Rough encrypt

2021-09-02 11:23:35 -04:00
parent 65a34f5b65
commit f8f37fe6e2
15 changed files with 566 additions and 17 deletions
--- a/classes/misc/csrf.php
+++ b/classes/misc/csrf.php
@@ -0,0 +1,189 @@
+<?php
+/*
+ * Copyright (C) 2018 josh.north@point808.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace classes\misc;
+
+class csrf {
+	/**
+	 * Generates a new token
+	 * @return [object]   token
+	 */
+	protected static function setNewToken(string $page, int $expiry) {
+
+		$token = new \stdClass();
+		$token->page   = $page;
+		$token->expiry = time() + $expiry;
+		$token->sessiontoken  = base64_encode(random_bytes(32));
+		$token->cookietoken   = md5(base64_encode(random_bytes(32)));
+
+                setcookie ( self::makeCookieName($page), $token->cookietoken, [
+                    'expires' => $token->expiry,
+                    'secure' => false,
+                    'httponly' => false,
+                    'samesite' => 'Lax',
+                ]);
+
+		return $_SESSION['csrftokens'][$page] = $token;
+	}
+
+
+	/**
+	 * Returns a session token for a page
+	 * @param  [string]   page name
+	 * @return [object]   token
+	 */
+	protected static function getSessionToken(string $page) {
+
+		return !empty($_SESSION['csrftokens'][$page]) ? $_SESSION['csrftokens'][$page] : null;
+	}
+
+
+	/**
+	 * [getCookieToken description]
+	 * @param  [string]   page name
+	 * @return [string]   token string / empty string
+	 */
+	protected static function getCookieToken(string $page) : string {
+
+		$value = self::makeCookieName($page);
+
+		return !empty($_COOKIE[$value]) ? $_COOKIE[$value] : '';
+	}
+
+
+	/**
+	 * Centralised method to make the cookie name
+	 * @param  [string]   page name
+	 * @return [string]   cookie token name / empty string
+	 */
+	protected static function makeCookieName(string $page) : string {
+
+		if (empty($page)) {
+			return '';
+		}
+
+		return 'csrftoken-' . substr(md5($page), 0, 10);
+	}
+
+	/**
+	 * Confirms that the superglobal $_SESSION exists
+	 * @return [bool]  Whether the session exists or not
+	 */
+	protected static function confirmSessionStarted() : bool {
+
+		if (!isset($_SESSION)) {
+			trigger_error('Session has not been started.', E_USER_ERROR);
+			return false;
+		}
+
+		return true;
+	}
+
+	/**
+	 * Returns a page's token.
+	 * - Page name is required so that users can browse to multiple pages and allows for each
+	 *   page to have its own unique token
+	 *
+	 * @param  [string]   page name
+	 * @param  [int]      expiry time
+	 * @return [mixed]    markup to be used in the form, false on data missing
+	 */
+	public static function getInputToken(string $page, int $expiry = 1800) {
+
+		self::confirmSessionStarted();
+
+		if (empty($page)) {
+			trigger_error('Page is missing.', E_USER_ERROR);
+			return false;
+		}
+
+		$token = (self::getSessionToken($page) ?? self::setNewToken($page, $expiry));
+
+		return '<input type="hidden" id="csrftoken" name="csrftoken" value="'. $token->sessiontoken .'">';
+	}
+
+
+	/**
+	 * Verify's a request token against a session token
+	 * @param  [string]    page name
+	 * @param  [string]    token from the request
+	 * @return [bool]      whether the request submission is valid or not
+	 */
+	public static function verifyToken(string $page, $removeToken = false, $requestToken = null) : bool {
+
+		self::confirmSessionStarted();
+
+		// if the request token has not been passed, check POST
+		$requestToken = ($requestToken ?? $_POST['csrftoken'] ?? null);
+
+		if (empty($page)) {
+			trigger_error('Page alias is missing', E_USER_WARNING);
+			return false;
+		}
+		else if (empty($requestToken)) {
+			trigger_error('Token is missing', E_USER_WARNING);
+			return false;
+		}
+
+		$token = self::getSessionToken($page);
+
+		// if the time is greater than the expiry form submission window
+		if (empty($token) || time() > (int) $token->expiry) {
+			self::removeToken($page);
+			return false;
+		}
+
+		// check the hash matches the Session / Cookie
+		$sessionConfirm = hash_equals($token->sessiontoken, $requestToken);
+		$cookieConfirm  = hash_equals($token->cookietoken, self::getCookieToken($page));
+
+		// remove the token
+		if ($removeToken) {
+			self::removeToken($page);
+		}
+
+		// both session and cookie match
+		if ($sessionConfirm && $cookieConfirm) {
+			return true;
+		}
+
+		return false;
+	}
+
+
+	/**
+	 * Removes a token from the session
+	 * @param  [string] $page    page name
+	 * @return [bool]            successfully removed or not
+	 */
+	public static function removeToken(string $page) : bool {
+
+		self::confirmSessionStarted();
+
+		if (empty($page)) {
+			return false;
+		}
+
+		unset($_COOKIE[self::makeCookieName($page)], $_SESSION['csrftokens'][$page]);
+
+		return true;
+	}
+
+
+
+} // Csrf
--- a/classes/misc/date.php
+++ b/classes/misc/date.php
@@ -0,0 +1,20 @@
+<?php
+
+/* 
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+namespace classes\misc;
+
+class date {
+  
+  
+      public function getUTC () {
+        return gmdate('Y-m-d H:i:s');
+    }
+  
+  
+  
+}
--- a/classes/misc/index.php
+++ b/classes/misc/index.php
@@ -0,0 +1,26 @@
+<?php
+/*
+ * Copyright (C) 2018 josh.north@point808.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+    ini_set('session.gc_maxlifetime', 24*60*60);                                // MIN SESSION
+    ini_set('session.gc_probability', 1);                                       // GC RATES
+    ini_set('session.gc_divisor', 100);                                         // TIMES
+    ini_set('session.use_cookies', '1');
+    ini_set('session.use_only_cookies', '1');
+    ini_set('session.cookie_lifetime', '0');
+    ini_set('session.cookie_secure', '0');
+    ini_set('session.cookie_httponly', '0');
+    ini_set('session.cookie_samesite', 'Lax');
--- a/classes/misc/simple.php
+++ b/classes/misc/simple.php
@@ -0,0 +1,21 @@
+<?php
+
+/* 
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+
+namespace classes\misc;
+use App\LobbySIO\Config\Registry;
+
+class simple {
+  
+    public function getHideFooter () {
+        return Registry::HIDEFOOTER;
+    }
+
+  
+  
+}