Merge pull request #58 from blitz-php/devs

feat: ajout du middleware de protection CSRF

Author: dimtrovich

src/Debug/ExceptionManager.php

@@ -11,6 +11,8 @@
 
 namespace BlitzPHP\Debug;
 
+use BlitzPHP\Exceptions\HttpException;
+use BlitzPHP\Exceptions\TokenMismatchException;
 use BlitzPHP\View\View;
 use Symfony\Component\Finder\SplFileInfo;
 use Throwable;
@@ -35,6 +37,8 @@ class ExceptionManager
     public static function registerHttpErrors(Run $debugger, array $config): Run
     {
         return $debugger->pushHandler(static function (Throwable $exception, InspectorInterface $inspector, RunInterface $run) use ($config): int {
+            $exception = self::prepareException($exception);
+
             $exception_code = $exception->getCode();
             if ($exception_code >= 400 && $exception_code < 600) {
                 $run->sendHttpCode($exception_code);
@@ -52,7 +56,7 @@ public static function registerHttpErrors(Run $debugger, array $config): Run
 
             if (in_array((string) $exception->getCode(), $files, true)) {
                 $view = new View();
-                $view->setAdapter(config('view.active_adapter', 'native'), ['view_path_locator' => $config['error_view_path']])
+                $view->setAdapter(config('view.active_adapter', 'native'), ['view_path' => $config['error_view_path']])
                     ->display((string) $exception->getCode())
                     ->setData(['message' => $exception->getMessage()])
                     ->render();
@@ -166,4 +170,16 @@ private static function setBlacklist(PrettyPageHandler $handler, array $blacklis
 
         return $handler;
     }
+
+    /**
+     * Prepare exception for rendering.
+     */
+    private static function prepareException(Throwable $e): Throwable
+    {
+        if ($e instanceof TokenMismatchException) {
+            $e = new HttpException($e->getMessage(), 419, $e);
+        }
+
+        return $e;
+    }
 }

src/Exceptions/TokenMismatchException.php

@@ -0,0 +1,16 @@
+<?php
+
+/**
+ * This file is part of Blitz PHP framework.
+ *
+ * (c) 2022 Dimitri Sitchet Tomkeu <devcode.dst@gmail.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace BlitzPHP\Exceptions;
+
+class TokenMismatchException extends FrameworkException
+{
+}

src/Middlewares/VerifyCsrfToken.php

@@ -0,0 +1,173 @@
+<?php
+
+/**
+ * This file is part of Blitz PHP framework.
+ *
+ * (c) 2022 Dimitri Sitchet Tomkeu <devcode.dst@gmail.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace BlitzPHP\Middlewares;
+
+use BlitzPHP\Contracts\Http\ResponsableInterface;
+use BlitzPHP\Contracts\Security\EncrypterInterface;
+use BlitzPHP\Exceptions\EncryptionException;
+use BlitzPHP\Exceptions\TokenMismatchException;
+use BlitzPHP\Http\Request;
+use BlitzPHP\Http\Response;
+use BlitzPHP\Session\Cookie\Cookie;
+use BlitzPHP\Session\Cookie\CookieValuePrefix;
+use BlitzPHP\Traits\Support\InteractsWithTime;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+class VerifyCsrfToken implements MiddlewareInterface
+{
+    use InteractsWithTime;
+
+    /**
+     * Les URI qui doivent être exclus de la vérification CSRF.
+     */
+    protected array $except = [];
+
+    /**
+     * Indique si le cookie XSRF-TOKEN doit être défini dans la réponse.
+     */
+    protected bool $addHttpCookie = true;
+
+    /**
+     * Constructeur
+     */
+    public function __construct(protected EncrypterInterface $encrypter)
+    {
+    }
+
+    /**
+     * {@inheritDoc}
+     *
+     * @param Request $request
+     */
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        if ($this->isReading($request) || $this->runningUnitTests() || $this->inExceptArray($request) || $this->tokensMatch($request)) {
+            return tap($handler->handle($request), function ($response) use ($request) {
+                if ($this->shouldAddXsrfTokenCookie()) {
+                    $this->addCookieToResponse($request, $response);
+                }
+            });
+        }
+
+        throw new TokenMismatchException('Erreur de jeton CSRF.');
+    }
+
+    /**
+     * Détermine si la requête HTTP utilise un verbe « read ».
+     */
+    protected function isReading(Request $request): bool
+    {
+        return in_array($request->method(), ['HEAD', 'GET', 'OPTIONS'], true);
+    }
+
+    /**
+     * Détermine si l'application exécute des tests unitaires.
+     */
+    protected function runningUnitTests(): bool
+    {
+        return is_cli() && on_test();
+    }
+
+    /**
+     * Détermine si la requête comporte un URI qui doit faire l'objet d'une vérification CSRF.
+     */
+    protected function inExceptArray(Request $request): bool
+    {
+        foreach ($this->except as $except) {
+            if ($except !== '/') {
+                $except = trim($except, '/');
+            }
+
+            if ($request->fullUrlIs($except) || $request->pathIs($except)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Détermine si les jetons CSRF de session et d'entrée correspondent.
+     */
+    protected function tokensMatch(Request $request): bool
+    {
+        $token = $this->getTokenFromRequest($request);
+
+        return is_string($request->session()->token())
+               && is_string($token)
+               && hash_equals($request->session()->token(), $token);
+    }
+
+    /**
+     * Récupère le jeton CSRF de la requête.
+     */
+    protected function getTokenFromRequest(Request $request): ?string
+    {
+        $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');
+
+        if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
+            try {
+                $token = CookieValuePrefix::remove($this->encrypter->decrypt($header));
+            } catch (EncryptionException) {
+                $token = '';
+            }
+        }
+
+        return $token;
+    }
+
+    /**
+     * Détermine si le cookie doit être ajouté à la réponse.
+     */
+    public function shouldAddXsrfTokenCookie(): bool
+    {
+        return $this->addHttpCookie;
+    }
+
+    /**
+     * Ajoute le jeton CSRF aux cookies de la réponse.
+     *
+     * @param Response $response
+     */
+    protected function addCookieToResponse(Request $request, $response): ResponseInterface
+    {
+        if ($response instanceof ResponsableInterface) {
+            $response = $response->toResponse($request);
+        }
+
+        if (! ($response instanceof Response)) {
+            return $response;
+        }
+
+        $config = config('cookie');
+
+        return $response->withCookie(Cookie::create('XSRF-TOKEN', $request->session()->token(), [
+            'expires'  => $this->availableAt(config('session.expiration')),
+            'path'     => $config['path'],
+            'domain'   => $config['domain'],
+            'secure'   => $config['secure'],
+            'httponly' => false,
+            'samesite' => $config['samesite'] ?? null,
+        ]));
+    }
+
+    /**
+     * Détermine si le contenu du cookie doit être sérialisé.
+     */
+    public static function serialized(): bool
+    {
+        return EncryptCookies::serialized('XSRF-TOKEN');
+    }
+}

src/View/Adapters/AbstractAdapter.php

@@ -50,7 +50,7 @@ abstract class AbstractAdapter implements RendererInterface
     /**
      * Instance de Locator lorsque nous devons tenter de trouver une vue qui n'est pas à l'emplacement standard.
      */
-    protected ?LocatorInterface $locator = null;
+    protected LocatorInterface $locator;
 
     /**
      * Le nom de la mise en page utilisée, le cas échéant.
@@ -70,25 +70,19 @@ abstract class AbstractAdapter implements RendererInterface
     /**
      * {@inheritDoc}
      *
-     * @param array $config Configuration actuelle de l'adapter
-     * @param bool  $debug  Devrions-nous stocker des informations sur les performances ?
+     * @param array       $config   Configuration actuelle de l'adapter
+     * @param string|null $viewPath Dossier principal dans lequel les vues doivent être cherchées
+     * @param bool        $debug    Devrions-nous stocker des informations sur les performances ?
      */
-    public function __construct(protected array $config, $viewPathLocator = null, protected bool $debug = BLITZ_DEBUG)
+    public function __construct(protected array $config, $viewPath = null, protected bool $debug = BLITZ_DEBUG)
     {
         helper('assets');
 
-        if (! empty($viewPathLocator)) {
-            if (is_string($viewPathLocator)) {
-                $this->viewPath = rtrim($viewPathLocator, '\\/ ') . DS;
-            } elseif ($viewPathLocator instanceof LocatorInterface) {
-                $this->locator = $viewPathLocator;
-            }
+        if (is_string($viewPath) && is_dir($viewPath = rtrim($viewPath, '\\/ ') . DS)) {
+            $this->viewPath = $viewPath;
         }
 
-        if (! $this->locator instanceof LocatorInterface && ! is_dir($this->viewPath)) {
-            $this->viewPath = '';
-            $this->locator  = service('locator');
-        }
+        $this->locator = service('locator');
 
         $this->ext = preg_replace('#^\.#', '', $config['extension'] ?? $this->ext);
     }
@@ -264,7 +258,7 @@ protected function getRenderedFile(?array $options, string $view, ?string $ext =
 
         $file = Helpers::ensureExt($file, $ext);
 
-        if (! is_file($file) && $this->locator instanceof LocatorInterface) {
+        if (! is_file($file)) {
             $file = $this->locator->locateFile($view, 'Views', $ext);
         }
 

src/View/Adapters/BladeAdapter.php

@@ -30,9 +30,9 @@ class BladeAdapter extends AbstractAdapter
     /**
      * {@inheritDoc}
      */
-    public function __construct(protected array $config, $viewPathLocator = null, protected bool $debug = BLITZ_DEBUG)
+    public function __construct(protected array $config, $viewPath = null, protected bool $debug = BLITZ_DEBUG)
     {
-        parent::__construct($config, $viewPathLocator, $debug);
+        parent::__construct($config, $viewPath, $debug);
 
         $this->engine = new Blade(
             $this->viewPath ?: VIEW_PATH,

src/View/Adapters/LatteAdapter.php

@@ -31,9 +31,9 @@ class LatteAdapter extends AbstractAdapter
     /**
      * {@inheritDoc}
      */
-    public function __construct(protected array $config, $viewPathLocator = null, protected bool $debug = BLITZ_DEBUG)
+    public function __construct(protected array $config, $viewPath = null, protected bool $debug = BLITZ_DEBUG)
     {
-        parent::__construct($config, $viewPathLocator, $debug);
+        parent::__construct($config, $viewPath, $debug);
 
         $this->latte = new Engine();
 

src/View/Adapters/NativeAdapter.php

@@ -78,9 +78,9 @@ class NativeAdapter extends AbstractAdapter
     /**
      * {@inheritDoc}
      */
-    public function __construct(protected array $config, $viewPathLocator = null, protected bool $debug = BLITZ_DEBUG)
+    public function __construct(protected array $config, $viewPath = null, protected bool $debug = BLITZ_DEBUG)
     {
-        parent::__construct($config, $viewPathLocator, $debug);
+        parent::__construct($config, $viewPath, $debug);
 
         $this->saveData = (bool) ($config['save_data'] ?? true);
     }
@@ -591,7 +591,7 @@ public function required(bool|string $condition): string
     /**
      * Génère un champ input caché à utiliser dans les formulaires générés manuellement.
      */
-    public function csrf(?string $id): string
+    public function csrf(?string $id = null): string
     {
         return csrf_field($id);
     }

src/View/Adapters/PlatesAdapter.php

@@ -31,9 +31,9 @@ class PlatesAdapter extends AbstractAdapter
     /**
      * {@inheritDoc}
      */
-    public function __construct(protected array $config, $viewPathLocator = null, protected bool $debug = BLITZ_DEBUG)
+    public function __construct(protected array $config, $viewPath = null, protected bool $debug = BLITZ_DEBUG)
     {
-        parent::__construct($config, $viewPathLocator, $debug);
+        parent::__construct($config, $viewPath, $debug);
 
         $this->engine = new Engine(rtrim($this->viewPath, '/\\'), $this->ext);
 

src/View/Adapters/SmartyAdapter.php

@@ -30,9 +30,9 @@ class SmartyAdapter extends AbstractAdapter
     /**
      * {@inheritDoc}
      */
-    public function __construct(protected array $config, $viewPathLocator = null, protected bool $debug = BLITZ_DEBUG)
+    public function __construct(protected array $config, $viewPath = null, protected bool $debug = BLITZ_DEBUG)
     {
-        parent::__construct($config, $viewPathLocator, $debug);
+        parent::__construct($config, $viewPath, $debug);
 
         $this->engine = new Smarty();
 

src/View/Adapters/TwigAdapter.php

@@ -33,9 +33,9 @@ class TwigAdapter extends AbstractAdapter
     /**
      * {@inheritDoc}
      */
-    public function __construct(protected array $config, $viewPathLocator = null, protected bool $debug = BLITZ_DEBUG)
+    public function __construct(protected array $config, $viewPath = null, protected bool $debug = BLITZ_DEBUG)
     {
-        parent::__construct($config, $viewPathLocator, $debug);
+        parent::__construct($config, $viewPath, $debug);
 
         $loader = new FilesystemLoader([
             $this->viewPath,