github-mirror/framework
github-mirror/framework
2
0
Fork 0
mirror of https://github.com/flarum/framework.git synced 2025-02-21 08:22:41 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added CSRF Extender (#2095)

Browse Source
This commit is contained in:
Alexander Skvortsov 2020-04-03 15:32:18 -04:00 committed by GitHub
parent ecdd7a2b49
commit 0d57820b50
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 193 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
src/Extend/Csrf.php Normal file
View File

@ -0,0 +1,32 @@
<?php
/*
* This file is part of Flarum.
*
* For detailed copyright and license information, please view the
* LICENSE file that was distributed with this source code.
*/
namespace Flarum\Extend;
use Flarum\Extension\Extension;
use Illuminate\Contracts\Container\Container;
class Csrf implements ExtenderInterface
{
protected $csrfExemptPaths = [];
public function exemptPath(string $path)
{
$this->csrfExemptPaths[] = $path;
return $this;
}
public function extend(Container $container, Extension $extension = null)
{
$container->extend('flarum.http.csrfExemptPaths', function ($existingExemptPaths) {
return array_merge($existingExemptPaths, $this->csrfExemptPaths);
});
}
}

2
src/Foundation/InstalledSite.php
View File

@ -21,6 +21,7 @@ use Flarum\Formatter\FormatterServiceProvider;
use Flarum\Forum\ForumServiceProvider;
use Flarum\Frontend\FrontendServiceProvider;
use Flarum\Group\GroupServiceProvider;
use Flarum\Http\HttpServiceProvider;
use Flarum\Locale\LocaleServiceProvider;
use Flarum\Mail\MailServiceProvider;
use Flarum\Notification\NotificationServiceProvider;
@ -125,6 +126,7 @@ class InstalledSite implements SiteInterface
$laravel->register(FrontendServiceProvider::class);
$laravel->register(GroupServiceProvider::class);
$laravel->register(HashServiceProvider::class);
$laravel->register(HttpServiceProvider::class);
$laravel->register(LocaleServiceProvider::class);
$laravel->register(MailServiceProvider::class);
$laravel->register(MigrationServiceProvider::class);

29
src/Http/HttpServiceProvider.php Normal file
View File

@ -0,0 +1,29 @@
<?php
/*
* This file is part of Flarum.
*
* For detailed copyright and license information, please view the
* LICENSE file that was distributed with this source code.
*/
namespace Flarum\Http;
use Flarum\Foundation\AbstractServiceProvider;
class HttpServiceProvider extends AbstractServiceProvider
{
/**
* {@inheritdoc}
*/
public function register()
{
$this->app->singleton('flarum.http.csrfExemptPaths', function () {
return ['/api/token'];
});
$this->app->bind(Middleware\CheckCsrfToken::class, function ($app) {
return new Middleware\CheckCsrfToken($app->make('flarum.http.csrfExemptPaths'));
});
}
}

14
src/Http/Middleware/CheckCsrfToken.php
View File

@ -17,8 +17,22 @@ use Psr\Http\Server\RequestHandlerInterface as Handler;
class CheckCsrfToken implements Middleware
{
protected $exemptRoutes;
public function __construct(array $exemptRoutes)
{
$this->exemptRoutes = $exemptRoutes;
}
public function process(Request $request, Handler $handler): Response
{
$path = $request->getAttribute('originalUri')->getPath();
foreach ($this->exemptRoutes as $exemptRoute) {
if (fnmatch($exemptRoute, $path)) {
return $handler->handle($request);
}
}
if (in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'])) {
return $handler->handle($request);
}

4
tests/integration/api/authentication/WithTokenTest.php
View File

@ -43,7 +43,7 @@ class WithTokenTest extends TestCase
'password' => 'too-obscure'
],
]
)->withAttribute('bypassCsrfToken', true)
)
);
$this->assertEquals(200, $response->getStatusCode());
@ -75,7 +75,7 @@ class WithTokenTest extends TestCase
'password' => 'too-incorrect'
],
]
)->withAttribute('bypassCsrfToken', true)
)
);
// HTTP 401 signals an authentication problem

114
tests/integration/extenders/CsrfTest.php Normal file
View File

@ -0,0 +1,114 @@
<?php
/*
* This file is part of Flarum.
*
* For detailed copyright and license information, please view the
* LICENSE file that was distributed with this source code.
*/
namespace Flarum\Tests\integration\extenders;
use Flarum\Extend;
use Flarum\Tests\integration\TestCase;
use Flarum\User\User;
class CsrfTest extends TestCase
{
protected $testUser = [
'username' => 'test',
'password' => 'too-obscure',
'email' => 'test@machine.local',
];
protected function prepDb()
{
$this->prepareDatabase([
'users' => [],
]);
}
/**
* @test
*/
public function create_user_post_needs_csrf_token_by_default()
{
$this->prepDb();
$response = $this->send(
$this->request('POST', '/api/users', [
'json' => [
'data' => [
'attributes' => $this->testUser
]
],
])
);
$this->assertEquals(400, $response->getStatusCode());
}
/**
* @test
*/
public function create_user_post_doesnt_need_csrf_token_if_whitelisted()
{
$this->extend(
(new Extend\Csrf)
->exemptPath('/api/users')
);
$this->prepDb();
$response = $this->send(
$this->request('POST', '/api/users', [
'json' => [
'data' => [
'attributes' => $this->testUser
]
],
])
);
$this->assertEquals(201, $response->getStatusCode());
$user = User::where('username', $this->testUser['username'])->firstOrFail();
$this->assertEquals(0, $user->is_email_confirmed);
$this->assertEquals($this->testUser['username'], $user->username);
$this->assertEquals($this->testUser['email'], $user->email);
}
/**
* @test
*/
public function post_to_unknown_route_will_cause_400_error_without_csrf_override()
{
$this->prepDb();
$response = $this->send(
$this->request('POST', '/api/fake/route/i/made/up')
);
$this->assertEquals(400, $response->getStatusCode());
}
/**
* @test
*/
public function csrf_matches_wildcards_properly()
{
$this->extend(
(new Extend\Csrf)
->exemptPath('/api/fake/*/up')
);
$this->prepDb();
$response = $this->send(
$this->request('POST', '/api/fake/route/i/made/up')
);
$this->assertEquals(404, $response->getStatusCode());
}
}