create-prisma-php-app 4.1.3 → 4.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/bootstrap.php +90 -113
- package/dist/index.js +1 -1
- package/dist/public/js/pp-reactive-v1.js +1 -1
- package/dist/src/Lib/Auth/Auth.php +37 -27
- package/package.json +1 -1
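--- a/package/dist/src/Lib/Auth/Auth.php
+++ b/package/dist/src/Lib/Auth/Auth.php
@@ -29,21 +29,12 @@ class Auth
 private string $secretKey;
 private string $defaultTokenValidity = '1h'; // Default to 1 hour
 
-/**
- * Private constructor to prevent direct instantiation.
- * Use Auth::getInstance() to get the singleton instance.
- */
 private function __construct()
 {
 $this->secretKey = $_ENV['AUTH_SECRET'] ?? 'CD24eEv4qbsC5LOzqeaWbcr58mBMSvA4Mkii8GjRiHkt';
 self::$cookieName = self::getCookieName();
 }
 
-/**
- * Returns the singleton instance of the Auth class.
- *
- * @return Auth The singleton instance.
- */
 public static function getInstance(): Auth
 {
 if (self::$instance === null) {
@@ -83,14 +74,14 @@ class Auth
 'exp' => $expirationTime,
 ];
 
-// Set the payload in the session
 $_SESSION[self::PAYLOAD_SESSION_KEY] = $payload;
 
-// Encode the JWT
 $jwt = JWT::encode($payload, $this->secretKey, 'HS256');
 
 if (!headers_sent()) {
 $this->setCookies($jwt, $expirationTime);
+
+$this->rotateCsrfToken();
 }
 
 if ($redirect === true) {
@@ -177,19 +168,12 @@ class Auth
 public function verifyToken(?string $jwt): ?object
 {
 try {
-if (!$jwt)
-return null;
-}
+if (!$jwt) return null;
 
 $token = JWT::decode($jwt, new Key($this->secretKey, 'HS256'));
 
-if (empty($token->{Auth::PAYLOAD_NAME}))
-
-}
-
-if (isset($token->exp) && time() >= $token->exp) {
-return null;
-}
+if (empty($token->{Auth::PAYLOAD_NAME})) return null;
+if (isset($token->exp) && time() >= $token->exp) return null;
 
 return $token;
 } catch (Exception) {
@@ -221,7 +205,6 @@ class Auth
 }
 
 $expirationTime = $this->calculateExpirationTime($tokenValidity ?? $this->defaultTokenValidity);
-
 $decodedToken->exp = $expirationTime;
 $newJwt = JWT::encode((array)$decodedToken, $this->secretKey, 'HS256');
 
@@ -237,15 +220,40 @@ class Auth
 if (!headers_sent()) {
 setcookie(self::$cookieName, $jwt, [
 'expires' => $expirationTime,
-'path' => '/',
-'domain' => '',
-'secure' => true,
-'httponly' => true,
-'samesite' => 'Lax',
+'path' => '/',
+'domain' => '',
+'secure' => true,
+'httponly' => true,
+'samesite' => 'Lax',
 ]);
 }
 }
 
+public function rotateCsrfToken(): void
+{
+$secret = $_ENV['FUNCTION_CALL_SECRET'] ?? '';
+
+if (empty($secret)) {
+return;
+}
+
+$nonce = bin2hex(random_bytes(16));
+$signature = hash_hmac('sha256', $nonce, $secret);
+$token = $nonce . '.' . $signature;
+
+if (!headers_sent()) {
+setcookie('pp_csrf', $token, [
+'expires' => time() + 3600, // 1 hour validity
+'path' => '/',
+'secure' => true,
+'httponly' => false, // Must be FALSE so client JS can read it
+'samesite' => 'Lax',
+]);
+}
+
+$_COOKIE['pp_csrf'] = $token;
+}
+
 /**
 * Logs out the user by unsetting the session payload and deleting the authentication cookie.
 * If a redirect URL is provided, the user is redirected to that URL after logging out.
@@ -269,6 +277,8 @@ class Auth
 unset($_SESSION[self::PAYLOAD_SESSION_KEY]);
 }
 
+$this->rotateCsrfToken();
+
 if ($redirect) {
 Request::redirect($redirect);
 }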
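Review bot: `rotateCsrfToken()` (new in the `@@ -237,15 +220,40 @@` hunk) returns silently when `FUNCTION_CALL_SECRET` is unset or empty, so neither the login path nor the logout path that now call it can tell that no `pp_csrf` cookie was issued, and a deployment that forgets the variable runs without CSRF tokens with nothing reporting it. Prefer failing loudly, e.g. `if ($secret === '') { throw new \RuntimeException('FUNCTION_CALL_SECRET is not configured'); }`, or at minimum an `error_log()` call before the `return`, and compare with `=== ''` rather than `empty()` so a secret of `'0'` is not treated as absent. The CSRF cookie also gets a fixed `time() + 3600` lifetime while the auth cookie in the same hunk uses `$expirationTime`, so for a token validity longer than one hour the CSRF cookie presumably lapses before the session does; either align the two or document why they differ. The method is public and undocumented, while the commit drops the constructor and `getInstance()` docblocks; a docblock should state the token layout `$nonce . '.' . hash_hmac('sha256', $nonce, $secret)`, that `httponly` is deliberately `false` so client-side JS can echo the value back, and that `$_COOKIE['pp_csrf']` is overwritten so code later in the same request sees the new token. Separately, the unchanged constructor context line still falls back to a hard-coded `AUTH_SECRET` literal when the environment variable is missing, which is the same silent-misconfiguration class of problem as the empty-secret return above but with a larger blast radius, since every JWT is signed with that published value.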