flashii/misuzu
flashii/misuzu
1
1
Fork 0
Code Issues Pull requests Releases 159 Wiki Activity Actions

Use random alphabetic string instead hex bytes for session tokens.

Browse source
This commit is contained in:
flash 2023-07-28 20:13:11 +00:00
parent 3148da4403
commit d2f0eebfb2
2 changed files with 18 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/Auth/Sessions.php
View file

@ -3,6 +3,7 @@ namespace Misuzu\Auth;
use InvalidArgumentException; use InvalidArgumentException;
use RuntimeException; use RuntimeException;
use Index\XString;
use Index\Data\DbStatementCache; use Index\Data\DbStatementCache;
use Index\Data\DbTools; use Index\Data\DbTools;
use Index\Data\IDbConnection; use Index\Data\IDbConnection;
@ -20,9 +21,8 @@ class Sessions {
$this->cache = new DbStatementCache($dbConn); $this->cache = new DbStatementCache($dbConn);
} }
// would like to un-hex this but need to make sure AuthToken doesn't have an aneurysm over it
public static function generateToken(): string { public static function generateToken(): string {
return bin2hex(random_bytes(32)); return XString::random(64);
} }
public function countSessions( public function countSessions(

19
src/AuthToken.php
View file

@ -6,6 +6,13 @@ use Index\Serialisation\UriBase64;
use Misuzu\Auth\SessionInfo; use Misuzu\Auth\SessionInfo;
use Misuzu\Users\User; use Misuzu\Users\User;
/* Map of props
* u - User ID
* s - Plaintext token string
* t - Old hex token string, fallback for s
* i - Impersonation User ID
*/
class AuthToken { class AuthToken {
private const EPOCH = 1682985600; private const EPOCH = 1682985600;
@ -57,12 +64,16 @@ class AuthToken {
} }
public function getSessionToken(): string { public function getSessionToken(): string {
if(!$this->hasProperty('t')) if($this->hasProperty('s'))
return ''; return $this->getProperty('s');
if($this->hasProperty('t'))
return bin2hex($this->getProperty('t')); return bin2hex($this->getProperty('t'));
return '';
} }
public function setSessionToken(string $token): self { public function setSessionToken(string $token): self {
$this->setProperty('t', hex2bin($token)); $this->setProperty('s', $token);
return $this; return $this;
} }
@ -120,7 +131,7 @@ class AuthToken {
$data = unpack('Nuser/H*token', $data); $data = unpack('Nuser/H*token', $data);
$obj->props['u'] = (string)$data['user']; $obj->props['u'] = (string)$data['user'];
$obj->props['t'] = hex2bin($data['token']); $obj->props['s'] = $data['token'];
$obj->updateTimestamp(); $obj->updateTimestamp();
} elseif($version === 2) { } elseif($version === 2) {
$timestamp = substr($data, 0, 4); $timestamp = substr($data, 0, 4);