Browse Source

Move Cookie to own class (with tests)

Move Authentication to App namespace
pull/7907/head
nupplaPhil 1 year ago
parent
commit
54392fab81
No known key found for this signature in database GPG Key ID: D8365C3D36B77D90
16 changed files with 394 additions and 113 deletions
  1. +1
    -1
      include/api.php
  2. +1
    -1
      index.php
  3. +2
    -2
      mod/dfrn_poll.php
  4. +1
    -1
      mod/openid.php
  5. +2
    -2
      src/App.php
  6. +43
    -38
      src/App/Authentication.php
  7. +6
    -62
      src/Core/Session.php
  8. +2
    -0
      src/Model/User.php
  9. +159
    -0
      src/Model/User/Cookie.php
  10. +1
    -1
      src/Module/Delegation.php
  11. +1
    -1
      src/Module/Login.php
  12. +1
    -1
      src/Module/Logout.php
  13. +1
    -1
      src/Module/TwoFactor/Recovery.php
  14. +1
    -1
      src/Module/TwoFactor/Verify.php
  15. +1
    -1
      src/Network/FKOAuth1.php
  16. +171
    -0
      tests/src/Model/User/CookieTest.php

+ 1
- 1
include/api.php View File

@ -12,7 +12,7 @@ use Friendica\Content\ContactSelector;
use Friendica\Content\Feature;
use Friendica\Content\Text\BBCode;
use Friendica\Content\Text\HTML;
use Friendica\Core\Authentication;
use Friendica\App\Authentication;
use Friendica\Core\Config;
use Friendica\Core\Hook;
use Friendica\Core\L10n;


+ 1
- 1
index.php View File

@ -23,5 +23,5 @@ $a->runFrontend(
$dice->create(\Friendica\App\Module::class),
$dice->create(\Friendica\App\Router::class),
$dice->create(\Friendica\Core\Config\PConfiguration::class),
$dice->create(\Friendica\Core\Authentication::class)
$dice->create(\Friendica\App\Authentication::class)
);

+ 2
- 2
mod/dfrn_poll.php View File

@ -6,7 +6,7 @@
use Friendica\App;
use Friendica\BaseObject;
use Friendica\Core\Authentication;
use Friendica\App\Authentication;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\Logger;
@ -24,7 +24,7 @@ function dfrn_poll_init(App $a)
{
/** @var Authentication $authentication */
$authentication = BaseObject::getClass(Authentication::class);
$authentication->withSession($a, $_COOKIE);
$authentication->withSession($a);
$dfrn_id = $_GET['dfrn_id'] ?? '';
$type = ($_GET['type'] ?? '') ?: 'data';


+ 1
- 1
mod/openid.php View File

@ -5,7 +5,7 @@
use Friendica\App;
use Friendica\BaseObject;
use Friendica\Core\Authentication;
use Friendica\App\Authentication;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\Logger;


+ 2
- 2
src/App.php View File

@ -8,7 +8,7 @@ use Exception;
use Friendica\App\Arguments;
use Friendica\App\BaseURL;
use Friendica\App\Page;
use Friendica\Core\Authentication;
use Friendica\App\Authentication;
use Friendica\Core\Config\Cache\ConfigCache;
use Friendica\Core\Config\Configuration;
use Friendica\Core\Config\PConfiguration;
@ -720,7 +720,7 @@ class App
Model\Profile::openWebAuthInit($token);
}
$auth->withSession($this, $_COOKIE);
$auth->withSession($this);
if (empty($_SESSION['authenticated'])) {
header('X-Account-Management-Status: none');


src/Core/Authentication.php → src/App/Authentication.php View File


+ 6
- 62
src/Core/Session.php View File

@ -6,10 +6,12 @@
namespace Friendica\Core;
use Friendica\App;
use Friendica\BaseObject;
use Friendica\Core\Session\CacheSessionHandler;
use Friendica\Core\Session\DatabaseSessionHandler;
use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\User;
use Friendica\Util\Strings;
/**
@ -171,73 +173,15 @@ class Session
return $_SESSION['authenticated'];
}
/**
* @brief Calculate the hash that is needed for the "Friendica" cookie
*
* @param array $user Record from "user" table
*
* @return string Hashed data
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
*/
private static function getCookieHashForUser($user)
{
return hash_hmac(
"sha256",
hash_hmac("sha256", $user["password"], $user["prvkey"]),
Config::get("system", "site_prvkey")
);
}
/**
* @brief Set the "Friendica" cookie
*
* @param int $time
* @param array $user Record from "user" table
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
*/
public static function setCookie($time, $user = [])
{
if ($time != 0) {
$time = $time + time();
}
if ($user) {
$value = json_encode([
"uid" => $user["uid"],
"hash" => self::getCookieHashForUser($user),
"ip" => ($_SERVER['REMOTE_ADDR'] ?? '') ?: '0.0.0.0'
]);
} else {
$value = "";
}
setcookie("Friendica", $value, $time, "/", "", (Config::get('system', 'ssl_policy') == App\BaseURL::SSL_POLICY_FULL), true);
}
/**
* @brief Checks if the "Friendica" cookie is set
*
* @param string $hash
* @param array $user Record from "user" table
*
* @return boolean True, if the cookie is set
*
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
*/
public static function checkCookie(string $hash, array $user)
{
return hash_equals(
self::getCookieHashForUser($user),
$hash
);
}
/**
* @brief Kills the "Friendica" cookie and all session data
*/
public static function delete()
{
self::setCookie(-3600); // make sure cookie is deleted on browser close, as a security measure
/** @var User\Cookie $cookie */
$cookie = BaseObject::getClass(User\Cookie::class);
$cookie->clear();
$_SESSION = [];
session_unset();
session_destroy();
}


+ 2
- 0
src/Model/User.php View File

@ -9,12 +9,14 @@ namespace Friendica\Model;
use DivineOmega\PasswordExposed;
use Exception;
use Friendica\App;
use Friendica\Core\Config;
use Friendica\Core\Hook;
use Friendica\Core\L10n;
use Friendica\Core\Logger;
use Friendica\Core\PConfig;
use Friendica\Core\Protocol;
use Friendica\Core\Session;
use Friendica\Core\System;
use Friendica\Core\Worker;
use Friendica\Database\DBA;


+ 159
- 0
src/Model/User/Cookie.php View File

@ -0,0 +1,159 @@
<?php
namespace Friendica\Model\User;
use Friendica\App;
use Friendica\Core\Config\Configuration;
/**
* Interacting with the Friendica Cookie of a user
*/
class Cookie
{
/** @var int Default expire duration in days */
const DEFAULT_EXPIRE = 7;
/** @var string The name of the Friendica cookie */
const NAME = 'Friendica';
/** @var string The remote address of this node */
private $remoteAddr = '0.0.0.0';
/** @var bool True, if the connection is ssl enabled */
private $sslEnabled = false;
/** @var string The private key of this Friendica node */
private $sitePrivateKey;
/** @var int The default cookie lifetime */
private $lifetime = self::DEFAULT_EXPIRE * 24 * 60 * 60;
/** @var array The $_COOKIE array */
private $cookie;
public function __construct(Configuration $config, array $server = [], array $cookie = [])
{
if (!empty($server['REMOTE_ADDR'])) {
$this->remoteAddr = $server['REMOTE_ADDR'];
}
$this->sslEnabled = $config->get('system', 'ssl_policy') === App\BaseURL::SSL_POLICY_FULL;
$this->sitePrivateKey = $config->get('system', 'site_prvkey');
$authCookieDays = $config->get('system', 'auth_cookie_lifetime',
self::DEFAULT_EXPIRE);
$this->lifetime = $authCookieDays * 24 * 60 * 60;
$this->cookie = $cookie;
}
/**
* Checks if the Friendica cookie is set for a user
*
* @param string $hash The cookie hash
* @param string $password The user password
* @param string $privateKey The private Key of the user
*
* @return boolean True, if the cookie is set
*
*/
public function check(string $hash, string $password, string $privateKey)
{
return hash_equals(
$this->getHash($password, $privateKey),
$hash
);
}
/**
* Set the Friendica cookie for a user
*
* @param int $uid The user id
* @param string $password The user password
* @param string $privateKey The user private key
* @param int|null $seconds optional the seconds
*
* @return bool
*/
public function set(int $uid, string $password, string $privateKey, int $seconds = null)
{
if (!isset($seconds)) {
$seconds = $this->lifetime;
} elseif (isset($seconds) && $seconds != 0) {
$seconds = $seconds + time();
}
$value = json_encode([
'uid' => $uid,
'hash' => $this->getHash($password, $privateKey),
'ip' => $this->remoteAddr,
]);
return $this->setCookie(self::NAME, $value, $seconds,
'/', '', $this->sslEnabled, true);
}
/**
* Returns the data of the Friendicas user cookie
*
* @return mixed|null The JSON data, null if not set
*/
public function getData()
{
// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
if (isset($this->cookie[self::NAME])) {
$data = json_decode($this->cookie[self::NAME]);
if (!empty($data)) {
return $data;
}
}
return null;
}
/**
* Clears the Friendica cookie of this user after leaving the page
*/
public function clear()
{
// make sure cookie is deleted on browser close, as a security measure
return $this->setCookie(self::NAME, '', -3600,
'/', '', $this->sslEnabled, true);
}
/**
* Calculate the hash that is needed for the Friendica cookie
*
* @param string $password The user password
* @param string $privateKey The private key of the user
*
* @return string Hashed data
*/
private function getHash(string $password, string $privateKey)
{
return hash_hmac(
'sha256',
hash_hmac('sha256', $password, $privateKey),
$this->sitePrivateKey
);
}
/**
* Send a cookie - protected, internal function for test-mocking possibility
*
* @link https://php.net/manual/en/function.setcookie.php
*
* @param string $name
* @param string $value [optional]
* @param int $expire [optional]
* @param string $path [optional]
* @param string $domain [optional]
* @param bool $secure [optional]
* @param bool $httponly [optional] <p>
*
* @return bool If output exists prior to calling this function,
*
* @since 4.0
* @since 5.0
*/
protected function setCookie(string $name, string $value = null, int $expire = null,
string $path = null, string $domain = null,
bool $secure = null, bool $httponly = null)
{
return setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
}
}

+ 1
- 1
src/Module/Delegation.php View File

@ -3,7 +3,7 @@
namespace Friendica\Module;
use Friendica\BaseModule;
use Friendica\Core\Authentication;
use Friendica\App\Authentication;
use Friendica\Core\Hook;
use Friendica\Core\L10n;
use Friendica\Core\Renderer;


+ 1
- 1
src/Module/Login.php View File

@ -7,7 +7,7 @@
namespace Friendica\Module;
use Friendica\BaseModule;
use Friendica\Core\Authentication;
use Friendica\App\Authentication;
use Friendica\Core\Config;
use Friendica\Core\Hook;
use Friendica\Core\L10n;


+ 1
- 1
src/Module/Logout.php View File

@ -6,7 +6,7 @@
namespace Friendica\Module;
use Friendica\BaseModule;
use Friendica\Core\Authentication;
use Friendica\App\Authentication;
use Friendica\Core\Cache;
use Friendica\Core\Hook;
use Friendica\Core\L10n;


+ 1
- 1
src/Module/TwoFactor/Recovery.php View File

@ -3,7 +3,7 @@
namespace Friendica\Module\TwoFactor;
use Friendica\BaseModule;
use Friendica\Core\Authentication;
use Friendica\App\Authentication;
use Friendica\Core\L10n;
use Friendica\Core\Renderer;
use Friendica\Core\Session;


+ 1
- 1
src/Module/TwoFactor/Verify.php View File

@ -3,7 +3,7 @@
namespace Friendica\Module\TwoFactor;
use Friendica\BaseModule;
use Friendica\Core\Authentication;
use Friendica\App\Authentication;
use Friendica\Core\L10n;
use Friendica\Core\PConfig;
use Friendica\Core\Renderer;


+ 1
- 1
src/Network/FKOAuth1.php View File

@ -5,7 +5,7 @@
namespace Friendica\Network;
use Friendica\BaseObject;
use Friendica\Core\Authentication;
use Friendica\App\Authentication;
use Friendica\Core\Logger;
use Friendica\Core\Session;
use Friendica\Database\DBA;


+ 171
- 0
tests/src/Model/User/CookieTest.php View File

@ -0,0 +1,171 @@
<?php
namespace Friendica\Testsrc\Model\User;
use Friendica\Core\Config\Configuration;
use Friendica\Model\User\Cookie;
use Friendica\Test\DatabaseTest;
use Mockery\MockInterface;
class CookieTest extends DatabaseTest
{
/** @var MockInterface|Configuration */
private $config;
protected function setUp()
{
parent::setUp();;
$this->config = \Mockery::mock(Configuration::class);
}
public function testInstance()
{
$this->config->shouldReceive('get')->with('system', 'ssl_policy')->andReturn(1)->once();
$this->config->shouldReceive('get')->with('system', 'site_prvkey')->andReturn('1235')->once();
$this->config->shouldReceive('get')->with('system', 'auth_cookie_lifetime', Cookie::DEFAULT_EXPIRE)->andReturn('7')->once();
$cookie = new Cookie($this->config, []);
$this->assertInstanceOf(Cookie::class, $cookie);
}
public function dataGet()
{
return [
'default' => [
'cookieData' => [
Cookie::NAME => json_encode([
'uid' => -1,
'hash' => 12345,
'ip' => '127.0.0.1',
])
],
'hasValues' => true,
'uid' => -1,
'hash' => 12345,
'ip' => '127.0.0.1',
],
'missing' => [
'cookieData' => [
],
'hasValues' => false,
'uid' => null,
'hash' => null,
'ip' => null,
],
'invalid' => [
'cookieData' => [
Cookie::NAME => 'test',
],
'hasValues' => false,
'uid' => null,
'hash' => null,
'ip' => null,
],
'incomplete' => [
'cookieData' => [
Cookie::NAME => json_encode([
'uid' => -1,
'hash' => 12345,
])
],
'hasValues' => true,
'uid' => -1,
'hash' => 12345,
'ip' => null,
],
];
}
/**
* @dataProvider dataGet
*/
public function testGet(array $cookieData, bool $hasValues, $uid, $hash, $ip)
{
$this->config->shouldReceive('get')->with('system', 'ssl_policy')->andReturn(1)->once();
$this->config->shouldReceive('get')->with('system', 'site_prvkey')->andReturn('1235')->once();
$this->config->shouldReceive('get')->with('system', 'auth_cookie_lifetime', Cookie::DEFAULT_EXPIRE)->andReturn('7')->once();
$cookie = new Cookie($this->config, [], $cookieData);
$this->assertInstanceOf(Cookie::class, $cookie);
$assertData = $cookie->getData();
if (!$hasValues) {
$this->assertEmpty($assertData);
} else {
$this->assertNotEmpty($assertData);
if (isset($uid)) {
$this->assertObjectHasAttribute('uid', $assertData);
$this->assertEquals($uid, $assertData->uid);
} else {
$this->assertObjectNotHasAttribute('uid', $assertData);
}
if (isset($hash)) {
$this->assertObjectHasAttribute('hash', $assertData);
$this->assertEquals($hash, $assertData->hash);
} else {
$this->assertObjectNotHasAttribute('hash', $assertData);
}
if (isset($ip)) {
$this->assertObjectHasAttribute('ip', $assertData);
$this->assertEquals($ip, $assertData->ip);
} else {
$this->assertObjectNotHasAttribute('ip', $assertData);
}
}
}
public function dataCheck()
{
return [
'default' => [
'serverPrivateKey' => 'serverkey',
'userPrivateKey' => 'userkey',
'password' => 'test',
'assertHash' => 'e9b4eb16275a2907b5659d22905b248221d0517dde4a9d5c320b8fe051b1267b',
'assertTrue' => true,
],
'emptyUser' => [
'serverPrivateKey' => 'serverkey',
'userPrivateKey' => '',
'password' => '',
'assertHash' => '',
'assertTrue' => false,
],
'invalid' => [
'serverPrivateKey' => 'serverkey',
'userPrivateKey' => 'bla',
'password' => 'nope',
'assertHash' => 'real wrong!',
'assertTrue' => false,
]
];
}
/**
* @dataProvider dataCheck
*/
public function testCheck(string $serverPrivateKey, string $userPrivateKey, string $password, string $assertHash, bool $assertTrue)
{
$this->config->shouldReceive('get')->with('system', 'ssl_policy')->andReturn(1)->once();
$this->config->shouldReceive('get')->with('system', 'site_prvkey')->andReturn($serverPrivateKey)->once();
$this->config->shouldReceive('get')->with('system', 'auth_cookie_lifetime', Cookie::DEFAULT_EXPIRE)->andReturn('7')->once();
$cookie = new Cookie($this->config, []);
$this->assertInstanceOf(Cookie::class, $cookie);
$this->assertEquals($assertTrue, $cookie->check($assertHash, $password, $userPrivateKey));
}
public function testSet()
{
$this->markTestIncomplete('Needs mocking of setcookie() first.');
}
public function testClear()
{
$this->markTestIncomplete('Needs mocking of setcookie() first.');
}
}

Loading…
Cancel
Save