mirror of
https://github.com/slawkens/myaac.git
synced 2025-10-16 18:53:26 +02:00
CSRF Protection (#235)
* Fix alert class name * feature: csrf protection * Cosmetics * Fix token generate * Admin Panel: changelogs csrf protection * news/id route * Refactor admin newses + add csrf * Use admin.links instead * Admin panel: Pages csrf * Menus: better csrf + add success message on reset colors * Plugins csrf * Move definitions * add info function, same as note($message) * Update mailer.php * Fix new page/news links * clear_cache & maintenance csrf * Formatting * Fix news type * Fix changelog link * Add new changelog link * More info to confirm dialog * This is always true
This commit is contained in:
Slawomir Boczek
95
system/src/CsrfToken.php
Normal file
95
system/src/CsrfToken.php
Normal file
@@ -0,0 +1,95 @@
|
||||
<?php
|
||||
/**
|
||||
* CsrfToken
|
||||
*
|
||||
* @package MyAAC
|
||||
* @author Znote
|
||||
* @author Slawkens <slawkens@gmail.com>
|
||||
* @copyright 2023 MyAAC
|
||||
* @link https://my-aac.org
|
||||
*/
|
||||
|
||||
namespace MyAAC;
|
||||
|
||||
class CsrfToken
|
||||
{
|
||||
public static function generate(): void
|
||||
{
|
||||
$token = sha1(uniqid(time(), true));
|
||||
|
||||
setSession('csrf_token', $token);
|
||||
}
|
||||
|
||||
/**
|
||||
* Displays a random token to prevent CSRF attacks.
|
||||
*
|
||||
* @access public
|
||||
* @static true
|
||||
* @return void
|
||||
**/
|
||||
public static function create(): void {
|
||||
echo '<input type="hidden" name="csrf_token" value="' . self::get() . '" />';
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the active token, if there is one.
|
||||
*
|
||||
* @access public
|
||||
* @static true
|
||||
* @return mixed
|
||||
**/
|
||||
public static function get(): mixed
|
||||
{
|
||||
$token = getSession('csrf_token');
|
||||
return $token ?? false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates whether the active token is valid or not.
|
||||
*
|
||||
* @param string $post
|
||||
* @access public
|
||||
* @static true
|
||||
* @return boolean
|
||||
**/
|
||||
public static function isValid($post): bool
|
||||
{
|
||||
if (!setting('core.csrf_protection')) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Token doesn't exist yet, return false.
|
||||
if (!self::get()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return ($post == getSession('csrf_token'));
|
||||
}
|
||||
|
||||
/**
|
||||
* Destroys the active token.
|
||||
*
|
||||
* @access protected
|
||||
* @static true
|
||||
* @return void
|
||||
**/
|
||||
protected static function reset(): void {
|
||||
unsetSession('csrf_token');
|
||||
}
|
||||
|
||||
/**
|
||||
* Displays information on both the post token and the session token.
|
||||
*
|
||||
* @param string $post
|
||||
* @access public
|
||||
* @static true
|
||||
* @return void
|
||||
**/
|
||||
public static function debug($post): void
|
||||
{
|
||||
echo '<pre>', var_export([
|
||||
'post' => $post,
|
||||
'token' => self::get()
|
||||
], true), '</pre>';
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user