Use random alphabetic string instead hex bytes for session tokens.
This commit is contained in:
parent
3148da4403
commit
d2f0eebfb2
2 changed files with 18 additions and 7 deletions
|
@ -3,6 +3,7 @@ namespace Misuzu\Auth;
|
||||||
|
|
||||||
use InvalidArgumentException;
|
use InvalidArgumentException;
|
||||||
use RuntimeException;
|
use RuntimeException;
|
||||||
|
use Index\XString;
|
||||||
use Index\Data\DbStatementCache;
|
use Index\Data\DbStatementCache;
|
||||||
use Index\Data\DbTools;
|
use Index\Data\DbTools;
|
||||||
use Index\Data\IDbConnection;
|
use Index\Data\IDbConnection;
|
||||||
|
@ -20,9 +21,8 @@ class Sessions {
|
||||||
$this->cache = new DbStatementCache($dbConn);
|
$this->cache = new DbStatementCache($dbConn);
|
||||||
}
|
}
|
||||||
|
|
||||||
// would like to un-hex this but need to make sure AuthToken doesn't have an aneurysm over it
|
|
||||||
public static function generateToken(): string {
|
public static function generateToken(): string {
|
||||||
return bin2hex(random_bytes(32));
|
return XString::random(64);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function countSessions(
|
public function countSessions(
|
||||||
|
|
|
@ -6,6 +6,13 @@ use Index\Serialisation\UriBase64;
|
||||||
use Misuzu\Auth\SessionInfo;
|
use Misuzu\Auth\SessionInfo;
|
||||||
use Misuzu\Users\User;
|
use Misuzu\Users\User;
|
||||||
|
|
||||||
|
/* Map of props
|
||||||
|
* u - User ID
|
||||||
|
* s - Plaintext token string
|
||||||
|
* t - Old hex token string, fallback for s
|
||||||
|
* i - Impersonation User ID
|
||||||
|
*/
|
||||||
|
|
||||||
class AuthToken {
|
class AuthToken {
|
||||||
private const EPOCH = 1682985600;
|
private const EPOCH = 1682985600;
|
||||||
|
|
||||||
|
@ -57,12 +64,16 @@ class AuthToken {
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getSessionToken(): string {
|
public function getSessionToken(): string {
|
||||||
if(!$this->hasProperty('t'))
|
if($this->hasProperty('s'))
|
||||||
return '';
|
return $this->getProperty('s');
|
||||||
return bin2hex($this->getProperty('t'));
|
|
||||||
|
if($this->hasProperty('t'))
|
||||||
|
return bin2hex($this->getProperty('t'));
|
||||||
|
|
||||||
|
return '';
|
||||||
}
|
}
|
||||||
public function setSessionToken(string $token): self {
|
public function setSessionToken(string $token): self {
|
||||||
$this->setProperty('t', hex2bin($token));
|
$this->setProperty('s', $token);
|
||||||
return $this;
|
return $this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -120,7 +131,7 @@ class AuthToken {
|
||||||
$data = unpack('Nuser/H*token', $data);
|
$data = unpack('Nuser/H*token', $data);
|
||||||
|
|
||||||
$obj->props['u'] = (string)$data['user'];
|
$obj->props['u'] = (string)$data['user'];
|
||||||
$obj->props['t'] = hex2bin($data['token']);
|
$obj->props['s'] = $data['token'];
|
||||||
$obj->updateTimestamp();
|
$obj->updateTimestamp();
|
||||||
} elseif($version === 2) {
|
} elseif($version === 2) {
|
||||||
$timestamp = substr($data, 0, 4);
|
$timestamp = substr($data, 0, 4);
|
||||||
|
|
Loading…
Reference in a new issue