(feat): Sessions and XSRF

Core/Router.php

@@ -48,6 +48,15 @@ class Router
             ->pipe(new Kernel\CorsMiddleware())
             ->pipe(new Kernel\JsonPayloadMiddleware())
             ->pipe(new Kernel\FrameSecurityMiddleware())
+            ->pipe(
+                (new Kernel\SessionMiddleware())
+                    ->setAttributeName('_user')
+            )
+            ->pipe(
+                (new Kernel\OauthMiddleware())
+                    ->setAttributeName('_user')
+            )
+            ->pipe(new Kernel\XsrfCookieMiddleware())
             ->pipe(
                 (new Kernel\RequestHandlerMiddleware())
                     ->setAttributeName('_request-handler')

Core/Router/Middleware/AdminMiddleware.php

@@ -8,6 +8,7 @@ namespace Minds\Core\Router\Middleware;
 
 use Minds\Core\Router\Exceptions\ForbiddenException;
 use Minds\Core\Router\Exceptions\UnauthorizedException;
+use Minds\Core\Security\XSRF;
 use Minds\Entities\User;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -16,6 +17,19 @@ use Psr\Http\Server\RequestHandlerInterface;
 
 class AdminMiddleware implements MiddlewareInterface
 {
+    /** @var string */
+    protected $attributeName = '_user';
+
+    /**
+     * @param string $attributeName
+     * @return AdminMiddleware
+     */
+    public function setAttributeName(string $attributeName): AdminMiddleware
+    {
+        $this->attributeName = $attributeName;
+        return $this;
+    }
+
     /**
      * Process an incoming server request.
      *
@@ -30,12 +44,15 @@ class AdminMiddleware implements MiddlewareInterface
      */
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
-        if (!$request->getAttribute('current-user')) {
+        if (
+            !$request->getAttribute($this->attributeName) ||
+            !XSRF::validateRequest()
+        ) {
             throw new UnauthorizedException();
         }
 
         /** @var User $currentUser */
-        $currentUser = $request->getAttribute('current-user');
+        $currentUser = $request->getAttribute($this->attributeName);
 
         if (!$currentUser->isAdmin()) {
             throw new ForbiddenException();

Core/Router/Middleware/Kernel/OauthMiddleware.php

+<?php
+/**
+ * OauthMiddleware
+ * @author edgebal
+ */
+
+namespace Minds\Core\Router\Middleware\Kernel;
+
+use Minds\Core\Session;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Zend\Diactoros\Response;
+
+class OauthMiddleware implements MiddlewareInterface
+{
+    /** @var string */
+    protected $attributeName = '_user';
+
+    /**
+     * @param string $attributeName
+     * @return OauthMiddleware
+     */
+    public function setAttributeName(string $attributeName): OauthMiddleware
+    {
+        $this->attributeName = $attributeName;
+        return $this;
+    }
+
+    /**
+     * Process an incoming server request.
+     *
+     * Processes an incoming server request in order to produce a response.
+     * If unable to produce the response itself, it may delegate to the provided
+     * request handler to do so.
+     */
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        if (!$request->getAttribute($this->attributeName)) {
+            Session::withRouterRequest($request, new Response());
+
+            return $handler->handle(
+                $request
+                    ->withAttribute($this->attributeName, Session::getLoggedinUser() ?: null)
+            );
+        }
+
+        return $handler
+            ->handle($request);
+    }
+}

Core/Router/Middleware/Kernel/SessionMiddleware.php

+<?php
+/**
+ * SessionMiddleware
+ * @author edgebal
+ */
+
+namespace Minds\Core\Router\Middleware\Kernel;
+
+use Minds\Core\Di\Di;
+use Minds\Core\Session;
+use Minds\Core\Sessions\Manager;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+class SessionMiddleware implements MiddlewareInterface
+{
+    /** @var Manager */
+    protected $session;
+
+    /** @var string */
+    protected $attributeName = '_user';
+
+    /**
+     * SessionMiddleware constructor.
+     * @param Manager $session
+     */
+    public function __construct(
+        $session = null
+    )
+    {
+        $this->session = $session ?: Di::_()->get('Sessions\Manager');
+    }
+
+    /**
+     * @param string $attributeName
+     * @return SessionMiddleware
+     */
+    public function setAttributeName(string $attributeName): SessionMiddleware
+    {
+        $this->attributeName = $attributeName;
+        return $this;
+    }
+
+    /**
+     * Process an incoming server request.
+     *
+     * Processes an incoming server request in order to produce a response.
+     * If unable to produce the response itself, it may delegate to the provided
+     * request handler to do so.
+     * @param ServerRequestInterface $request
+     * @param RequestHandlerInterface $handler
+     * @return ResponseInterface
+     */
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        if (!$request->getAttribute($this->attributeName)) {
+            $this->session
+                ->withRouterRequest($request);
+
+            return $handler->handle(
+                $request
+                    ->withAttribute($this->attributeName, Session::getLoggedinUser() ?: null)
+            );
+        }
+
+        return $handler
+            ->handle($request);
+    }
+}

Core/Router/Middleware/Kernel/XsrfCookieMiddleware.php

+<?php
+/**
+ * XsrfCookieMiddleware
+ * @author edgebal
+ */
+
+namespace Minds\Core\Router\Middleware\Kernel;
+
+use Minds\Core\Security\XSRF;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+class XsrfCookieMiddleware implements MiddlewareInterface
+{
+    /**
+     * Process an incoming server request.
+     *
+     * Processes an incoming server request in order to produce a response.
+     * If unable to produce the response itself, it may delegate to the provided
+     * request handler to do so.
+     * @param ServerRequestInterface $request
+     * @param RequestHandlerInterface $handler
+     * @return ResponseInterface
+     */
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        XSRF::setCookie();
+
+        return $handler
+            ->handle($request);
+    }
+}

Core/Router/Middleware/LoggedInMiddleware.php

@@ -7,6 +7,7 @@
 namespace Minds\Core\Router\Middleware;
 
 use Minds\Core\Router\Exceptions\UnauthorizedException;
+use Minds\Core\Security\XSRF;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
@@ -14,6 +15,19 @@ use Psr\Http\Server\RequestHandlerInterface;
 
 class LoggedInMiddleware implements MiddlewareInterface
 {
+    /** @var string */
+    protected $attributeName = '_user';
+
+    /**
+     * @param string $attributeName
+     * @return LoggedInMiddleware
+     */
+    public function setAttributeName(string $attributeName): LoggedInMiddleware
+    {
+        $this->attributeName = $attributeName;
+        return $this;
+    }
+
     /**
      * Process an incoming server request.
      *
@@ -27,7 +41,10 @@ class LoggedInMiddleware implements MiddlewareInterface
      */
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
-        if (!$request->getAttribute('current-user')) {
+        if (
+            !$request->getAttribute($this->attributeName) ||
+            !XSRF::validateRequest()
+        ) {
             throw new UnauthorizedException();
         }