Use random alphabetic string instead hex bytes for session tokens.
parent
3148da4403
commit
d2f0eebfb2
2 changed files with 18 additions and 7 deletions
@ -3,6 +3,7 @@ namespace Misuzu\Auth;
|
use InvalidArgumentException;
use RuntimeException;
use Index\XString;
use Index\Data\DbStatementCache;
use Index\Data\DbTools;
use Index\Data\IDbConnection;
@ -20,9 +21,8 @@ class Sessions {
$this->cache = new DbStatementCache($dbConn);
}
|
// would like to un-hex this but need to make sure AuthToken doesn't have an aneurysm over it
public static function generateToken(): string {
return bin2hex(random_bytes(32));
return XString::random(64);
}
|
public function countSessions(
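Review bot: The new `return XString::random(64);` in Sessions::generateToken replaces a documented CSPRNG call (`random_bytes`) with a helper whose randomness source is not visible in this section; whether it is backed by `random_int`/`random_bytes` rather than `mt_rand` is what decides if these session tokens are guessable, and nothing at the call site records that requirement now that the old comment is gone. A one-line comment above the return, `// Session secret: XString::random must stay CSPRNG-backed (random_int/random_bytes), never mt_rand.`, would pin the contract for whoever next edits either side. Going by the commit title the alphabet is letters, so 64 characters is roughly 64·log2(26) ≈ 300 bits if that is the case, above the previous 256 bits; if the alphabet turns out to be smaller, the length should be rechecked rather than assumed.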
@ -6,6 +6,13 @@ use Index\Serialisation\UriBase64;
use Misuzu\Auth\SessionInfo;
use Misuzu\Users\User;
|
/* Map of props
* u - User ID
* s - Plaintext token string
* t - Old hex token string, fallback for s
* i - Impersonation User ID
*/
|
class AuthToken {
private const EPOCH = 1682985600;
|
@ -57,12 +64,16 @@ class AuthToken {
}
|
public function getSessionToken(): string {
if(!$this->hasProperty('t'))
return '';
return bin2hex($this->getProperty('t'));
if($this->hasProperty('s'))
return $this->getProperty('s');
|
if($this->hasProperty('t'))
return bin2hex($this->getProperty('t'));
|
return '';
}
public function setSessionToken(string $token): self {
$this->setProperty('t', hex2bin($token));
$this->setProperty('s', $token);
return $this;
}
|
@ -120,7 +131,7 @@ class AuthToken {
$data = unpack('Nuser/H*token', $data);
|
$obj->props['u'] = (string)$data['user'];
$obj->props['t'] = hex2bin($data['token']);
$obj->props['s'] = $data['token'];
$obj->updateTimestamp();
} elseif($version === 2) {
$timestamp = substr($data, 0, 4);
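Review bot: The new props map in the first AuthToken hunk labels `t` as `Old hex token string`, but `t` holds raw bytes, not hex: getSessionToken in the second hunk passes it through `bin2hex()` before returning it, and the version-1 decoder used to fill it with `hex2bin($data['token'])`, so the hex form is what `s` carries. Suggest `* t - Old token as raw bytes (hex-encoded on read), fallback for s`, so nobody later compares a `t` value against a stored hex token without the conversion. Separately, setSessionToken now writes `s` but leaves any pre-existing `t` in place, so an object that is re-issued a token would keep carrying the superseded token bytes into whatever gets serialised; if the class has a way to drop a property, clearing `t` there seems worthwhile, though I cannot see such a method in these hunks. The AuthToken class continues outside the hunks shown.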