
implement form tokens

main 1.9.1
ghost 5 months ago
parent
commit
be100a1420
  1. 43
      src/Controller/ModuleController.php
  2. 43
      src/Controller/RoomController.php
  3. 76
      src/Controller/UserController.php
  4. 1
      templates/default/module/post.html.twig
  5. 1
      templates/default/module/room.html.twig
  6. 1
      templates/default/user/join.html.twig
  7. 1
      templates/default/user/login.html.twig

43
src/Controller/ModuleController.php

@ -129,18 +129,28 @@ class ModuleController extends AbstractController
Request $request Request $request
): Response ): Response
{ {
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
// Check user session exist // Check user session exist
$username = false; $username = false;
if (!empty($request->cookies->get('KEVACHAT_SESSION')) && preg_match('/[A-z0-9]{32}/', $request->cookies->get('KEVACHAT_SESSION'))) if (!empty($request->cookies->get('KEVACHAT_SESSION')) && preg_match('/[A-z0-9]{32}/', $request->cookies->get('KEVACHAT_SESSION')))
{ {
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Check username exist for this session // Check username exist for this session
if ($value = $memcached->get($request->cookies->get('KEVACHAT_SESSION'))) if ($value = $memcached->get($request->cookies->get('KEVACHAT_SESSION')))
{ {
@ -203,6 +213,7 @@ class ModuleController extends AbstractController
'error' => $request->get('error'), 'error' => $request->get('error'),
'warning' => $request->get('warning'), 'warning' => $request->get('warning'),
'sign' => $sign, 'sign' => $sign,
'token' => $token,
'message' => $message, 'message' => $message,
'username' => $username, 'username' => $username,
'cost' => $this->getParameter('app.add.post.cost.kva'), 'cost' => $this->getParameter('app.add.post.cost.kva'),
@ -223,10 +234,28 @@ class ModuleController extends AbstractController
Request $request Request $request
): Response ): Response
{ {
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
return $this->render( return $this->render(
'default/module/room.html.twig', 'default/module/room.html.twig',
[ [
'request' => $request, 'request' => $request,
'token' => $token,
'cost' => $this->getParameter('app.add.room.cost.kva') 'cost' => $this->getParameter('app.add.room.cost.kva')
] ]
); );
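Review bot: The token minted at the top of the post action hunk is `crc32(microtime(true) + rand())`, a 32-bit value derived from the clock and a non-cryptographic generator, so it is guessable by anyone who knows roughly when the form was served; `$memcached->add($token, time())` also passes no expiration, so the "Session token expired" path in the consumers is only reached for a token that was already spent or never issued, never for one that is merely old. I would issue `$token = bin2hex(random_bytes(16));` and store it with a lifetime, `$memcached->add($token, time(), $ttl);`, with `$ttl` read from configuration. Nothing in the stored value ties the token to the session cookie checked just below it or to the form it was rendered into, so as written it proves only that some client fetched a form page recently; storing the session id or form name as the value and comparing it on consumption would bind it. The same generation block appears in this file's room hunk and in UserController's join and login hunks, and each enclosing action starts before and continues past its hunk.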

43
src/Controller/RoomController.php

@ -442,6 +442,29 @@ class RoomController extends AbstractController
} }
*/ */
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'room_namespace',
[
'mode' => $request->get('mode'),
'namespace' => $request->get('namespace'),
'message' => $request->get('message'),
'sign' => $request->get('sign'),
'error' => $translator->trans('Session token expired'),
'_fragment' => 'latest'
]
);
}
// Validate access to the room namespace // Validate access to the room namespace
if if
( (
@ -794,6 +817,26 @@ class RoomController extends AbstractController
$request->get('name') $request->get('name')
); );
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'room_list',
[
'mode' => $request->get('mode'),
'name' => $name,
'error' => $translator->trans('Session token expired')
]
);
}
// Validate kevacoin key requirements // Validate kevacoin key requirements
if (mb_strlen($name) < 1 || mb_strlen($name) > 520) if (mb_strlen($name) < 1 || mb_strlen($name) > 520)
{ {
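Review bot: The check at the head of the first hunk reads the token with `$memcached->get($request->get('token'))` and deletes it afterwards, so two requests carrying the same token that arrive together both pass the `get` before either `delete` runs and the token is accepted twice; `Memcached::delete()` returns false when the key is absent, so the guard can be the delete itself, `if (!$memcached->delete((string) $request->get('token')))` followed by the existing redirect, which also avoids passing null to `get()` when the field is missing. Because the key is the bare token and the stored value is never compared with the caller's session, any token obtained by fetching a form page is accepted here, so the check does not distinguish the requester from anyone else who fetched a form. The same get-then-delete appears in this file's second hunk and in UserController's user_add and user_login consumers. Both enclosing actions start before and continue past their hunks.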

76
src/Controller/UserController.php

@ -159,6 +159,23 @@ class UserController extends AbstractController
?Request $request ?Request $request
): Response ): Response
{ {
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
// Check user session does not exist to continue // Check user session does not exist to continue
if (!empty($request->cookies->get('KEVACHAT_SESSION'))) if (!empty($request->cookies->get('KEVACHAT_SESSION')))
{ {
@ -172,6 +189,7 @@ class UserController extends AbstractController
'default/user/join.html.twig', 'default/user/join.html.twig',
[ [
'request' => $request, 'request' => $request,
'token' => $token,
'cost' => $this->getParameter('app.add.user.cost.kva') 'cost' => $this->getParameter('app.add.user.cost.kva')
] ]
); );
@ -189,6 +207,23 @@ class UserController extends AbstractController
?Request $request ?Request $request
): Response ): Response
{ {
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
// Check user session does not exist to continue // Check user session does not exist to continue
if (!empty($request->cookies->get('KEVACHAT_SESSION'))) if (!empty($request->cookies->get('KEVACHAT_SESSION')))
{ {
@ -201,7 +236,8 @@ class UserController extends AbstractController
return $this->render( return $this->render(
'default/user/login.html.twig', 'default/user/login.html.twig',
[ [
'request' => $request 'request' => $request,
'token' => $token
] ]
); );
} }
@ -298,6 +334,25 @@ class UserController extends AbstractController
), ),
); );
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'user_add',
[
'username' => $request->get('username'),
'error' => $translator->trans('Session token expired')
]
);
}
// Validate remote IP limits // Validate remote IP limits
if ($delay = (int) $memcached->get($memory)) if ($delay = (int) $memcached->get($memory))
{ {
@ -629,6 +684,25 @@ class UserController extends AbstractController
$this->getParameter('app.memcached.port') $this->getParameter('app.memcached.port')
); );
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'user_login',
[
'username' => $request->get('username'),
'error' => $translator->trans('Session token expired')
]
);
}
// Check client connection // Check client connection
if (!$client = $this->_client()) if (!$client = $this->_client())
{ {
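Review bot: The issue block in the join and login hunks and the consume block in the user_add and user_login hunks are byte-for-byte copies of the ones in ModuleController and RoomController, so the token rules now live in six places; I would move them into two private helpers on a trait shared by the controllers and reduce each action to a single call. The helpers below also scope a token to the form it was issued for, which the current code does not: a token minted by the login action is accepted by the user_add consumer because both use the bare token as the memcached key and never look at the stored value. `$ttl` stands for the configured token lifetime in seconds, under whatever parameter name the project settles on. Each action here starts before and continues past its hunk.
```php
// … unchanged: existing actions; each replaces its inline block with one helper call …

/**
 * Issue a one-time token for $form. The stored value records the form so the
 * token cannot be spent on a different one; $ttl is the lifetime in seconds.
 */
private function _tokenIssue(\Memcached $memcached, string $form, int $ttl): string
{
    $token = bin2hex(random_bytes(16));

    $memcached->add($token, $form, $ttl);

    return $token;
}

/**
 * Consume a token for $form. delete() is atomic and reports a missing key,
 * so concurrent submits of the same token are accepted at most once.
 */
private function _tokenConsume(\Memcached $memcached, ?string $token, string $form): bool
{
    if ($token === null || $memcached->get($token) !== $form)
    {
        return false;
    }

    return $memcached->delete($token);
}
```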

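--- a/templates/default/module/post.html.twig
+++ b/templates/default/module/post.html.twig
@@ -34,5 +34,6 @@
 {% if cost %}
 <span>{{ 'cost: %s KVA' | format(cost) | trans }}</span>
 {% endif %}
+<input type="hidden" name="token" value="{{ token }}" />
 </form>
 {% endif %}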

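--- a/templates/default/module/room.html.twig
+++ b/templates/default/module/room.html.twig
@@ -10,4 +10,5 @@
 {% if cost %}
 <span>{{ 'cost: %s KVA' | format(cost) | trans }}</span>
 {% endif %}
+<input type="hidden" name="token" value="{{ token }}" />
 </form>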

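--- a/templates/default/user/join.html.twig
+++ b/templates/default/user/join.html.twig
@@ -19,5 +19,6 @@
 {% if cost %}
 <span>{{ 'cost: %s KVA' | format(cost) | trans }}</span>
 {% endif %}
+<input type="hidden" name="token" value="{{ token }}" />
 </form>
 {% endblock %}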

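--- a/templates/default/user/login.html.twig
+++ b/templates/default/user/login.html.twig
@@ -11,5 +11,6 @@
 <input type="password" name="password" id="password" value="" />
 <a href="{{ path('user_join') }}">{{ 'Create account' | trans }}</a>
 <button type="submit">{{ 'login' | trans }}</button>
+<input type="hidden" name="token" value="{{ token }}" />
 </form>
 {% endblock %}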