Add temp CSRF functions, for reusage.
This commit is contained in:
parent
b26ecb0d68
commit
b5f14a1ef7
4 changed files with 23 additions and 2 deletions
|
|
@ -41,7 +41,7 @@ switch ($mode) {
|
|||
}
|
||||
|
||||
// this is temporary, don't scream at me for using md5
|
||||
if (isset($_GET['s']) && md5($app->getSession()->session_key) === $_GET['s']) {
|
||||
if (isset($_GET['s']) && tmp_csrf_verify($_GET['s'])) {
|
||||
set_cookie_m('uid', '', -3600);
|
||||
set_cookie_m('sid', '', -3600);
|
||||
$app->getSession()->delete();
|
||||
|
|
|
|||
|
|
@ -127,6 +127,7 @@ class Application extends ApplicationBase
|
|||
$twig->addFunction('config', [$this->config, 'get']);
|
||||
$twig->addFunction('git_hash', [Application::class, 'gitCommitHash']);
|
||||
$twig->addFunction('git_branch', [Application::class, 'gitBranch']);
|
||||
$twig->addFunction('csrf_token', 'tmp_csrf_token');
|
||||
|
||||
$twig->var('app', $this);
|
||||
|
||||
|
|
|
|||
20
utility.php
20
utility.php
|
|
@ -130,6 +130,26 @@ function get_country_name(string $code): string
|
|||
}
|
||||
}
|
||||
|
||||
// this is temporary, don't scream at me for using md5
|
||||
// BIG TODO: make these functions not dependent on sessions so they can be used outside of those.
|
||||
function tmp_csrf_verify(string $token, ?\Misuzu\Users\Session $session = null): bool
|
||||
{
|
||||
if ($session === null) {
|
||||
$session = \Misuzu\Application::getInstance()->getSession();
|
||||
}
|
||||
|
||||
return hash_equals(tmp_csrf_token($session), $token);
|
||||
}
|
||||
|
||||
function tmp_csrf_token(?\Misuzu\Users\Session $session = null): string
|
||||
{
|
||||
if ($session === null) {
|
||||
$session = \Misuzu\Application::getInstance()->getSession();
|
||||
}
|
||||
|
||||
return md5($session->session_key);
|
||||
}
|
||||
|
||||
function is_int_ex($value, int $boundary_low, int $boundary_high): bool
|
||||
{
|
||||
return is_int($value) && $value >= $boundary_low && $value <= $boundary_high;
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@
|
|||
<p class="logout__paragraph">Press the button below to verify the logout request, otherwise click back in your browser or close this tab.</p>
|
||||
</div>
|
||||
<div class="logout__buttons">
|
||||
<a href="?m=logout&s={{ app.session.session_key|md5 }}" class="button button--logout">Logout</a>
|
||||
<a href="?m=logout&s={{ csrf_token() }}" class="button button--logout">Logout</a>
|
||||
</div>
|
||||
</div>
|
||||
{% endblock %}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue