aboutsummaryrefslogtreecommitdiffhomepage
path: root/application/security
diff options
context:
space:
mode:
authorArthurHoaro <arthur@hoa.ro>2020-08-27 10:27:34 +0200
committerGitHub <noreply@github.com>2020-08-27 10:27:34 +0200
commitaf41d5ab5d2bd3ba64d052c997bc6afa6966a63c (patch)
tree8fad2829c55f94022e359fa8914e11f80a2afc2a /application/security
parentb8e3630f2ecd142d397b1b062a346a667bb78595 (diff)
parent0c6fdbe12bbbb336348666b14b82096f24d5858b (diff)
downloadShaarli-af41d5ab5d2bd3ba64d052c997bc6afa6966a63c.tar.gz
Shaarli-af41d5ab5d2bd3ba64d052c997bc6afa6966a63c.tar.zst
Shaarli-af41d5ab5d2bd3ba64d052c997bc6afa6966a63c.zip
Merge pull request #1511 from ArthurHoaro/wip-slim-routing
Diffstat (limited to 'application/security')
-rw-r--r--application/security/CookieManager.php33
-rw-r--r--application/security/LoginManager.php16
-rw-r--r--application/security/SessionManager.php107
3 files changed, 144 insertions, 12 deletions
diff --git a/application/security/CookieManager.php b/application/security/CookieManager.php
new file mode 100644
index 00000000..cde4746e
--- /dev/null
+++ b/application/security/CookieManager.php
@@ -0,0 +1,33 @@
1<?php
2
3declare(strict_types=1);
4
5namespace Shaarli\Security;
6
7class CookieManager
8{
9 /** @var string Name of the cookie set after logging in **/
10 public const STAY_SIGNED_IN = 'shaarli_staySignedIn';
11
12 /** @var mixed $_COOKIE set by reference */
13 protected $cookies;
14
15 public function __construct(array &$cookies)
16 {
17 $this->cookies = $cookies;
18 }
19
20 public function setCookieParameter(string $key, string $value, int $expires, string $path): self
21 {
22 $this->cookies[$key] = $value;
23
24 setcookie($key, $value, $expires, $path);
25
26 return $this;
27 }
28
29 public function getCookieParameter(string $key, string $default = null): ?string
30 {
31 return $this->cookies[$key] ?? $default;
32 }
33}
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index 39ec9b2e..d74c3118 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -9,9 +9,6 @@ use Shaarli\Config\ConfigManager;
9 */ 9 */
10class LoginManager 10class LoginManager
11{ 11{
12 /** @var string Name of the cookie set after logging in **/
13 public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
14
15 /** @var array A reference to the $_GLOBALS array */ 12 /** @var array A reference to the $_GLOBALS array */
16 protected $globals = []; 13 protected $globals = [];
17 14
@@ -32,17 +29,21 @@ class LoginManager
32 29
33 /** @var string User sign-in token depending on remote IP and credentials */ 30 /** @var string User sign-in token depending on remote IP and credentials */
34 protected $staySignedInToken = ''; 31 protected $staySignedInToken = '';
32 /** @var CookieManager */
33 protected $cookieManager;
35 34
36 /** 35 /**
37 * Constructor 36 * Constructor
38 * 37 *
39 * @param ConfigManager $configManager Configuration Manager instance 38 * @param ConfigManager $configManager Configuration Manager instance
40 * @param SessionManager $sessionManager SessionManager instance 39 * @param SessionManager $sessionManager SessionManager instance
40 * @param CookieManager $cookieManager CookieManager instance
41 */ 41 */
42 public function __construct($configManager, $sessionManager) 42 public function __construct($configManager, $sessionManager, $cookieManager)
43 { 43 {
44 $this->configManager = $configManager; 44 $this->configManager = $configManager;
45 $this->sessionManager = $sessionManager; 45 $this->sessionManager = $sessionManager;
46 $this->cookieManager = $cookieManager;
46 $this->banManager = new BanManager( 47 $this->banManager = new BanManager(
47 $this->configManager->get('security.trusted_proxies', []), 48 $this->configManager->get('security.trusted_proxies', []),
48 $this->configManager->get('security.ban_after'), 49 $this->configManager->get('security.ban_after'),
@@ -86,10 +87,9 @@ class LoginManager
86 /** 87 /**
87 * Check user session state and validity (expiration) 88 * Check user session state and validity (expiration)
88 * 89 *
89 * @param array $cookie The $_COOKIE array
90 * @param string $clientIpId Client IP address identifier 90 * @param string $clientIpId Client IP address identifier
91 */ 91 */
92 public function checkLoginState($cookie, $clientIpId) 92 public function checkLoginState($clientIpId)
93 { 93 {
94 if (! $this->configManager->exists('credentials.login')) { 94 if (! $this->configManager->exists('credentials.login')) {
95 // Shaarli is not configured yet 95 // Shaarli is not configured yet
@@ -97,9 +97,7 @@ class LoginManager
97 return; 97 return;
98 } 98 }
99 99
100 if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) 100 if ($this->staySignedInToken === $this->cookieManager->getCookieParameter(CookieManager::STAY_SIGNED_IN)) {
101 && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
102 ) {
103 // The user client has a valid stay-signed-in cookie 101 // The user client has a valid stay-signed-in cookie
104 // Session information is updated with the current client information 102 // Session information is updated with the current client information
105 $this->sessionManager->storeLoginInfo($clientIpId); 103 $this->sessionManager->storeLoginInfo($clientIpId);
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php
index 994fcbe5..76b0afe8 100644
--- a/application/security/SessionManager.php
+++ b/application/security/SessionManager.php
@@ -8,6 +8,14 @@ use Shaarli\Config\ConfigManager;
8 */ 8 */
9class SessionManager 9class SessionManager
10{ 10{
11 public const KEY_LINKS_PER_PAGE = 'LINKS_PER_PAGE';
12 public const KEY_VISIBILITY = 'visibility';
13 public const KEY_UNTAGGED_ONLY = 'untaggedonly';
14
15 public const KEY_SUCCESS_MESSAGES = 'successes';
16 public const KEY_WARNING_MESSAGES = 'warnings';
17 public const KEY_ERROR_MESSAGES = 'errors';
18
11 /** @var int Session expiration timeout, in seconds */ 19 /** @var int Session expiration timeout, in seconds */
12 public static $SHORT_TIMEOUT = 3600; // 1 hour 20 public static $SHORT_TIMEOUT = 3600; // 1 hour
13 21
@@ -23,16 +31,35 @@ class SessionManager
23 /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */ 31 /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */
24 protected $staySignedIn = false; 32 protected $staySignedIn = false;
25 33
34 /** @var string */
35 protected $savePath;
36
26 /** 37 /**
27 * Constructor 38 * Constructor
28 * 39 *
29 * @param array $session The $_SESSION array (reference) 40 * @param array $session The $_SESSION array (reference)
30 * @param ConfigManager $conf ConfigManager instance 41 * @param ConfigManager $conf ConfigManager instance
42 * @param string $savePath Session save path returned by builtin function session_save_path()
31 */ 43 */
32 public function __construct(& $session, $conf) 44 public function __construct(&$session, $conf, string $savePath)
33 { 45 {
34 $this->session = &$session; 46 $this->session = &$session;
35 $this->conf = $conf; 47 $this->conf = $conf;
48 $this->savePath = $savePath;
49 }
50
51 /**
52 * Initialize XSRF token and links per page session variables.
53 */
54 public function initialize(): void
55 {
56 if (!isset($this->session['tokens'])) {
57 $this->session['tokens'] = [];
58 }
59
60 if (!isset($this->session['LINKS_PER_PAGE'])) {
61 $this->session['LINKS_PER_PAGE'] = $this->conf->get('general.links_per_page', 20);
62 }
36 } 63 }
37 64
38 /** 65 /**
@@ -202,4 +229,78 @@ class SessionManager
202 { 229 {
203 return $this->session; 230 return $this->session;
204 } 231 }
232
233 /**
234 * @param mixed $default value which will be returned if the $key is undefined
235 *
236 * @return mixed Content stored in session
237 */
238 public function getSessionParameter(string $key, $default = null)
239 {
240 return $this->session[$key] ?? $default;
241 }
242
243 /**
244 * Store a variable in user session.
245 *
246 * @param string $key Session key
247 * @param mixed $value Session value to store
248 *
249 * @return $this
250 */
251 public function setSessionParameter(string $key, $value): self
252 {
253 $this->session[$key] = $value;
254
255 return $this;
256 }
257
258 /**
259 * Store a variable in user session.
260 *
261 * @param string $key Session key
262 *
263 * @return $this
264 */
265 public function deleteSessionParameter(string $key): self
266 {
267 unset($this->session[$key]);
268
269 return $this;
270 }
271
272 public function getSavePath(): string
273 {
274 return $this->savePath;
275 }
276
277 /*
278 * Next public functions wrapping native PHP session API.
279 */
280
281 public function destroy(): bool
282 {
283 $this->session = [];
284
285 return session_destroy();
286 }
287
288 public function start(): bool
289 {
290 if (session_status() === PHP_SESSION_ACTIVE) {
291 $this->destroy();
292 }
293
294 return session_start();
295 }
296
297 public function cookieParameters(int $lifeTime, string $path, string $domain): bool
298 {
299 return session_set_cookie_params($lifeTime, $path, $domain);
300 }
301
302 public function regenerateId(bool $deleteOldSession = false): bool
303 {
304 return session_regenerate_id($deleteOldSession);
305 }
205} 306}