dsh/slovocast
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add the form key middleware to registering the user

Browse Source
This commit is contained in:
Dave Smith-Hayes 2024-12-02 17:42:06 +00:00
parent 4a85bcac8c
commit 2d58ed9d19
4 changed files with 50 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
app/composer.lock generated
View File

@ -3224,16 +3224,16 @@
}, },
{ {
"name": "symfony/config", "name": "symfony/config",
"version": "v7.1.7", "version": "v7.2.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/symfony/config.git", "url": "https://github.com/symfony/config.git",
"reference": "dc373a5cbd345354696f5dfd39c5c7a8ea23f4c8" "reference": "bcd3c4adf0144dee5011bb35454728c38adec055"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/symfony/config/zipball/dc373a5cbd345354696f5dfd39c5c7a8ea23f4c8", "url": "https://api.github.com/repos/symfony/config/zipball/bcd3c4adf0144dee5011bb35454728c38adec055",
"reference": "dc373a5cbd345354696f5dfd39c5c7a8ea23f4c8", "reference": "bcd3c4adf0144dee5011bb35454728c38adec055",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -3279,7 +3279,7 @@
"description": "Helps you find, load, combine, autofill and validate configuration values of any kind", "description": "Helps you find, load, combine, autofill and validate configuration values of any kind",
"homepage": "https://symfony.com", "homepage": "https://symfony.com",
"support": { "support": {
"source": "https://github.com/symfony/config/tree/v7.1.7" "source": "https://github.com/symfony/config/tree/v7.2.0"
}, },
"funding": [ "funding": [
{ {
@ -3295,20 +3295,20 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2024-11-04T11:34:07+00:00" "time": "2024-11-04T11:36:24+00:00"
}, },
{ {
"name": "symfony/console", "name": "symfony/console",
"version": "v7.1.8", "version": "v7.2.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/symfony/console.git", "url": "https://github.com/symfony/console.git",
"reference": "ff04e5b5ba043d2badfb308197b9e6b42883fcd5" "reference": "23c8aae6d764e2bae02d2a99f7532a7f6ed619cf"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/symfony/console/zipball/ff04e5b5ba043d2badfb308197b9e6b42883fcd5", "url": "https://api.github.com/repos/symfony/console/zipball/23c8aae6d764e2bae02d2a99f7532a7f6ed619cf",
"reference": "ff04e5b5ba043d2badfb308197b9e6b42883fcd5", "reference": "23c8aae6d764e2bae02d2a99f7532a7f6ed619cf",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -3372,7 +3372,7 @@
"terminal" "terminal"
], ],
"support": { "support": {
"source": "https://github.com/symfony/console/tree/v7.1.8" "source": "https://github.com/symfony/console/tree/v7.2.0"
}, },
"funding": [ "funding": [
{ {
@ -3388,7 +3388,7 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2024-11-06T14:23:19+00:00" "time": "2024-11-06T14:24:19+00:00"
}, },
{ {
"name": "symfony/deprecation-contracts", "name": "symfony/deprecation-contracts",
@ -3459,16 +3459,16 @@
}, },
{ {
"name": "symfony/filesystem", "name": "symfony/filesystem",
"version": "v7.1.6", "version": "v7.2.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/symfony/filesystem.git", "url": "https://github.com/symfony/filesystem.git",
"reference": "c835867b3c62bb05c7fe3d637c871c7ae52024d4" "reference": "b8dce482de9d7c9fe2891155035a7248ab5c7fdb"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/symfony/filesystem/zipball/c835867b3c62bb05c7fe3d637c871c7ae52024d4", "url": "https://api.github.com/repos/symfony/filesystem/zipball/b8dce482de9d7c9fe2891155035a7248ab5c7fdb",
"reference": "c835867b3c62bb05c7fe3d637c871c7ae52024d4", "reference": "b8dce482de9d7c9fe2891155035a7248ab5c7fdb",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -3505,7 +3505,7 @@
"description": "Provides basic utilities for the filesystem", "description": "Provides basic utilities for the filesystem",
"homepage": "https://symfony.com", "homepage": "https://symfony.com",
"support": { "support": {
"source": "https://github.com/symfony/filesystem/tree/v7.1.6" "source": "https://github.com/symfony/filesystem/tree/v7.2.0"
}, },
"funding": [ "funding": [
{ {
@ -3521,7 +3521,7 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2024-10-25T15:11:02+00:00" "time": "2024-10-25T15:15:23+00:00"
}, },
{ {
"name": "symfony/polyfill-ctype", "name": "symfony/polyfill-ctype",
@ -4082,16 +4082,16 @@
}, },
{ {
"name": "symfony/string", "name": "symfony/string",
"version": "v7.1.8", "version": "v7.2.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/symfony/string.git", "url": "https://github.com/symfony/string.git",
"reference": "591ebd41565f356fcd8b090fe64dbb5878f50281" "reference": "446e0d146f991dde3e73f45f2c97a9faad773c82"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/symfony/string/zipball/591ebd41565f356fcd8b090fe64dbb5878f50281", "url": "https://api.github.com/repos/symfony/string/zipball/446e0d146f991dde3e73f45f2c97a9faad773c82",
"reference": "591ebd41565f356fcd8b090fe64dbb5878f50281", "reference": "446e0d146f991dde3e73f45f2c97a9faad773c82",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -4149,7 +4149,7 @@
"utf8" "utf8"
], ],
"support": { "support": {
"source": "https://github.com/symfony/string/tree/v7.1.8" "source": "https://github.com/symfony/string/tree/v7.2.0"
}, },
"funding": [ "funding": [
{ {
@ -4165,20 +4165,20 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2024-11-13T13:31:21+00:00" "time": "2024-11-13T13:31:26+00:00"
}, },
{ {
"name": "twig/twig", "name": "twig/twig",
"version": "v3.15.0", "version": "v3.16.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/twigphp/Twig.git", "url": "https://github.com/twigphp/Twig.git",
"reference": "2d5b3964cc21d0188633d7ddce732dc8e874db02" "reference": "475ad2dc97d65d8631393e721e7e44fb544f0561"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/twigphp/Twig/zipball/2d5b3964cc21d0188633d7ddce732dc8e874db02", "url": "https://api.github.com/repos/twigphp/Twig/zipball/475ad2dc97d65d8631393e721e7e44fb544f0561",
"reference": "2d5b3964cc21d0188633d7ddce732dc8e874db02", "reference": "475ad2dc97d65d8631393e721e7e44fb544f0561",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -4189,6 +4189,7 @@
"symfony/polyfill-php81": "^1.29" "symfony/polyfill-php81": "^1.29"
}, },
"require-dev": { "require-dev": {
"phpstan/phpstan": "^2.0",
"psr/container": "^1.0|^2.0", "psr/container": "^1.0|^2.0",
"symfony/phpunit-bridge": "^5.4.9|^6.4|^7.0" "symfony/phpunit-bridge": "^5.4.9|^6.4|^7.0"
}, },
@ -4232,7 +4233,7 @@
], ],
"support": { "support": {
"issues": "https://github.com/twigphp/Twig/issues", "issues": "https://github.com/twigphp/Twig/issues",
"source": "https://github.com/twigphp/Twig/tree/v3.15.0" "source": "https://github.com/twigphp/Twig/tree/v3.16.0"
}, },
"funding": [ "funding": [
{ {
@ -4244,7 +4245,7 @@
"type": "tidelift" "type": "tidelift"
} }
], ],
"time": "2024-11-17T15:59:19+00:00" "time": "2024-11-29T08:27:05+00:00"
}, },
{ {
"name": "vlucas/phpdotenv", "name": "vlucas/phpdotenv",
@ -6489,12 +6490,12 @@
], ],
"aliases": [], "aliases": [],
"minimum-stability": "stable", "minimum-stability": "stable",
"stability-flags": [], "stability-flags": {},
"prefer-stable": false, "prefer-stable": false,
"prefer-lowest": false, "prefer-lowest": false,
"platform": { "platform": {
"ext-pdo": "*" "ext-pdo": "*"
}, },
"platform-dev": [], "platform-dev": {},
"plugin-api-version": "2.6.0" "plugin-api-version": "2.6.0"
} }

1
app/src/Controller/User/RegisterUserAction.php
View File

@ -27,7 +27,6 @@ class RegisterUserAction extends Controller
$success = $this->userRepository->create($user); $success = $this->userRepository->create($user);
if ($success) { if ($success) {
$this->session->delete("form_key");
return $this->render('user/success.twig'); return $this->render('user/success.twig');
} else { } else {
$this->session $this->session

21
app/src/Middleware/FormKeyMiddleware.php
View File

@ -3,6 +3,7 @@
namespace Slovocast\Middleware; namespace Slovocast\Middleware;
use Odan\Session\SessionInterface; use Odan\Session\SessionInterface;
use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler; use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Psr\Http\Message\ServerRequestInterface as Request; use Psr\Http\Message\ServerRequestInterface as Request;
@ -11,15 +12,18 @@ use Ramsey\Uuid\Uuid;
class FormKeyMiddleware implements MiddlewareInterface class FormKeyMiddleware implements MiddlewareInterface
{ {
const FORM_KEY = "form_key";
public function __construct( public function __construct(
private SessionInterface $session private SessionInterface $session,
private ResponseFactoryInterface $responseFactory
) { } ) { }
public function process(Request $request, RequestHandler $handler): Response public function process(Request $request, RequestHandler $handler): Response
{ {
if (!$this->session->has("form_key")) { if (!$this->session->has(self::FORM_KEY)) {
$uuid = Uuid::uuid4(); $uuid = Uuid::uuid4();
$this->session->set("form_key", $uuid->toString()); $this->session->set(self::FORM_KEY, $uuid->toString());
} }
// check if the reuquest is a POST // check if the reuquest is a POST
@ -27,14 +31,17 @@ class FormKeyMiddleware implements MiddlewareInterface
// return a 403 if the form key does not match // return a 403 if the form key does not match
if ($request->getMethod() === "POST") { if ($request->getMethod() === "POST") {
$parsedBody = $request->getParsedBody(); $parsedBody = $request->getParsedBody();
$sessionFormKey = $this->session->get('form_key'); $sessionFormKey = $this->session->get(self::FORM_KEY);
if (isset($parsedBody['form_key'])) { if (isset($parsedBody[self::FORM_KEY])) {
if ($parsedBody['form_key'] === $sessionFormKey) { if ($parsedBody[self::FORM_KEY] === $sessionFormKey) {
$this->session->delete('form_key'); $this->session->delete(self::FORM_KEY);
return $handler->handle($request); return $handler->handle($request);
} }
} }
$response = $this->responseFactory->createResponse(403, "Invalid Form Key");
return $response;
} }
return $handler->handle($request); return $handler->handle($request);

3
app/src/Routes.php
View File

@ -11,6 +11,7 @@ use Slovocast\Controller\User\RegisterUserAction;
use Slovocast\Controller\User\LoginUserPage; use Slovocast\Controller\User\LoginUserPage;
use Slovocast\Controller\User\LoginUserAction; use Slovocast\Controller\User\LoginUserAction;
use Slovocast\Controller\User\LogoutUserAction; use Slovocast\Controller\User\LogoutUserAction;
use Slovocast\Middleware\FormKeyMiddleware;
use Slovocast\Middleware\VerifyPasswordMiddleware; use Slovocast\Middleware\VerifyPasswordMiddleware;
use Slovocast\Middleware\AuthenticatedMiddleware; use Slovocast\Middleware\AuthenticatedMiddleware;
@ -35,8 +36,10 @@ class Routes
protected static function users(App $app): void protected static function users(App $app): void
{ {
$app->get('/register', RegisterUserPage::class) $app->get('/register', RegisterUserPage::class)
->add(FormKeyMiddleware::class)
->setName('user-register-page'); ->setName('user-register-page');
$app->post('/register', RegisterUserAction::class) $app->post('/register', RegisterUserAction::class)
->add(FormKeyMiddleware::class)
->add(VerifyPasswordMiddleware::class) ->add(VerifyPasswordMiddleware::class)
->setName('user-register-action'); ->setName('user-register-action');