fix csrf token
This commit is contained in:
parent
4bc47a8d85
commit
75d6f17eb5
@ -6,83 +6,50 @@
|
||||
**/
|
||||
|
||||
|
||||
class Csrf
|
||||
{
|
||||
private const int TOKEN_LENGTH = 16;
|
||||
private const int TOKEN_EXPIRATION = 1800;
|
||||
class Csrf
|
||||
{
|
||||
private static $tokenExpiration = 1800; // 30 minutes
|
||||
|
||||
/**
|
||||
* Generate a CSRF token.
|
||||
*
|
||||
* @param int $length
|
||||
* @return string
|
||||
*/
|
||||
public static function generateToken(int $length = self::TOKEN_LENGTH): string
|
||||
public static function generateToken($length = 16)
|
||||
{
|
||||
return bin2hex(random_bytes($length));
|
||||
}
|
||||
|
||||
/**
|
||||
* Validate the provided CSRF token against the stored token.
|
||||
*
|
||||
* @param string $token
|
||||
* @param string $storedToken
|
||||
* @return bool
|
||||
*/
|
||||
public static function validateToken(string $token, string $storedToken): bool
|
||||
public static function validateToken($token, $storedToken)
|
||||
{
|
||||
return hash_equals($token, $storedToken);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the CSRF token is valid.
|
||||
*
|
||||
* @param string|null $token
|
||||
* @return bool
|
||||
*/
|
||||
public static function check(?string $token): bool
|
||||
public static function check($token)
|
||||
{
|
||||
global $config;
|
||||
if($config['csrf_enabled'] == 'yes') {
|
||||
if (isset($_SESSION['csrf_token'], $_SESSION['csrf_token_time'], $token)) {
|
||||
$storedToken = $_SESSION['csrf_token'];
|
||||
$tokenTime = $_SESSION['csrf_token_time'];
|
||||
|
||||
if ($config['csrf_enabled'] === 'yes') {
|
||||
if (isset($_SESSION['nux_csrf_token'], $_SESSION['nux_csrf_token_time'], $token)) {
|
||||
$storedToken = $_SESSION['nux_csrf_token'];
|
||||
$tokenTime = $_SESSION['nux_csrf_token_time'];
|
||||
|
||||
if (time() - $tokenTime > self::TOKEN_EXPIRATION) {
|
||||
if (time() - $tokenTime > self::$tokenExpiration) {
|
||||
self::clearToken();
|
||||
return false;
|
||||
}
|
||||
|
||||
return self::validateToken($token, $storedToken);
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
return true; // CSRF is disabled
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate and store a new CSRF token in the session.
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public static function generateAndStoreToken(): string
|
||||
public static function generateAndStoreToken()
|
||||
{
|
||||
$token = self::generateToken();
|
||||
$_SESSION['nux_csrf_token'] = $token;
|
||||
$_SESSION['nux_csrf_token_time'] = time();
|
||||
$_SESSION['csrf_token'] = $token;
|
||||
$_SESSION['csrf_token_time'] = time();
|
||||
return $token;
|
||||
}
|
||||
|
||||
/**
|
||||
* Clear the stored CSRF token from the session.
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
public static function clearToken(): void
|
||||
public static function clearToken()
|
||||
{
|
||||
unset($_SESSION['nux_csrf_token'], $_SESSION['nux_csrf_token_time']);
|
||||
}
|
||||
unset($_SESSION['csrf_token'], $_SESSION['csrf_token_time']);
|
||||
}
|
||||
}
|
||||
|
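Review bot: `hash_equals($token, $storedToken)` in validateToken passes the user-supplied value as the first argument, but hash_equals expects the known string first and the user-supplied string second (its timing is constant only with respect to the second argument), so the line should read `return hash_equals($storedToken, $token);`. The rendering does not make clear which of the duplicated lines is the new side, but this line appears only once and is left untouched by the commit. check() also reads `$config['csrf_enabled']` through `global $config` without guarding the key; `if (($config['csrf_enabled'] ?? 'no') === 'yes') {` keeps the fail-closed behaviour (an absent key still means CSRF is enforced) while avoiding the undefined-index notice.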
@ -38,7 +38,7 @@ switch ($action) {
|
||||
r2(getUrl('pluginmanager'), 's', 'Refresh success');
|
||||
break;
|
||||
case 'dlinstall':
|
||||
if ($_app_stage == 'demo') {
|
||||
if ($_app_stage == 'Demo') {
|
||||
r2(getUrl('pluginmanager'), 'e', 'Demo Mode cannot install as it Security risk');
|
||||
}
|
||||
if (!is_writeable($CACHE_PATH)) {
|
||||
|
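Review bot: The demo-mode guard compares `$_app_stage` against a fixed-case literal (`'demo'` on one side of the change, `'Demo'` on the other), so any other spelling of the stage value silently bypasses the block; a case-insensitive check, `if (strcasecmp((string) $_app_stage, 'demo') === 0) {`, removes the dependence on how the stage is written elsewhere. The guard also relies on r2() terminating the request; if r2() returns, execution falls through into the install path, so an explicit `return;` after the r2() call may be warranted — confirm against r2()'s definition, which is outside this hunk. The message text would also read better as `'Demo Mode cannot install as it is a security risk'`. The enclosing switch starts and ends outside the hunk.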