mirror/php-flarum
1
0
Fork 0
mirror of https://github.com/flarum/core.git synced 2025-10-14 16:34:26 +02:00
Code Issues Releases Wiki Activity

Rework sessions, remember cookies, and auth again

Browse Source 
- Use Symfony's Session component to work with sessions, instead of a custom database model. Separate the concept of access tokens from sessions once again.
- Extract common session/remember cookie logic into SessionAuthenticator and Rememberer classes.
- Extract AuthenticateUserTrait into a new AuthenticationResponseFactory class.
- Fix forgot password process.
This commit is contained in:
Toby Zerner
2015-12-05 15:11:25 +10:30
parent 1d9e7b0262
commit 387109002e
34 changed files with 596 additions and 502 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
src/Http/Middleware/AuthenticateWithCookie.php
View File

@@ -1,52 +0,0 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http\Middleware;
use Flarum\Http\Exception\TokenMismatchException;
use Flarum\Http\Session;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Stratigility\MiddlewareInterface;
class AuthenticateWithCookie implements MiddlewareInterface
{
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$id = array_get($request->getCookieParams(), 'flarum_session');
if ($id) {
$session = Session::find($id);
$request = $request->withAttribute('session', $session);
if (! $this->isReading($request) && ! $this->tokensMatch($request)) {
throw new TokenMismatchException;
}
}
return $out ? $out($request, $response) : $response;
}
private function isReading(Request $request)
{
return in_array($request->getMethod(), ['HEAD', 'GET', 'OPTIONS']);
}
private function tokensMatch(Request $request)
{
$input = $request->getHeaderLine('X-CSRF-Token') ?: array_get($request->getParsedBody(), 'token');
return $request->getAttribute('session')->csrf_token === $input;
}
}

16
src/Http/Middleware/AuthenticateWithHeader.php
View File

@@ -12,7 +12,7 @@ namespace Flarum\Http\Middleware;
use Flarum\Api\ApiKey;
use Flarum\Core\User;
use Flarum\Http\Session;
use Flarum\Http\AccessToken;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Stratigility\MiddlewareInterface;
@@ -37,13 +37,15 @@ class AuthenticateWithHeader implements MiddlewareInterface
$id = substr($parts[0], strlen($this->prefix));
if (isset($parts[1]) && ApiKey::valid($id)) {
if ($actor = $this->getUser($parts[1])) {
$request = $request->withAttribute('actor', $actor);
}
} else {
$session = Session::find($id);
$actor = $this->getUser($parts[1]);
} elseif ($token = AccessToken::find($id)) {
$token->touch();
$request = $request->withAttribute('session', $session);
$actor = $token->user;
}
if (isset($actor)) {
$request = $request->withAttribute('actor', $actor);
}
}

46
src/Http/Middleware/AuthenticateWithSession.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http\Middleware;
use Flarum\Core\Guest;
use Flarum\Core\User;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
use Zend\Stratigility\MiddlewareInterface;
class AuthenticateWithSession implements MiddlewareInterface
{
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$session = $request->getAttribute('session');
$actor = $this->getActor($session);
$request = $request->withAttribute('actor', $actor);
return $out ? $out($request, $response) : $response;;
}
private function getActor(SessionInterface $session)
{
$actor = User::find($session->get('user_id')) ?: new Guest;
if ($actor->exists) {
$actor->updateLastSeen()->save();
}
return $actor;
}
}

40
src/Http/Middleware/RememberFromCookie.php Normal file
View File

@@ -0,0 +1,40 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http\Middleware;
use Flarum\Http\AccessToken;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Stratigility\MiddlewareInterface;
class RememberFromCookie implements MiddlewareInterface
{
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$id = array_get($request->getCookieParams(), 'flarum_remember');
if ($id) {
$token = AccessToken::find($id);
if ($token) {
$token->touch();
$session = $request->getAttribute('session');
$session->set('user_id', $token->user_id);
}
}
return $out ? $out($request, $response) : $response;
}
}

71
src/Http/Middleware/StartSession.php
View File

@@ -10,72 +10,57 @@
namespace Flarum\Http\Middleware;
use Dflydev\FigCookies\Cookie;
use Dflydev\FigCookies\FigResponseCookies;
use Dflydev\FigCookies\SetCookie;
use Dflydev\FigCookies\SetCookies;
use Flarum\Http\Session;
use Flarum\Core\Guest;
use Flarum\Http\WriteSessionCookieTrait;
use Illuminate\Support\Str;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
use Zend\Stratigility\MiddlewareInterface;
class StartSession implements MiddlewareInterface
{
use WriteSessionCookieTrait;
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$this->collectGarbage();
$session = $this->startSession();
$session = $this->getSession($request);
$actor = $this->getActor($session);
$request = $request
->withAttribute('session', $session)
->withAttribute('actor', $actor);
$request = $request->withAttribute('session', $session);
$response = $out ? $out($request, $response) : $response;
return $this->addSessionCookieToResponse($response, $session, 'flarum_session');
}
private function getSession(Request $request)
{
$session = $request->getAttribute('session');
if (! $session) {
$session = Session::generate();
if ($session->has('csrf_token')) {
$response = $response->withHeader('X-CSRF-Token', $session->get('csrf_token'));
}
$session->extend()->save();
return $this->withSessionCookie($response, $session);
}
private function startSession()
{
$session = new Session;
$session->setName('flarum_session');
$session->start();
if (! $session->has('csrf_token')) {
$session->set('csrf_token', Str::random(40));
}
return $session;
}
private function getActor(Session $session)
private function withSessionCookie(Response $response, SessionInterface $session)
{
$actor = $session->user ?: new Guest;
if ($actor->exists) {
$actor->updateLastSeen()->save();
}
return $actor;
}
private function collectGarbage()
{
if ($this->hitsLottery()) {
Session::whereRaw('last_activity <= ? - duration * 60', [time()])->delete();
}
}
private function hitsLottery()
{
return mt_rand(1, 100) <= 1;
return FigResponseCookies::set(
$response,
SetCookie::create($session->getName(), $session->getId())
->withPath('/')
->withHttpOnly(true)
);
}
}