mirror/php-flarum
1
0
Fork 0
mirror of https://github.com/flarum/core.git synced 2025-07-26 11:10:41 +02:00
Code Issues Releases Wiki Activity

Rework sessions, remember cookies, and auth again

Browse Source 
- Use Symfony's Session component to work with sessions, instead of a custom database model. Separate the concept of access tokens from sessions once again.
- Extract common session/remember cookie logic into SessionAuthenticator and Rememberer classes.
- Extract AuthenticateUserTrait into a new AuthenticationResponseFactory class.
- Fix forgot password process.
This commit is contained in:
Toby Zerner
2015-12-05 15:11:25 +10:30
parent 3f8cdd1e7e
commit cda00550aa
34 changed files with 596 additions and 502 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
framework/core/src/Http/AbstractServer.php
View File

@@ -21,6 +21,8 @@ abstract class AbstractServer extends BaseAbstractServer
{
$app = $this->getApp();
$this->collectGarbage($app);
$server = Server::createServer(
$this->getMiddleware($app),
$_SERVER,
@@ -38,4 +40,16 @@ abstract class AbstractServer extends BaseAbstractServer
* @return MiddlewareInterface
*/
abstract protected function getMiddleware(Application $app);
private function collectGarbage()
{
if ($this->hitsLottery()) {
AccessToken::whereRaw('last_activity <= ? - lifetime', [time()])->delete();
}
}
private function hitsLottery()
{
return mt_rand(1, 100) <= 2;
}
}

71
framework/core/src/Http/AccessToken.php Normal file
View File

@@ -0,0 +1,71 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http;
use Flarum\Database\AbstractModel;
/**
* @property string $id
* @property int $user_id
* @property int $last_activity
* @property int $lifetime
* @property \Flarum\Core\User|null $user
*/
class AccessToken extends AbstractModel
{
/**
* {@inheritdoc}
*/
protected $table = 'access_tokens';
/**
* Use a custom primary key for this model.
*
* @var bool
*/
public $incrementing = false;
/**
* Generate an access token for the specified user.
*
* @param int $userId
* @param int $lifetime
* @return static
*/
public static function generate($userId, $lifetime = 3600)
{
$token = new static;
$token->id = str_random(40);
$token->user_id = $userId;
$token->last_activity = time();
$token->lifetime = $lifetime;
return $token;
}
public function touch()
{
$this->last_activity = time();
return $this->save();
}
/**
* Define the relationship with the owner of this access token.
*
* @return \Illuminate\Database\Eloquent\Relations\BelongsTo
*/
public function user()
{
return $this->belongsTo('Flarum\Core\User');
}
}

2
framework/core/src/Http/Controller/ClientView.php
View File

@@ -343,7 +343,7 @@ class ClientView implements Renderable
return [
'userId' => $this->actor->id,
'csrfToken' => $session->csrf_token
'csrfToken' => $session->get('csrf_token')
];
}
}

52
framework/core/src/Http/Middleware/AuthenticateWithCookie.php
View File

@@ -1,52 +0,0 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http\Middleware;
use Flarum\Http\Exception\TokenMismatchException;
use Flarum\Http\Session;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Stratigility\MiddlewareInterface;
class AuthenticateWithCookie implements MiddlewareInterface
{
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$id = array_get($request->getCookieParams(), 'flarum_session');
if ($id) {
$session = Session::find($id);
$request = $request->withAttribute('session', $session);
if (! $this->isReading($request) && ! $this->tokensMatch($request)) {
throw new TokenMismatchException;
}
}
return $out ? $out($request, $response) : $response;
}
private function isReading(Request $request)
{
return in_array($request->getMethod(), ['HEAD', 'GET', 'OPTIONS']);
}
private function tokensMatch(Request $request)
{
$input = $request->getHeaderLine('X-CSRF-Token') ?: array_get($request->getParsedBody(), 'token');
return $request->getAttribute('session')->csrf_token === $input;
}
}

16
framework/core/src/Http/Middleware/AuthenticateWithHeader.php
View File

@@ -12,7 +12,7 @@ namespace Flarum\Http\Middleware;
use Flarum\Api\ApiKey;
use Flarum\Core\User;
use Flarum\Http\Session;
use Flarum\Http\AccessToken;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Stratigility\MiddlewareInterface;
@@ -37,13 +37,15 @@ class AuthenticateWithHeader implements MiddlewareInterface
$id = substr($parts[0], strlen($this->prefix));
if (isset($parts[1]) && ApiKey::valid($id)) {
if ($actor = $this->getUser($parts[1])) {
$request = $request->withAttribute('actor', $actor);
}
} else {
$session = Session::find($id);
$actor = $this->getUser($parts[1]);
} elseif ($token = AccessToken::find($id)) {
$token->touch();
$request = $request->withAttribute('session', $session);
$actor = $token->user;
}
if (isset($actor)) {
$request = $request->withAttribute('actor', $actor);
}
}

46
framework/core/src/Http/Middleware/AuthenticateWithSession.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http\Middleware;
use Flarum\Core\Guest;
use Flarum\Core\User;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
use Zend\Stratigility\MiddlewareInterface;
class AuthenticateWithSession implements MiddlewareInterface
{
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$session = $request->getAttribute('session');
$actor = $this->getActor($session);
$request = $request->withAttribute('actor', $actor);
return $out ? $out($request, $response) : $response;;
}
private function getActor(SessionInterface $session)
{
$actor = User::find($session->get('user_id')) ?: new Guest;
if ($actor->exists) {
$actor->updateLastSeen()->save();
}
return $actor;
}
}

40
framework/core/src/Http/Middleware/RememberFromCookie.php Normal file
View File

@@ -0,0 +1,40 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http\Middleware;
use Flarum\Http\AccessToken;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Stratigility\MiddlewareInterface;
class RememberFromCookie implements MiddlewareInterface
{
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$id = array_get($request->getCookieParams(), 'flarum_remember');
if ($id) {
$token = AccessToken::find($id);
if ($token) {
$token->touch();
$session = $request->getAttribute('session');
$session->set('user_id', $token->user_id);
}
}
return $out ? $out($request, $response) : $response;
}
}

71
framework/core/src/Http/Middleware/StartSession.php
View File

@@ -10,72 +10,57 @@
namespace Flarum\Http\Middleware;
use Dflydev\FigCookies\Cookie;
use Dflydev\FigCookies\FigResponseCookies;
use Dflydev\FigCookies\SetCookie;
use Dflydev\FigCookies\SetCookies;
use Flarum\Http\Session;
use Flarum\Core\Guest;
use Flarum\Http\WriteSessionCookieTrait;
use Illuminate\Support\Str;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
use Zend\Stratigility\MiddlewareInterface;
class StartSession implements MiddlewareInterface
{
use WriteSessionCookieTrait;
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$this->collectGarbage();
$session = $this->startSession();
$session = $this->getSession($request);
$actor = $this->getActor($session);
$request = $request
->withAttribute('session', $session)
->withAttribute('actor', $actor);
$request = $request->withAttribute('session', $session);
$response = $out ? $out($request, $response) : $response;
return $this->addSessionCookieToResponse($response, $session, 'flarum_session');
}
private function getSession(Request $request)
{
$session = $request->getAttribute('session');
if (! $session) {
$session = Session::generate();
if ($session->has('csrf_token')) {
$response = $response->withHeader('X-CSRF-Token', $session->get('csrf_token'));
}
$session->extend()->save();
return $this->withSessionCookie($response, $session);
}
private function startSession()
{
$session = new Session;
$session->setName('flarum_session');
$session->start();
if (! $session->has('csrf_token')) {
$session->set('csrf_token', Str::random(40));
}
return $session;
}
private function getActor(Session $session)
private function withSessionCookie(Response $response, SessionInterface $session)
{
$actor = $session->user ?: new Guest;
if ($actor->exists) {
$actor->updateLastSeen()->save();
}
return $actor;
}
private function collectGarbage()
{
if ($this->hitsLottery()) {
Session::whereRaw('last_activity <= ? - duration * 60', [time()])->delete();
}
}
private function hitsLottery()
{
return mt_rand(1, 100) <= 1;
return FigResponseCookies::set(
$response,
SetCookie::create($session->getName(), $session->getId())
->withPath('/')
->withHttpOnly(true)
);
}
}

54
framework/core/src/Http/Rememberer.php Normal file
View File

@@ -0,0 +1,54 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http;
use Dflydev\FigCookies\FigResponseCookies;
use Dflydev\FigCookies\SetCookie;
use Psr\Http\Message\ResponseInterface;
class Rememberer
{
protected $cookieName = 'flarum_remember';
public function remember(ResponseInterface $response, $token)
{
return FigResponseCookies::set(
$response,
$this->createCookie()
->withValue($token)
->withMaxAge(14 * 24 * 60 * 60)
);
}
public function rememberUser(ResponseInterface $response, $userId)
{
$token = AccessToken::generate($userId);
$token->lifetime = 60 * 60 * 24 * 14;
$token->save();
return $this->remember($response, $token->id);
}
public function forget(ResponseInterface $response)
{
return FigResponseCookies::set(
$response,
$this->createCookie()->withMaxAge(-2628000)
);
}
private function createCookie()
{
return SetCookie::create($this->cookieName)
->withPath('/')
->withHttpOnly(true);
}
}

140
framework/core/src/Http/Session.php
View File

@@ -1,140 +0,0 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http;
use DateTime;
use Flarum\Core\User;
use Flarum\Database\AbstractModel;
use Illuminate\Support\Str;
/**
* @property string $id
* @property int $user_id
* @property int $last_activity
* @property int $duration
* @property \Carbon\Carbon $sudo_expiry_time
* @property string $csrf_token
* @property \Flarum\Core\User|null $user
*/
class Session extends AbstractModel
{
/**
* {@inheritdoc}
*/
protected $table = 'sessions';
/**
* Use a custom primary key for this model.
*
* @var bool
*/
public $incrementing = false;
/**
* {@inheritdoc}
*/
protected $dates = ['sudo_expiry_time'];
/**
* Generate a session.
*
* @param User|null $user
* @param int $duration How long before the session will expire, in minutes.
* @return static
*/
public static function generate(User $user = null, $duration = 60)
{
$session = new static;
$session->assign($user)
->regenerateId()
->renew()
->setDuration($duration);
return $session->extend();
}
/**
* Assign the session to a user.
*
* @param User|null $user
* @return $this
*/
public function assign(User $user = null)
{
$this->user_id = $user ? $user->id : null;
return $this;
}
/**
* Regenerate the session ID.
*
* @return $this
*/
public function regenerateId()
{
$this->id = sha1(uniqid('', true).Str::random(25).microtime(true));
$this->csrf_token = Str::random(40);
return $this;
}
/**
* @return $this
*/
public function extend()
{
$this->last_activity = time();
return $this;
}
/**
* @return $this
*/
public function renew()
{
$this->extend();
$this->sudo_expiry_time = time() + 30 * 60;
return $this;
}
/**
* @param int $duration How long before the session will expire, in minutes.
* @return $this
*/
public function setDuration($duration)
{
$this->duration = $duration;
return $this;
}
/**
* @return bool
*/
public function isSudo()
{
return $this->sudo_expiry_time > new DateTime;
}
/**
* Define the relationship with the owner of this access token.
*
* @return \Illuminate\Database\Eloquent\Relations\BelongsTo
*/
public function user()
{
return $this->belongsTo(User::class);
}
}

36
framework/core/src/Http/SessionAuthenticator.php Normal file
View File

@@ -0,0 +1,36 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http;
use DateTime;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
class SessionAuthenticator
{
/**
* @param SessionInterface $session
* @param int $userId
*/
public function logIn(SessionInterface $session, $userId)
{
$session->migrate();
$session->set('user_id', $userId);
$session->set('sudo_expiry', new DateTime('+30 minutes'));
}
/**
* @param SessionInterface $session
*/
public function logOut(SessionInterface $session)
{
$session->invalidate();
}
}

29
framework/core/src/Http/WriteSessionCookieTrait.php
View File

@@ -1,29 +0,0 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http;
use Dflydev\FigCookies\FigResponseCookies;
use Dflydev\FigCookies\SetCookie;
use Psr\Http\Message\ResponseInterface as Response;
trait WriteSessionCookieTrait
{
protected function addSessionCookieToResponse(Response $response, Session $session, $cookieName)
{
return FigResponseCookies::set(
$response,
SetCookie::create($cookieName, $session->exists ? $session->id : null)
->withMaxAge($session->exists ? $session->duration * 60 : -2628000)
->withPath('/')
->withHttpOnly(true)
);
}
}