Added CSRF check in weatherdata API

Dockerfile

@@ -45,6 +45,7 @@ RUN apk add --no-cache \
   php8-json \
   php8-opcache \
   php8-openssl \
+  php8-session \
   php8-xml \
   php8-zlib
 

jumpapp/api/weatherdata.php

@@ -12,6 +12,31 @@ require __DIR__ .'/../vendor/autoload.php';
 $config = new Jump\Config();
 $cache = new Jump\Cache($config);
 
+// Output header here so we can return early with a json response if there is a curl error.
+header('Content-Type: application/json; charset=utf-8');
+
+// Initialise a new session using the request object.
+$session = new \Nette\Http\Session((new \Nette\Http\RequestFactory)->fromGlobals(), new \Nette\Http\Response);
+$session->setName($config->get('sessionname'));
+$session->setExpiration($config->get('sessiontimeout'));
+
+// Get a Nette session section for CSRF data.
+$csrfsection = $session->getSection('csrf');
+
+// Has a CSRF token been set up for the session yet?
+if (!$csrfsection->offsetExists('token')){
+    http_response_code(401);
+    die(json_encode(['error' => 'Session not fully set up']));
+}
+
+// Check CSRF token saved in session against token provided via request.
+$token = isset($_GET['token']) ? $_GET['token'] : false;
+if (!$token || !hash_equals($csrfsection->get('token'), $token)) {
+    http_response_code(401);
+    die(json_encode(['error' => 'API token is incorrect or missing']));
+}
+
+// Start of variables  we want to use.
 $owmapiurlbase = 'https://api.openweathermap.org/data/2.5/weather';
 $units = $config->parse_bool($config->get('metrictemp')) ? 'metric' : 'imperial';
 
@@ -35,9 +60,6 @@ $url =  $owmapiurlbase
         .'&lon=' . $latlong[1]
         .'&appid=' . $config->get('owmapikey', false);
 
-// Output header here so we can return early with a json response if there is a curl error.
-header('Content-Type: application/json; charset=utf-8');
-
 // Use the cache to store/retrieve data, make an md5 hash of latlong so it is not possible
 // to track location history form the stored cache.
 $weatherdata = $cache->load(cachename: 'weatherdata', key: md5(json_encode($latlong)), callback: function() use ($url) {
@@ -56,10 +78,11 @@ $weatherdata = $cache->load(cachename: 'weatherdata', key: md5(json_encode($latl
     curl_close($ch);
     // If we had an error then return the error message and exit, otherwise return the API response.
     if (isset($curlerror)) {
+        http_response_code(400);
         die(json_encode(['error' => $curlerror]));
     }
     return $response;
 });
 
 // We made it here so output the API response as json.
-echo $weatherdata;
+echo $weatherdata;

jumpapp/assets/js/src/classes/Main.js

@@ -8,7 +8,8 @@ export default class Main {
     constructor() {
         this.latlong = [];
         this.storage = window.localStorage;
-        this.updatefrequency = 10000;
+        this.clockfrequency = 10000; // 10 seconds.
+        this.weatherfrequency = 300000; // 5 minutes.
         this.timezoneshift = 0;
         this.metrictemp = JUMP.metrictemp;
         // Cache some DOM elements that we will access frequently.
@@ -48,6 +49,9 @@ export default class Main {
         }
         // Retrieve weather and timezone data from Open Weather Map API.
         this.weather.fetch_owm_data(this.latlong);
+        setInterval(() => {
+            this.weather.fetch_owm_data(this.latlong);
+        }, this.weatherfrequency);
     }
 
     /**
@@ -126,7 +130,7 @@ export default class Main {
 
     set_clock() {
         this.clock.set_utc_shift(this.timezoneshift);
-        this.clock.run(this.updatefrequency);
+        this.clock.run(this.clockfrequency);
     }
 
 }

jumpapp/assets/js/src/classes/Weather.js

@@ -16,16 +16,16 @@ export default class Weather {
     fetch_owm_data(latlong) {
         // If we are provided with a latlong then the user must have cliecked on the location
         // button at some point, so let's use this in the api url...
-        let apiurl = '/api/weatherdata.php';
+        let apiurl = '/api/weatherdata.php?token=' + JUMP.token;
         if (latlong.length) {
-            apiurl += ('?lat=' + latlong[0] + '&lon=' + latlong[1]);
+            apiurl += ('&lat=' + latlong[0] + '&lon=' + latlong[1]);
         }
         // Get some data from the weather api...
         fetch(apiurl)
         .then(response => response.json())
         .then(data => {
             if (data.error) {
-                console.error('JUMP ERROR: There was a problem contacting the OWM API');
+                console.error('JUMP ERROR: There was an issue with the OWM API... ' + data.error);
                 return;
             }
             if (data.cod === 401) {

jumpapp/classes/Config.php

@@ -42,9 +42,18 @@ class Config {
         'noindex'
     ];
 
+    /**
+     * Session config params.
+     */
+    private const CONFIG_SESSION = [
+        'sessionname' => 'JUMP',
+        'sessiontimeout' => '10 minutes'
+    ];
+
     public function __construct() {
         $this->config = new \PHLAK\Config\Config(__DIR__.'/../config.php');
         $this->add_wwwroot_to_base_paths();
+        $this->add_session_config();
         if ($this->config_params_missing()) {
             throw new Exception('Config.php must always contain... '.implode(', ', self::CONFIG_PARAMS));
         }
@@ -63,6 +72,11 @@ class Config {
         }
     }
 
+    private function add_session_config(): void {
+        foreach(self::CONFIG_SESSION as $key => $value) {
+            $this->config->set($key, $value);
+        }
+    }
     /**
      * Determine if any configuration params are missing in the list loaded
      * from the config.php.

jumpapp/classes/Main.php

@@ -14,6 +14,8 @@ class Main {
 
     private Cache $cache;
     private Config $config;
+    private \Nette\Http\Request $request;
+    private \Nette\Http\Session $session;
 
     public function __construct() {
         $this->config = new Config();
@@ -27,10 +29,24 @@ class Main {
     }
 
     function init() {
+        // Create a request object based on globals so we can utilise url rewriting etc.
+        $this->request = (new \Nette\Http\RequestFactory)->fromGlobals();
+
+        // Initialise a new session using the request object.
+        $this->session = new \Nette\Http\Session($this->request, new \Nette\Http\Response);
+        $this->session->setName($this->config->get('sessionname'));
+        $this->session->setExpiration($this->config->get('sessiontimeout'));
+
+        // Get a Nette session section for CSRF data.
+        $csrfsection = $this->session->getSection('csrf');
+
+        // Create a new CSRF token within the section if one doesn't exist already.
+        if (!$csrfsection->offsetExists('token')){
+            $csrfsection->set('token', bin2hex(random_bytes(32)));
+        }
+
         // Try to match the correct route based on the HTTP request.
-        $matchedroute = $this->router->match(
-            (new \Nette\Http\RequestFactory)->fromGlobals()
-        );
+        $matchedroute = $this->router->match($this->request);
 
         // If we do not have a matched route then just serve up the home page.
         $pageclass = $matchedroute['class'] ?? 'Jump\Pages\HomePage';
@@ -38,7 +54,7 @@ class Main {
 
         // Instantiate the correct class to build the requested page, get the
         // content and return it.
-        $page = new $pageclass($this->config, $this->cache, $param ?? null);
+        $page = new $pageclass($this->config, $this->cache, $this->session, $param ?? null);
         return $page->get_output();
     }
 

jumpapp/classes/Pages/AbstractPage.php

@@ -14,7 +14,12 @@ abstract class AbstractPage {
      * @param \Jump\Cache $cache
      * @param string|null $generic param, passed from router.
      */
-    public function __construct(protected \Jump\Config $config, protected \Jump\Cache $cache, protected ?string $param = null) {
+    public function __construct(
+        protected \Jump\Config $config,
+        protected \Jump\Cache $cache,
+        protected \Nette\Http\Session $session,
+        protected ?string $param = null
+    ){
         $this->hastags = false;
         $this->mustache = new \Mustache_Engine([
             'loader' => new \Mustache_Loader_FilesystemLoader($this->config->get('templatedir')),

jumpapp/classes/Pages/HomePage.php

@@ -10,7 +10,9 @@ class HomePage extends AbstractPage {
         if (!$this->config->parse_bool($this->config->get('showgreeting'))) {
             $greeting = 'home';
         }
+        $csrfsection = $this->session->getSection('csrf');
         return $template->render([
+            'csrftoken' => $csrfsection->get('token'),
             'greeting' => $greeting,
             'noindex' => $this->config->parse_bool($this->config->get('noindex')),
             'title' => $this->config->get('sitename'),

jumpapp/classes/Pages/TagPage.php

@@ -10,7 +10,9 @@ class TagPage extends AbstractPage {
         $template = $this->mustache->loadTemplate('header');
         $greeting = $this->param;
         $title = 'Tag: '.$this->param;
+        $csrfsection = $this->session->getSection('csrf');
         return $template->render([
+            'csrftoken' => $csrfsection->get('token'),
             'greeting' => $greeting,
             'noindex' => $this->config->parse_bool($this->config->get('noindex')),
             'title' => $title,

jumpapp/composer.json

@@ -9,6 +9,7 @@
         "arthurhoaro/favicon": "~1.0",
         "nette/caching": "^3.1",
         "nette/routing": "^3.0.2",
-        "phlak/config": "^7.0"
+        "phlak/config": "^7.0",
+        "nette/http": "^3.1"
     }
 }

jumpapp/composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "content-hash": "097843a2f00f12e9786893c07a3ae8e3",
+    "content-hash": "860d4eabaa4ccb80ee0f7d501149c83d",
     "packages": [
         {
             "name": "arthurhoaro/favicon",

jumpapp/templates/header.mustache

@@ -14,6 +14,7 @@
                 owmapikey: '{{owmapikey}}',
                 metrictemp: '{{metrictemp}}',
                 ampmclock: '{{ampmclock}}',
+                token: '{{csrftoken}}'
             };
         </script>
     </head>