mirror/php-flarum
1
0
Fork 0
mirror of https://github.com/flarum/core.git synced 2025-07-18 15:21:16 +02:00
Code Issues Releases Wiki Activity

Rework sessions, remember cookies, and auth again

Browse Source 
- Use Symfony's Session component to work with sessions, instead of a custom database model. Separate the concept of access tokens from sessions once again.
- Extract common session/remember cookie logic into SessionAuthenticator and Rememberer classes.
- Extract AuthenticateUserTrait into a new AuthenticationResponseFactory class.
- Fix forgot password process.
This commit is contained in:
Toby Zerner
2015-12-05 15:11:25 +10:30
parent 3f8cdd1e7e
commit cda00550aa
34 changed files with 596 additions and 502 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
framework/core/composer.json
View File

@@ -45,6 +45,7 @@
"nikic/fast-route": "^0.6",
"dflydev/fig-cookies": "^1.0",
"symfony/console": "^2.7",
"symfony/http-foundation": "^2.7",
"symfony/yaml": "^2.7",
"symfony/translation": "^2.7",
"doctrine/dbal": "^2.5",

32
framework/core/migrations/2015_12_03_010529_drop_access_tokens_table.php
View File

@@ -1,32 +0,0 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Core\Migration;
use Flarum\Database\AbstractMigration;
use Illuminate\Database\Schema\Blueprint;
class DropAccessTokensTable extends AbstractMigration
{
public function up()
{
$this->schema->drop('access_tokens');
}
public function down()
{
$this->schema->create('access_tokens', function (Blueprint $table) {
$table->string('id', 100)->primary();
$table->integer('user_id')->unsigned();
$table->timestamp('created_at');
$table->timestamp('expires_at');
});
}
}

34
framework/core/migrations/2015_12_03_010610_create_sessions_table.php
View File

@@ -1,34 +0,0 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Core\Migration;
use Flarum\Database\AbstractMigration;
use Illuminate\Database\Schema\Blueprint;
class CreateSessionsTable extends AbstractMigration
{
public function up()
{
$this->schema->create('sessions', function (Blueprint $table) {
$table->string('id', 40)->primary();
$table->integer('user_id')->unsigned()->nullable();
$table->string('csrf_token', 40);
$table->integer('last_activity');
$table->integer('duration');
$table->dateTime('sudo_expiry_time');
});
}
public function down()
{
$this->schema->drop('sessions');
}
}

31
framework/core/migrations/2015_12_05_042721_change_access_tokens_columns.php Normal file
View File

@@ -0,0 +1,31 @@
<?php
namespace Flarum\Core\Migration;
use Flarum\Database\AbstractMigration;
use Illuminate\Database\Schema\Blueprint;
class ChangeAccessTokensColumns extends AbstractMigration
{
public function up()
{
$this->schema->table('access_tokens', function (Blueprint $table) {
$table->string('id', 40)->change();
$table->dropColumn('created_at');
$table->dropColumn('expires_at');
$table->integer('last_activity');
$table->integer('lifetime');
});
}
public function down()
{
$this->schema->table('access_tokens', function (Blueprint $table) {
$table->string('id', 100)->change();
$table->dropColumn('last_activity');
$table->dropColumn('lifetime');
$table->timestamp('created_at');
$table->timestamp('expires_at');
});
}
}

3
framework/core/src/Admin/Server.php
View File

@@ -32,8 +32,9 @@ class Server extends AbstractServer
if ($app->isUpToDate()) {
$pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\ParseJsonBody'));
$pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\AuthenticateWithCookie'));
$pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\StartSession'));
$pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\RememberFromCookie'));
$pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\AuthenticateWithSession'));
$pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\SetLocale'));
$pipe->pipe($adminPath, $app->make('Flarum\Admin\Middleware\RequireAdministrateAbility'));
$pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\DispatchRoute', ['routes' => $app->make('flarum.admin.routes')]));

13
framework/core/src/Api/Client.php
View File

@@ -12,7 +12,7 @@ namespace Flarum\Api;
use Flarum\Http\Controller\ControllerInterface;
use Flarum\Core\User;
use Flarum\Http\Session;
use Flarum\Http\AccessToken;
use Illuminate\Contracts\Container\Container;
use Exception;
use InvalidArgumentException;
@@ -44,22 +44,15 @@ class Client
* Execute the given API action class, pass the input and return its response.
*
* @param string|ControllerInterface $controller
* @param Session|User|null $session
* @param User|null $actor
* @param array $queryParams
* @param array $body
* @return \Psr\Http\Message\ResponseInterface
*/
public function send($controller, $session, array $queryParams = [], array $body = [])
public function send($controller, $actor, array $queryParams = [], array $body = [])
{
$request = ServerRequestFactory::fromGlobals(null, $queryParams, $body);
if ($session instanceof Session) {
$request = $request->withAttribute('session', $session);
$actor = $session->user;
} else {
$actor = $session;
}
$request = $request->withAttribute('actor', $actor);
if (is_string($controller)) {

11
framework/core/src/Api/Controller/TokenController.php
View File

@@ -13,7 +13,7 @@ namespace Flarum\Api\Controller;
use Flarum\Core\Exception\PermissionDeniedException;
use Flarum\Core\Repository\UserRepository;
use Flarum\Http\Controller\ControllerInterface;
use Flarum\Http\Session;
use Flarum\Http\AccessToken;
use Illuminate\Contracts\Bus\Dispatcher as BusDispatcher;
use Illuminate\Contracts\Events\Dispatcher as EventDispatcher;
use Psr\Http\Message\ServerRequestInterface;
@@ -64,13 +64,12 @@ class TokenController implements ControllerInterface
throw new PermissionDeniedException;
}
$session = $request->getAttribute('session') ?: Session::generate($user);
$session->assign($user)->regenerateId()->renew()->save();
$token = AccessToken::generate($user->id);
$token->save();
return (new JsonResponse([
'token' => $session->id,
'token' => $token->id,
'userId' => $user->id
]))
->withHeader('X-CSRF-Token', $session->csrf_token);
]));
}
}

5
framework/core/src/Api/Server.php
View File

@@ -30,9 +30,10 @@ class Server extends AbstractServer
if ($app->isInstalled() && $app->isUpToDate()) {
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\ParseJsonBody'));
$pipe->pipe($apiPath, $app->make('Flarum\Api\Middleware\FakeHttpMethods'));
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithCookie'));
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithHeader'));
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\StartSession'));
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\RememberFromCookie'));
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithSession'));
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithHeader'));
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\SetLocale'));
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\DispatchRoute', ['routes' => $app->make('flarum.api.routes')]));
$pipe->pipe($apiPath, $app->make('Flarum\Api\Middleware\HandleErrors'));

3
framework/core/src/Core/Access/AssertPermissionTrait.php
View File

@@ -10,6 +10,7 @@
namespace Flarum\Core\Access;
use DateTime;
use Flarum\Api\Exception\InvalidAccessTokenException;
use Flarum\Core\Exception\PermissionDeniedException;
use Flarum\Core\User;
@@ -74,7 +75,7 @@ trait AssertPermissionTrait
{
$session = $request->getAttribute('session');
if (! $session || ! $session->isSudo()) {
if (! $session || $session->get('sudo_expiry') < new DateTime) {
throw new InvalidAccessTokenException;
}
}

9
framework/core/src/Core/User.php
View File

@@ -31,7 +31,6 @@ use Flarum\Event\UserEmailChangeWasRequested;
use Flarum\Event\PrepareUserGroups;
use Flarum\Core\Support\ScopeVisibilityTrait;
use Flarum\Core\Support\EventGeneratorTrait;
use Flarum\Core\Exception\ValidationException;
/**
* @property int $id
@@ -135,7 +134,7 @@ class User extends AbstractModel
$user->read()->detach();
$user->groups()->detach();
$user->sessions()->delete();
$user->accessTokens()->delete();
$user->notifications()->delete();
});
@@ -654,13 +653,13 @@ class User extends AbstractModel
}
/**
* Define the relationship with the user's sessions.
* Define the relationship with the user's access tokens.
*
* @return \Illuminate\Database\Eloquent\Relations\HasMany
*/
public function sessions()
public function accessTokens()
{
return $this->hasMany('Flarum\Http\Session');
return $this->hasMany('Flarum\Http\AccessToken');
}
/**

8
framework/core/src/Event/UserLoggedIn.php
View File

@@ -11,17 +11,17 @@
namespace Flarum\Event;
use Flarum\Core\User;
use Flarum\Http\Session;
use Flarum\Http\AccessToken;
class UserLoggedIn
{
public $user;
public $session;
public $token;
public function __construct(User $user, Session $session)
public function __construct(User $user, AccessToken $token)
{
$this->user = $user;
$this->session = $session;
$this->token = $token;
}
}

113
framework/core/src/Forum/AuthenticationResponseFactory.php Normal file
View File

@@ -0,0 +1,113 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Forum;
use Flarum\Core\AuthToken;
use Flarum\Core\User;
use Flarum\Http\AccessToken;
use Flarum\Http\Rememberer;
use Flarum\Http\SessionAuthenticator;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Diactoros\Response\HtmlResponse;
class AuthenticationResponseFactory
{
/**
* @var SessionAuthenticator
*/
protected $authenticator;
/**
* @var Rememberer
*/
protected $rememberer;
/**
* AuthenticationResponseFactory constructor.
* @param SessionAuthenticator $authenticator
* @param Rememberer $rememberer
*/
public function __construct(SessionAuthenticator $authenticator, Rememberer $rememberer)
{
$this->authenticator = $authenticator;
$this->rememberer = $rememberer;
}
public function make(Request $request, array $identification, array $suggestions = [])
{
if (isset($suggestions['username'])) {
$suggestions['username'] = $this->sanitizeUsername($suggestions['username']);
}
$user = User::where($identification)->first();
$payload = $this->getPayload($identification, $suggestions, $user);
$response = $this->getResponse($payload);
if ($user) {
$session = $request->getAttribute('session');
$this->authenticator->logIn($session, $user->id);
$response = $this->rememberer->rememberUser($response, $user->id);
}
return $response;
}
/**
* @param string $username
* @return string
*/
private function sanitizeUsername($username)
{
return preg_replace('/[^a-z0-9-_]/i', '', $username);
}
/**
* @param array $payload
* @return HtmlResponse
*/
private function getResponse(array $payload)
{
$content = sprintf(
'<script>window.opener.app.authenticationComplete(%s); window.close();</script>',
json_encode($payload)
);
return new HtmlResponse($content);
}
/**
* @param array $identification
* @param array $suggestions
* @param User|null $user
* @return array
*/
private function getPayload(array $identification, array $suggestions, User $user = null)
{
// If a user with these attributes already exists, then we will log them
// in by generating an access token. Otherwise, we will generate a
// unique token for these attributes and add it to the response, along
// with the suggested account information.
if ($user) {
$payload = ['authenticated' => true];
} else {
$token = AuthToken::generate($identification);
$token->save();
$payload = array_merge($identification, $suggestions, ['token' => $token->id]);
}
return $payload;
}
}

76
framework/core/src/Forum/Controller/AuthenticateUserTrait.php
View File

@@ -1,76 +0,0 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Forum\Controller;
use Flarum\Core\User;
use Zend\Diactoros\Response\HtmlResponse;
use Flarum\Core\AuthToken;
use Psr\Http\Message\ServerRequestInterface as Request;
trait AuthenticateUserTrait
{
/**
* @var \Illuminate\Contracts\Bus\Dispatcher
*/
protected $bus;
/**
* Respond with JavaScript to inform the Flarum app about the user's
* authentication status.
*
* An array of identification attributes must be passed as the first
* argument. These are checked against existing user accounts; if a match is
* found, then the user is authenticated and logged into that account via
* cookie. The Flarum app will then simply refresh the page.
*
* If no matching account is found, then an AuthToken will be generated to
* store the identification attributes. This token, along with an optional
* array of suggestions, will be passed into the Flarum app's sign up modal.
* This results in the user not having to choose a password. When they
* complete their registration, the identification attributes will be
* set on their new user account.
*
* @param array $identification
* @param array $suggestions
* @return HtmlResponse
*/
protected function authenticate(Request $request, array $identification, array $suggestions = [])
{
$user = User::where($identification)->first();
// If a user with these attributes already exists, then we will log them
// in by generating an access token. Otherwise, we will generate a
// unique token for these attributes and add it to the response, along
// with the suggested account information.
if ($user) {
$payload = ['authenticated' => true];
} else {
$token = AuthToken::generate($identification);
$token->save();
$payload = array_merge($identification, $suggestions, ['token' => $token->id]);
}
$content = sprintf(
'<script>window.opener.app.authenticationComplete(%s); window.close();</script>',
json_encode($payload)
);
$response = new HtmlResponse($content);
if ($user) {
$session = $request->getAttribute('session');
$session->assign($user)->regenerateId()->renew()->setDuration(60 * 24 * 14)->save();
}
return $response;
}
}

12
framework/core/src/Forum/Controller/ConfirmEmailController.php
View File

@@ -14,6 +14,7 @@ use Flarum\Core\Command\ConfirmEmail;
use Flarum\Core\Exception\InvalidConfirmationTokenException;
use Flarum\Foundation\Application;
use Flarum\Http\Controller\ControllerInterface;
use Flarum\Http\SessionAuthenticator;
use Illuminate\Contracts\Bus\Dispatcher;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Diactoros\Response\HtmlResponse;
@@ -31,14 +32,21 @@ class ConfirmEmailController implements ControllerInterface
*/
protected $app;
/**
* @var SessionAuthenticator
*/
protected $authenticator;
/**
* @param Dispatcher $bus
* @param Application $app
* @param SessionAuthenticator $authenticator
*/
public function __construct(Dispatcher $bus, Application $app)
public function __construct(Dispatcher $bus, Application $app, SessionAuthenticator $authenticator)
{
$this->bus = $bus;
$this->app = $app;
$this->authenticator = $authenticator;
}
/**
@@ -58,7 +66,7 @@ class ConfirmEmailController implements ControllerInterface
}
$session = $request->getAttribute('session');
$session->assign($user)->regenerateId()->renew()->setDuration(60 * 24 * 14)->save();
$this->authenticator->logIn($session, $user->id);
return new RedirectResponse($this->app->url());
}

39
framework/core/src/Forum/Controller/LogInController.php
View File

@@ -11,10 +11,13 @@
namespace Flarum\Forum\Controller;
use Flarum\Api\Client;
use Flarum\Http\Session;
use Flarum\Api\Controller\TokenController;
use Flarum\Http\AccessToken;
use Flarum\Event\UserLoggedIn;
use Flarum\Core\Repository\UserRepository;
use Flarum\Http\Controller\ControllerInterface;
use Flarum\Http\Rememberer;
use Flarum\Http\SessionAuthenticator;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Diactoros\Response\EmptyResponse;
use Zend\Diactoros\Response\JsonResponse;
@@ -31,36 +34,52 @@ class LogInController implements ControllerInterface
*/
protected $apiClient;
/**
* @var SessionAuthenticator
*/
protected $authenticator;
/**
* @var Rememberer
*/
protected $rememberer;
/**
* @param \Flarum\Core\Repository\UserRepository $users
* @param Client $apiClient
* @param SessionAuthenticator $authenticator
* @param Rememberer $rememberer
*/
public function __construct(UserRepository $users, Client $apiClient)
public function __construct(UserRepository $users, Client $apiClient, SessionAuthenticator $authenticator, Rememberer $rememberer)
{
$this->users = $users;
$this->apiClient = $apiClient;
$this->authenticator = $authenticator;
$this->rememberer = $rememberer;
}
/**
* @param Request $request
* @param array $routeParams
* @return JsonResponse|EmptyResponse
*/
public function handle(Request $request, array $routeParams = [])
public function handle(Request $request)
{
$controller = 'Flarum\Api\Controller\TokenController';
$session = $request->getAttribute('session');
$actor = $request->getAttribute('actor');
$params = array_only($request->getParsedBody(), ['identification', 'password']);
$response = $this->apiClient->send($controller, $session, [], $params);
$response = $this->apiClient->send(TokenController::class, $actor, [], $params);
if ($response->getStatusCode() === 200) {
$data = json_decode($response->getBody());
$session = Session::find($data->token);
$session->setDuration(60 * 24 * 14)->save();
$session = $request->getAttribute('session');
$this->authenticator->logIn($session, $data->userId);
event(new UserLoggedIn($this->users->findOrFail($data->userId), $session));
$token = AccessToken::find($data->token);
event(new UserLoggedIn($this->users->findOrFail($data->userId), $token));
$response = $this->rememberer->remember($response, $token->id);
}
return $response;

36
framework/core/src/Forum/Controller/LogOutController.php
View File

@@ -10,10 +10,13 @@
namespace Flarum\Forum\Controller;
use Flarum\Core\User;
use Flarum\Event\UserLoggedOut;
use Flarum\Foundation\Application;
use Flarum\Http\Controller\ControllerInterface;
use Flarum\Http\Exception\TokenMismatchException;
use Flarum\Http\Rememberer;
use Flarum\Http\SessionAuthenticator;
use Illuminate\Contracts\Events\Dispatcher;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Diactoros\Response\RedirectResponse;
@@ -30,38 +33,55 @@ class LogOutController implements ControllerInterface
*/
protected $events;
/**
* @var SessionAuthenticator
*/
protected $authenticator;
/**
* @var Rememberer
*/
protected $rememberer;
/**
* @param Application $app
* @param Dispatcher $events
* @param SessionAuthenticator $authenticator
* @param Rememberer $rememberer
*/
public function __construct(Application $app, Dispatcher $events)
public function __construct(Application $app, Dispatcher $events, SessionAuthenticator $authenticator, Rememberer $rememberer)
{
$this->app = $app;
$this->events = $events;
$this->authenticator = $authenticator;
$this->rememberer = $rememberer;
}
/**
* @param Request $request
* @param array $routeParams
* @return \Psr\Http\Message\ResponseInterface
* @throws TokenMismatchException
*/
public function handle(Request $request, array $routeParams = [])
public function handle(Request $request)
{
$session = $request->getAttribute('session');
if ($user = $session->user) {
if (array_get($request->getQueryParams(), 'token') !== $session->csrf_token) {
$response = new RedirectResponse($this->app->url());
if ($user = User::find($session->get('user_id'))) {
if (array_get($request->getQueryParams(), 'token') !== $session->get('csrf_token')) {
throw new TokenMismatchException;
}
$session->exists = false;
$this->authenticator->logOut($session);
$user->sessions()->delete();
$user->accessTokens()->delete();
$this->events->fire(new UserLoggedOut($user));
$response = $this->rememberer->forget($response);
}
return new RedirectResponse($this->app->url());
return $response;
}
}

44
framework/core/src/Forum/Controller/RegisterController.php
View File

@@ -11,42 +11,47 @@
namespace Flarum\Forum\Controller;
use Flarum\Api\Client;
use Flarum\Core\User;
use Flarum\Http\AccessToken;
use Flarum\Http\Controller\ControllerInterface;
use Flarum\Http\Rememberer;
use Flarum\Http\SessionAuthenticator;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Diactoros\Response\EmptyResponse;
use Zend\Diactoros\Response\JsonResponse;
use Illuminate\Contracts\Bus\Dispatcher;
class RegisterController implements ControllerInterface
{
/**
* @var Dispatcher
*/
protected $bus;
/**
* @var Client
*/
protected $api;
/**
* @param Dispatcher $bus
* @param Client $api
* @var SessionAuthenticator
*/
public function __construct(Dispatcher $bus, Client $api)
protected $authenticator;
/**
* @var Rememberer
*/
protected $rememberer;
/**
* @param Client $api
* @param SessionAuthenticator $authenticator
* @param Rememberer $rememberer
*/
public function __construct(Client $api, SessionAuthenticator $authenticator, Rememberer $rememberer)
{
$this->bus = $bus;
$this->api = $api;
$this->authenticator = $authenticator;
$this->rememberer = $rememberer;
}
/**
* @param Request $request
* @param array $routeParams
*
* @return JsonResponse
*/
public function handle(Request $request, array $routeParams = [])
public function handle(Request $request)
{
$controller = 'Flarum\Api\Controller\CreateUserController';
$actor = $request->getAttribute('actor');
@@ -55,15 +60,16 @@ class RegisterController implements ControllerInterface
$response = $this->api->send($controller, $actor, [], $body);
$body = json_decode($response->getBody());
$statusCode = $response->getStatusCode();
if (isset($body->data)) {
$user = User::find($body->data->id);
$userId = $body->data->id;
$session = $request->getAttribute('session');
$session->assign($user)->regenerateId()->renew()->setDuration(60 * 24 * 14)->save();
$this->authenticator->logIn($session, $userId);
$response = $this->rememberer->rememberUser($response, $userId);
}
return new JsonResponse($body, $statusCode);
return $response;
}
}

4
framework/core/src/Forum/Controller/ResetPasswordController.php
View File

@@ -47,6 +47,8 @@ class ResetPasswordController extends AbstractHtmlController
throw new InvalidConfirmationTokenException;
}
return $this->view->make('flarum::reset')->with('token', $token->id);
return $this->view->make('flarum::reset')
->with('passwordToken', $token->id)
->with('csrfToken', $request->getAttribute('session')->get('csrf_token'));
}
}

17
framework/core/src/Forum/Controller/SavePasswordController.php
View File

@@ -14,6 +14,7 @@ use Flarum\Core\PasswordToken;
use Flarum\Core\Command\EditUser;
use Flarum\Forum\UrlGenerator;
use Flarum\Http\Controller\ControllerInterface;
use Flarum\Http\SessionAuthenticator;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Diactoros\Response\RedirectResponse;
@@ -25,11 +26,18 @@ class SavePasswordController implements ControllerInterface
protected $url;
/**
* @param UrlGenerator $url
* @var SessionAuthenticator
*/
public function __construct(UrlGenerator $url)
protected $authenticator;
/**
* @param UrlGenerator $url
* @param SessionAuthenticator $authenticator
*/
public function __construct(UrlGenerator $url, SessionAuthenticator $authenticator)
{
$this->url = $url;
$this->authenticator = $authenticator;
}
/**
@@ -40,7 +48,7 @@ class SavePasswordController implements ControllerInterface
{
$input = $request->getParsedBody();
$token = PasswordToken::findOrFail(array_get($input, 'token'));
$token = PasswordToken::findOrFail(array_get($input, 'passwordToken'));
$password = array_get($input, 'password');
$confirmation = array_get($input, 'password_confirmation');
@@ -54,6 +62,9 @@ class SavePasswordController implements ControllerInterface
$token->delete();
$session = $request->getAttribute('session');
$this->authenticator->logIn($session, $token->user->id);
return new RedirectResponse($this->url->toBase());
}
}

4
framework/core/src/Forum/Server.php
View File

@@ -32,12 +32,14 @@ class Server extends AbstractServer
if (! $app->isInstalled()) {
$app->register('Flarum\Install\InstallServiceProvider');
$pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\StartSession'));
$pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\DispatchRoute', ['routes' => $app->make('flarum.install.routes')]));
$pipe->pipe($basePath, new HandleErrors($errorDir, true));
} elseif ($app->isUpToDate() && ! $app->isDownForMaintenance()) {
$pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\ParseJsonBody'));
$pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\AuthenticateWithCookie'));
$pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\StartSession'));
$pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\RememberFromCookie'));
$pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\AuthenticateWithSession'));
$pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\SetLocale'));
$pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\DispatchRoute', ['routes' => $app->make('flarum.forum.routes')]));
$pipe->pipe($basePath, new HandleErrors($errorDir, $app->inDebugMode()));

14
framework/core/src/Http/AbstractServer.php
View File

@@ -21,6 +21,8 @@ abstract class AbstractServer extends BaseAbstractServer
{
$app = $this->getApp();
$this->collectGarbage($app);
$server = Server::createServer(
$this->getMiddleware($app),
$_SERVER,
@@ -38,4 +40,16 @@ abstract class AbstractServer extends BaseAbstractServer
* @return MiddlewareInterface
*/
abstract protected function getMiddleware(Application $app);
private function collectGarbage()
{
if ($this->hitsLottery()) {
AccessToken::whereRaw('last_activity <= ? - lifetime', [time()])->delete();
}
}
private function hitsLottery()
{
return mt_rand(1, 100) <= 2;
}
}

71
framework/core/src/Http/AccessToken.php Normal file
View File

@@ -0,0 +1,71 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http;
use Flarum\Database\AbstractModel;
/**
* @property string $id
* @property int $user_id
* @property int $last_activity
* @property int $lifetime
* @property \Flarum\Core\User|null $user
*/
class AccessToken extends AbstractModel
{
/**
* {@inheritdoc}
*/
protected $table = 'access_tokens';
/**
* Use a custom primary key for this model.
*
* @var bool
*/
public $incrementing = false;
/**
* Generate an access token for the specified user.
*
* @param int $userId
* @param int $lifetime
* @return static
*/
public static function generate($userId, $lifetime = 3600)
{
$token = new static;
$token->id = str_random(40);
$token->user_id = $userId;
$token->last_activity = time();
$token->lifetime = $lifetime;
return $token;
}
public function touch()
{
$this->last_activity = time();
return $this->save();
}
/**
* Define the relationship with the owner of this access token.
*
* @return \Illuminate\Database\Eloquent\Relations\BelongsTo
*/
public function user()
{
return $this->belongsTo('Flarum\Core\User');
}
}

2
framework/core/src/Http/Controller/ClientView.php
View File

@@ -343,7 +343,7 @@ class ClientView implements Renderable
return [
'userId' => $this->actor->id,
'csrfToken' => $session->csrf_token
'csrfToken' => $session->get('csrf_token')
];
}
}

52
framework/core/src/Http/Middleware/AuthenticateWithCookie.php
View File

@@ -1,52 +0,0 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http\Middleware;
use Flarum\Http\Exception\TokenMismatchException;
use Flarum\Http\Session;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Stratigility\MiddlewareInterface;
class AuthenticateWithCookie implements MiddlewareInterface
{
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$id = array_get($request->getCookieParams(), 'flarum_session');
if ($id) {
$session = Session::find($id);
$request = $request->withAttribute('session', $session);
if (! $this->isReading($request) && ! $this->tokensMatch($request)) {
throw new TokenMismatchException;
}
}
return $out ? $out($request, $response) : $response;
}
private function isReading(Request $request)
{
return in_array($request->getMethod(), ['HEAD', 'GET', 'OPTIONS']);
}
private function tokensMatch(Request $request)
{
$input = $request->getHeaderLine('X-CSRF-Token') ?: array_get($request->getParsedBody(), 'token');
return $request->getAttribute('session')->csrf_token === $input;
}
}

16
framework/core/src/Http/Middleware/AuthenticateWithHeader.php
View File

@@ -12,7 +12,7 @@ namespace Flarum\Http\Middleware;
use Flarum\Api\ApiKey;
use Flarum\Core\User;
use Flarum\Http\Session;
use Flarum\Http\AccessToken;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Stratigility\MiddlewareInterface;
@@ -37,13 +37,15 @@ class AuthenticateWithHeader implements MiddlewareInterface
$id = substr($parts[0], strlen($this->prefix));
if (isset($parts[1]) && ApiKey::valid($id)) {
if ($actor = $this->getUser($parts[1])) {
$request = $request->withAttribute('actor', $actor);
}
} else {
$session = Session::find($id);
$actor = $this->getUser($parts[1]);
} elseif ($token = AccessToken::find($id)) {
$token->touch();
$request = $request->withAttribute('session', $session);
$actor = $token->user;
}
if (isset($actor)) {
$request = $request->withAttribute('actor', $actor);
}
}

46
framework/core/src/Http/Middleware/AuthenticateWithSession.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http\Middleware;
use Flarum\Core\Guest;
use Flarum\Core\User;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
use Zend\Stratigility\MiddlewareInterface;
class AuthenticateWithSession implements MiddlewareInterface
{
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$session = $request->getAttribute('session');
$actor = $this->getActor($session);
$request = $request->withAttribute('actor', $actor);
return $out ? $out($request, $response) : $response;;
}
private function getActor(SessionInterface $session)
{
$actor = User::find($session->get('user_id')) ?: new Guest;
if ($actor->exists) {
$actor->updateLastSeen()->save();
}
return $actor;
}
}

40
framework/core/src/Http/Middleware/RememberFromCookie.php Normal file
View File

@@ -0,0 +1,40 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http\Middleware;
use Flarum\Http\AccessToken;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Stratigility\MiddlewareInterface;
class RememberFromCookie implements MiddlewareInterface
{
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$id = array_get($request->getCookieParams(), 'flarum_remember');
if ($id) {
$token = AccessToken::find($id);
if ($token) {
$token->touch();
$session = $request->getAttribute('session');
$session->set('user_id', $token->user_id);
}
}
return $out ? $out($request, $response) : $response;
}
}

71
framework/core/src/Http/Middleware/StartSession.php
View File

@@ -10,72 +10,57 @@
namespace Flarum\Http\Middleware;
use Dflydev\FigCookies\Cookie;
use Dflydev\FigCookies\FigResponseCookies;
use Dflydev\FigCookies\SetCookie;
use Dflydev\FigCookies\SetCookies;
use Flarum\Http\Session;
use Flarum\Core\Guest;
use Flarum\Http\WriteSessionCookieTrait;
use Illuminate\Support\Str;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
use Zend\Stratigility\MiddlewareInterface;
class StartSession implements MiddlewareInterface
{
use WriteSessionCookieTrait;
/**
* {@inheritdoc}
*/
public function __invoke(Request $request, Response $response, callable $out = null)
{
$this->collectGarbage();
$session = $this->startSession();
$session = $this->getSession($request);
$actor = $this->getActor($session);
$request = $request
->withAttribute('session', $session)
->withAttribute('actor', $actor);
$request = $request->withAttribute('session', $session);
$response = $out ? $out($request, $response) : $response;
return $this->addSessionCookieToResponse($response, $session, 'flarum_session');
}
private function getSession(Request $request)
{
$session = $request->getAttribute('session');
if (! $session) {
$session = Session::generate();
if ($session->has('csrf_token')) {
$response = $response->withHeader('X-CSRF-Token', $session->get('csrf_token'));
}
$session->extend()->save();
return $this->withSessionCookie($response, $session);
}
private function startSession()
{
$session = new Session;
$session->setName('flarum_session');
$session->start();
if (! $session->has('csrf_token')) {
$session->set('csrf_token', Str::random(40));
}
return $session;
}
private function getActor(Session $session)
private function withSessionCookie(Response $response, SessionInterface $session)
{
$actor = $session->user ?: new Guest;
if ($actor->exists) {
$actor->updateLastSeen()->save();
}
return $actor;
}
private function collectGarbage()
{
if ($this->hitsLottery()) {
Session::whereRaw('last_activity <= ? - duration * 60', [time()])->delete();
}
}
private function hitsLottery()
{
return mt_rand(1, 100) <= 1;
return FigResponseCookies::set(
$response,
SetCookie::create($session->getName(), $session->getId())
->withPath('/')
->withHttpOnly(true)
);
}
}

54
framework/core/src/Http/Rememberer.php Normal file
View File

@@ -0,0 +1,54 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http;
use Dflydev\FigCookies\FigResponseCookies;
use Dflydev\FigCookies\SetCookie;
use Psr\Http\Message\ResponseInterface;
class Rememberer
{
protected $cookieName = 'flarum_remember';
public function remember(ResponseInterface $response, $token)
{
return FigResponseCookies::set(
$response,
$this->createCookie()
->withValue($token)
->withMaxAge(14 * 24 * 60 * 60)
);
}
public function rememberUser(ResponseInterface $response, $userId)
{
$token = AccessToken::generate($userId);
$token->lifetime = 60 * 60 * 24 * 14;
$token->save();
return $this->remember($response, $token->id);
}
public function forget(ResponseInterface $response)
{
return FigResponseCookies::set(
$response,
$this->createCookie()->withMaxAge(-2628000)
);
}
private function createCookie()
{
return SetCookie::create($this->cookieName)
->withPath('/')
->withHttpOnly(true);
}
}

140
framework/core/src/Http/Session.php
View File

@@ -1,140 +0,0 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http;
use DateTime;
use Flarum\Core\User;
use Flarum\Database\AbstractModel;
use Illuminate\Support\Str;
/**
* @property string $id
* @property int $user_id
* @property int $last_activity
* @property int $duration
* @property \Carbon\Carbon $sudo_expiry_time
* @property string $csrf_token
* @property \Flarum\Core\User|null $user
*/
class Session extends AbstractModel
{
/**
* {@inheritdoc}
*/
protected $table = 'sessions';
/**
* Use a custom primary key for this model.
*
* @var bool
*/
public $incrementing = false;
/**
* {@inheritdoc}
*/
protected $dates = ['sudo_expiry_time'];
/**
* Generate a session.
*
* @param User|null $user
* @param int $duration How long before the session will expire, in minutes.
* @return static
*/
public static function generate(User $user = null, $duration = 60)
{
$session = new static;
$session->assign($user)
->regenerateId()
->renew()
->setDuration($duration);
return $session->extend();
}
/**
* Assign the session to a user.
*
* @param User|null $user
* @return $this
*/
public function assign(User $user = null)
{
$this->user_id = $user ? $user->id : null;
return $this;
}
/**
* Regenerate the session ID.
*
* @return $this
*/
public function regenerateId()
{
$this->id = sha1(uniqid('', true).Str::random(25).microtime(true));
$this->csrf_token = Str::random(40);
return $this;
}
/**
* @return $this
*/
public function extend()
{
$this->last_activity = time();
return $this;
}
/**
* @return $this
*/
public function renew()
{
$this->extend();
$this->sudo_expiry_time = time() + 30 * 60;
return $this;
}
/**
* @param int $duration How long before the session will expire, in minutes.
* @return $this
*/
public function setDuration($duration)
{
$this->duration = $duration;
return $this;
}
/**
* @return bool
*/
public function isSudo()
{
return $this->sudo_expiry_time > new DateTime;
}
/**
* Define the relationship with the owner of this access token.
*
* @return \Illuminate\Database\Eloquent\Relations\BelongsTo
*/
public function user()
{
return $this->belongsTo(User::class);
}
}

36
framework/core/src/Http/SessionAuthenticator.php Normal file
View File

@@ -0,0 +1,36 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http;
use DateTime;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
class SessionAuthenticator
{
/**
* @param SessionInterface $session
* @param int $userId
*/
public function logIn(SessionInterface $session, $userId)
{
$session->migrate();
$session->set('user_id', $userId);
$session->set('sudo_expiry', new DateTime('+30 minutes'));
}
/**
* @param SessionInterface $session
*/
public function logOut(SessionInterface $session)
{
$session->invalidate();
}
}

29
framework/core/src/Http/WriteSessionCookieTrait.php
View File

@@ -1,29 +0,0 @@
<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\Http;
use Dflydev\FigCookies\FigResponseCookies;
use Dflydev\FigCookies\SetCookie;
use Psr\Http\Message\ResponseInterface as Response;
trait WriteSessionCookieTrait
{
protected function addSessionCookieToResponse(Response $response, Session $session, $cookieName)
{
return FigResponseCookies::set(
$response,
SetCookie::create($cookieName, $session->exists ? $session->id : null)
->withMaxAge($session->exists ? $session->duration * 60 : -2628000)
->withPath('/')
->withHttpOnly(true)
);
}
}

29
framework/core/src/Install/Controller/InstallController.php
View File

@@ -12,8 +12,8 @@ namespace Flarum\Install\Controller;
use Flarum\Core\User;
use Flarum\Http\Controller\ControllerInterface;
use Flarum\Http\Session;
use Flarum\Http\WriteSessionCookieTrait;
use Flarum\Http\AccessToken;
use Flarum\Http\SessionAuthenticator;
use Psr\Http\Message\ServerRequestInterface as Request;
use Zend\Diactoros\Response\HtmlResponse;
use Zend\Diactoros\Response;
@@ -21,33 +21,34 @@ use Flarum\Install\Console\InstallCommand;
use Flarum\Install\Console\DefaultsDataProvider;
use Symfony\Component\Console\Output\StreamOutput;
use Symfony\Component\Console\Input\StringInput;
use Illuminate\Contracts\Bus\Dispatcher;
use Exception;
use DateTime;
class InstallController implements ControllerInterface
{
use WriteSessionCookieTrait;
protected $command;
/**
* @var Dispatcher
* @var SessionAuthenticator
*/
protected $bus;
protected $authenticator;
public function __construct(InstallCommand $command, Dispatcher $bus)
/**
* InstallController constructor.
* @param InstallCommand $command
* @param SessionAuthenticator $authenticator
*/
public function __construct(InstallCommand $command, SessionAuthenticator $authenticator)
{
$this->command = $command;
$this->bus = $bus;
$this->authenticator = $authenticator;
}
/**
* @param Request $request
* @param array $routeParams
* @return \Psr\Http\Message\ResponseInterface
*/
public function handle(Request $request, array $routeParams = [])
public function handle(Request $request)
{
$input = $request->getParsedBody();
@@ -88,9 +89,9 @@ class InstallController implements ControllerInterface
return new HtmlResponse($e->getMessage(), 500);
}
$session = Session::generate(User::find(1), 60 * 24 * 14);
$session->save();
$session = $request->getAttribute('session');
$this->authenticator->logIn($session, 1);
return $this->addSessionCookieToResponse(new Response($body, 200), $session, 'flarum_session');
return new Response($body);
}
}

3
framework/core/views/reset.blade.php
View File

@@ -12,7 +12,8 @@
<h1>Reset Your Password</h1>
<form class="form-horizontal" role="form" method="POST" action="{{ app('Flarum\Forum\UrlGenerator')->toRoute('savePassword') }}">
<input type="hidden" name="token" value="{{ $token }}">
<input type="hidden" name="csrfToken" value="{{ $csrfToken }}">
<input type="hidden" name="passwordToken" value="{{ $passwordToken }}">
<div class="form-group">
<label class="control-label">Password</label>