 
             try {
 
-                // Build token validator
-                $tokenValidator = $this->tokenValidator();
-
                 // Validate token
-                $cert = $tokenValidator->validate(new WebEidAuthToken($authToken), $challengeNonce->getBase64EncodedNonce());
+                $cert = $this->tokenValidator()->validate(new WebEidAuthToken($authToken), $challengeNonce->getBase64EncodedNonce());
 
                 session_regenerate_id();
 
@@ -88,15 +114,13 @@ public function validate()
                 $_SESSION["auth-user"] = $subjectName;
 
                 echo json_encode($result);
-
             } catch (Exception $e) {
                 header("HTTP/1.0 400 Bad Request");
-                echo $e->getMessage();
+                echo "Validation failed";
             }
-
         } catch (ChallengeNonceExpiredException $e) {
             header("HTTP/1.0 400 Bad Request");
-            echo $e->getMessage();
+            echo "Challenge nonce not found or expired";
         }
     }
 
@@ -111,5 +135,4 @@ public function logout()
         // Redirect to login
         header("location:/");
     }
-
-}
+}

examples/src/Auth.php

@@ -1,5 +1,27 @@
 <?php
 
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 class Pages
 {
     var $template;
@@ -10,21 +32,32 @@ public function __construct()
         $this->template = new Template();
     }
 
+    private function _generateToken()
+    {
+        // Store token to session
+        $_SESSION["csrf-token"] = bin2hex(random_bytes(32));
+        return $_SESSION["csrf-token"];
+    }
+
     public function login()
     {
-        $this->data['content'] = $this->template->getHtml(__DIR__ . '/../tpl/login.phtml');
+        $this->data = [
+            "content" => $this->template->getHtml(__DIR__ . '/../tpl/login.phtml')
+        ];
     }
 
     public function welcome()
     {
         $data = [];
-        $data["auth_user"] = $_SESSION["auth-user"];
-        $this->data['content'] = $this->template->getHtml(__DIR__ . '/../tpl/welcome.phtml', $data);
+        $data = ["auth_user" => $_SESSION["auth-user"]];
+        $this->data = [
+            "content" => $this->template->getHtml(__DIR__ . '/../tpl/welcome.phtml', $data)
+        ];
     }
 
     public function __destruct()
     {
+        $this->data["token"] = $this->_generateToken();;
         echo $this->template->getHtml(__DIR__ . '/../tpl/site.phtml', $this->data);
     }
-
-}
+}

examples/src/Pages.php

@@ -1,4 +1,27 @@
 <?php
+
+/*
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 /* App router */
 
 class Router
@@ -10,19 +33,19 @@ public function init()
         $router->setBasePath('');
 
         // Page routes
-        $router->map('GET', '', ['controller' => 'Pages', 'method' => 'login']);
+        //$router->map('GET', '', ['controller' => 'Pages', 'method' => 'login']);
         $router->map('GET', '/', ['controller' => 'Pages', 'method' => 'login']);
         $router->map('GET', '/logout', ['controller' => 'Auth', 'method' => 'logout']);
 
+        // Web eID routes
+        $router->map('GET', '/nonce', ['controller' => 'Auth', 'method' => 'getNonce']);
+        $router->map('POST', '/validate', ['controller' => 'Auth', 'method' => 'validate']);
+
         // Allow route only for authenticated users
         if (isset($_SESSION["auth-user"])) {
             $router->map('GET', '/welcome', ['controller' => 'Pages', 'method' => 'welcome']);
         }
 
-        // Web eID routes
-        $router->map('GET', '/nonce', ['controller' => 'Auth', 'method' => 'getNonce']);
-        $router->map('POST', '/validate', ['controller' => 'Auth', 'method' => 'validate']);
-        
         $match = $router->match();
 
         if (!$match) {
@@ -35,7 +58,6 @@ public function init()
         $controller = new $match['target']['controller'];
         $method = $match['target']['method'];
 
-        call_user_func([$controller, $method], $match['params'], []);        
-
+        call_user_func([$controller, $method], $match['params'], []);
     }
-}
+}

examples/src/Router.php

@@ -15,7 +15,5 @@ public function getHtml($template, $data = [])
             return $contents;
         }
         throw new Exception("Could not load template file " . $template);
-    
     }
-
-}
+}