Dockery/Jump
1
0
Fork 0
mirror of https://github.com/daledavies/jump.git synced 2025-11-06 05:15:51 +01:00
Code Issues Packages Projects Releases Activity

Added CSRF check in weatherdata API

Browse Source
This commit is contained in:
Dale Davies
2022-04-13 16:28:12 +01:00
parent a1b1104b5e
commit ae910173bf
13 changed files with 86 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Dockerfile
View File

@@ -45,6 +45,7 @@ RUN apk add --no-cache \
php8-json \ php8-json \
php8-opcache \ php8-opcache \
php8-openssl \ php8-openssl \
php8-session \
php8-xml \ php8-xml \
php8-zlib php8-zlib

29
jumpapp/api/weatherdata.php
View File

@@ -12,6 +12,31 @@ require __DIR__ .'/../vendor/autoload.php';
$config = new Jump\Config(); $config = new Jump\Config();
$cache = new Jump\Cache($config); $cache = new Jump\Cache($config);
// Output header here so we can return early with a json response if there is a curl error.
header('Content-Type: application/json; charset=utf-8');
// Initialise a new session using the request object.
$session = new \Nette\Http\Session((new \Nette\Http\RequestFactory)->fromGlobals(), new \Nette\Http\Response);
$session->setName($config->get('sessionname'));
$session->setExpiration($config->get('sessiontimeout'));
// Get a Nette session section for CSRF data.
$csrfsection = $session->getSection('csrf');
// Has a CSRF token been set up for the session yet?
if (!$csrfsection->offsetExists('token')){
http_response_code(401);
die(json_encode(['error' => 'Session not fully set up']));
}
// Check CSRF token saved in session against token provided via request.
$token = isset($_GET['token']) ? $_GET['token'] : false;
if (!$token || !hash_equals($csrfsection->get('token'), $token)) {
http_response_code(401);
die(json_encode(['error' => 'API token is incorrect or missing']));
}
// Start of variables we want to use.
$owmapiurlbase = 'https://api.openweathermap.org/data/2.5/weather'; $owmapiurlbase = 'https://api.openweathermap.org/data/2.5/weather';
$units = $config->parse_bool($config->get('metrictemp')) ? 'metric' : 'imperial'; $units = $config->parse_bool($config->get('metrictemp')) ? 'metric' : 'imperial';
@@ -35,9 +60,6 @@ $url = $owmapiurlbase
.'&lon=' . $latlong[1] .'&lon=' . $latlong[1]
.'&appid=' . $config->get('owmapikey', false); .'&appid=' . $config->get('owmapikey', false);
// Output header here so we can return early with a json response if there is a curl error.
header('Content-Type: application/json; charset=utf-8');
// Use the cache to store/retrieve data, make an md5 hash of latlong so it is not possible // Use the cache to store/retrieve data, make an md5 hash of latlong so it is not possible
// to track location history form the stored cache. // to track location history form the stored cache.
$weatherdata = $cache->load(cachename: 'weatherdata', key: md5(json_encode($latlong)), callback: function() use ($url) { $weatherdata = $cache->load(cachename: 'weatherdata', key: md5(json_encode($latlong)), callback: function() use ($url) {
@@ -56,6 +78,7 @@ $weatherdata = $cache->load(cachename: 'weatherdata', key: md5(json_encode($latl
curl_close($ch); curl_close($ch);
// If we had an error then return the error message and exit, otherwise return the API response. // If we had an error then return the error message and exit, otherwise return the API response.
if (isset($curlerror)) { if (isset($curlerror)) {
http_response_code(400);
die(json_encode(['error' => $curlerror])); die(json_encode(['error' => $curlerror]));
} }
return $response; return $response;

2
jumpapp/assets/js/index.bundle.js
View File

File diff suppressed because one or more lines are too long

8
jumpapp/assets/js/src/classes/Main.js
View File

@@ -8,7 +8,8 @@ export default class Main {
constructor() { constructor() {
this.latlong = []; this.latlong = [];
this.storage = window.localStorage; this.storage = window.localStorage;
this.updatefrequency = 10000; this.clockfrequency = 10000; // 10 seconds.
this.weatherfrequency = 300000; // 5 minutes.
this.timezoneshift = 0; this.timezoneshift = 0;
this.metrictemp = JUMP.metrictemp; this.metrictemp = JUMP.metrictemp;
// Cache some DOM elements that we will access frequently. // Cache some DOM elements that we will access frequently.
@@ -48,6 +49,9 @@ export default class Main {
} }
// Retrieve weather and timezone data from Open Weather Map API. // Retrieve weather and timezone data from Open Weather Map API.
this.weather.fetch_owm_data(this.latlong); this.weather.fetch_owm_data(this.latlong);
setInterval(() => {
this.weather.fetch_owm_data(this.latlong);
}, this.weatherfrequency);
} }
/** /**
@@ -126,7 +130,7 @@ export default class Main {
set_clock() { set_clock() {
this.clock.set_utc_shift(this.timezoneshift); this.clock.set_utc_shift(this.timezoneshift);
this.clock.run(this.updatefrequency); this.clock.run(this.clockfrequency);
} }
} }

6
jumpapp/assets/js/src/classes/Weather.js
View File

@@ -16,16 +16,16 @@ export default class Weather {
fetch_owm_data(latlong) { fetch_owm_data(latlong) {
// If we are provided with a latlong then the user must have cliecked on the location // If we are provided with a latlong then the user must have cliecked on the location
// button at some point, so let's use this in the api url... // button at some point, so let's use this in the api url...
let apiurl = '/api/weatherdata.php'; let apiurl = '/api/weatherdata.php?token=' + JUMP.token;
if (latlong.length) { if (latlong.length) {
apiurl += ('?lat=' + latlong[0] + '&lon=' + latlong[1]); apiurl += ('&lat=' + latlong[0] + '&lon=' + latlong[1]);
} }
// Get some data from the weather api... // Get some data from the weather api...
fetch(apiurl) fetch(apiurl)
.then(response => response.json()) .then(response => response.json())
.then(data => { .then(data => {
if (data.error) { if (data.error) {
console.error('JUMP ERROR: There was a problem contacting the OWM API'); console.error('JUMP ERROR: There was an issue with the OWM API... ' + data.error);
return; return;
} }
if (data.cod === 401) { if (data.cod === 401) {

14
jumpapp/classes/Config.php
View File

@@ -42,9 +42,18 @@ class Config {
'noindex' 'noindex'
]; ];
/**
* Session config params.
*/
private const CONFIG_SESSION = [
'sessionname' => 'JUMP',
'sessiontimeout' => '10 minutes'
];
public function __construct() { public function __construct() {
$this->config = new \PHLAK\Config\Config(__DIR__.'/../config.php'); $this->config = new \PHLAK\Config\Config(__DIR__.'/../config.php');
$this->add_wwwroot_to_base_paths(); $this->add_wwwroot_to_base_paths();
$this->add_session_config();
if ($this->config_params_missing()) { if ($this->config_params_missing()) {
throw new Exception('Config.php must always contain... '.implode(', ', self::CONFIG_PARAMS)); throw new Exception('Config.php must always contain... '.implode(', ', self::CONFIG_PARAMS));
} }
@@ -63,6 +72,11 @@ class Config {
} }
} }
private function add_session_config(): void {
foreach(self::CONFIG_SESSION as $key => $value) {
$this->config->set($key, $value);
}
}
/** /**
* Determine if any configuration params are missing in the list loaded * Determine if any configuration params are missing in the list loaded
* from the config.php. * from the config.php.

24
jumpapp/classes/Main.php
View File

@@ -14,6 +14,8 @@ class Main {
private Cache $cache; private Cache $cache;
private Config $config; private Config $config;
private \Nette\Http\Request $request;
private \Nette\Http\Session $session;
public function __construct() { public function __construct() {
$this->config = new Config(); $this->config = new Config();
@@ -27,10 +29,24 @@ class Main {
} }
function init() { function init() {
// Create a request object based on globals so we can utilise url rewriting etc.
$this->request = (new \Nette\Http\RequestFactory)->fromGlobals();
// Initialise a new session using the request object.
$this->session = new \Nette\Http\Session($this->request, new \Nette\Http\Response);
$this->session->setName($this->config->get('sessionname'));
$this->session->setExpiration($this->config->get('sessiontimeout'));
// Get a Nette session section for CSRF data.
$csrfsection = $this->session->getSection('csrf');
// Create a new CSRF token within the section if one doesn't exist already.
if (!$csrfsection->offsetExists('token')){
$csrfsection->set('token', bin2hex(random_bytes(32)));
}
// Try to match the correct route based on the HTTP request. // Try to match the correct route based on the HTTP request.
$matchedroute = $this->router->match( $matchedroute = $this->router->match($this->request);
(new \Nette\Http\RequestFactory)->fromGlobals()
);
// If we do not have a matched route then just serve up the home page. // If we do not have a matched route then just serve up the home page.
$pageclass = $matchedroute['class'] ?? 'Jump\Pages\HomePage'; $pageclass = $matchedroute['class'] ?? 'Jump\Pages\HomePage';
@@ -38,7 +54,7 @@ class Main {
// Instantiate the correct class to build the requested page, get the // Instantiate the correct class to build the requested page, get the
// content and return it. // content and return it.
$page = new $pageclass($this->config, $this->cache, $param ?? null); $page = new $pageclass($this->config, $this->cache, $this->session, $param ?? null);
return $page->get_output(); return $page->get_output();
} }

7
jumpapp/classes/Pages/AbstractPage.php
View File

@@ -14,7 +14,12 @@ abstract class AbstractPage {
* @param \Jump\Cache $cache * @param \Jump\Cache $cache
* @param string|null $generic param, passed from router. * @param string|null $generic param, passed from router.
*/ */
public function __construct(protected \Jump\Config $config, protected \Jump\Cache $cache, protected ?string $param = null) { public function __construct(
protected \Jump\Config $config,
protected \Jump\Cache $cache,
protected \Nette\Http\Session $session,
protected ?string $param = null
){
$this->hastags = false; $this->hastags = false;
$this->mustache = new \Mustache_Engine([ $this->mustache = new \Mustache_Engine([
'loader' => new \Mustache_Loader_FilesystemLoader($this->config->get('templatedir')), 'loader' => new \Mustache_Loader_FilesystemLoader($this->config->get('templatedir')),

2
jumpapp/classes/Pages/HomePage.php
View File

@@ -10,7 +10,9 @@ class HomePage extends AbstractPage {
if (!$this->config->parse_bool($this->config->get('showgreeting'))) { if (!$this->config->parse_bool($this->config->get('showgreeting'))) {
$greeting = 'home'; $greeting = 'home';
} }
$csrfsection = $this->session->getSection('csrf');
return $template->render([ return $template->render([
'csrftoken' => $csrfsection->get('token'),
'greeting' => $greeting, 'greeting' => $greeting,
'noindex' => $this->config->parse_bool($this->config->get('noindex')), 'noindex' => $this->config->parse_bool($this->config->get('noindex')),
'title' => $this->config->get('sitename'), 'title' => $this->config->get('sitename'),

2
jumpapp/classes/Pages/TagPage.php
View File

@@ -10,7 +10,9 @@ class TagPage extends AbstractPage {
$template = $this->mustache->loadTemplate('header'); $template = $this->mustache->loadTemplate('header');
$greeting = $this->param; $greeting = $this->param;
$title = 'Tag: '.$this->param; $title = 'Tag: '.$this->param;
$csrfsection = $this->session->getSection('csrf');
return $template->render([ return $template->render([
'csrftoken' => $csrfsection->get('token'),
'greeting' => $greeting, 'greeting' => $greeting,
'noindex' => $this->config->parse_bool($this->config->get('noindex')), 'noindex' => $this->config->parse_bool($this->config->get('noindex')),
'title' => $title, 'title' => $title,

3
jumpapp/composer.json
View File

@@ -9,6 +9,7 @@
"arthurhoaro/favicon": "~1.0", "arthurhoaro/favicon": "~1.0",
"nette/caching": "^3.1", "nette/caching": "^3.1",
"nette/routing": "^3.0.2", "nette/routing": "^3.0.2",
"phlak/config": "^7.0" "phlak/config": "^7.0",
"nette/http": "^3.1"
} }
} }

2
jumpapp/composer.lock generated
View File

@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically" "This file is @generated automatically"
], ],
"content-hash": "097843a2f00f12e9786893c07a3ae8e3", "content-hash": "860d4eabaa4ccb80ee0f7d501149c83d",
"packages": [ "packages": [
{ {
"name": "arthurhoaro/favicon", "name": "arthurhoaro/favicon",

1
jumpapp/templates/header.mustache
View File

@@ -14,6 +14,7 @@
owmapikey: '{{owmapikey}}', owmapikey: '{{owmapikey}}',
metrictemp: '{{metrictemp}}', metrictemp: '{{metrictemp}}',
ampmclock: '{{ampmclock}}', ampmclock: '{{ampmclock}}',
token: '{{csrftoken}}'
}; };
</script> </script>
</head> </head>