zozlak / auth / #17

Committed 28 Oct 2024 11:35AM UTC coverage: 32.687%. Remained the same

Build # #17

Build Type

push

php-coveralls

Committed by

zozlak

Commit Message

HttpBasic, HttpDigest: fix the Refresh HTTP header format

Run Details

1 of 2 new or added lines in 2 files covered. (50.0%)

118 of 361 relevant lines covered (32.69%)

1.25 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/src/zozlak/auth/authMethod/HttpDigest.php

<?php

/*
 * The MIT License
 *
 * Copyright 2018 zozlak.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */

namespace zozlak\auth\authMethod;

use stdClass;
use GuzzleHttp\Psr7\Response;
use zozlak\auth\usersDb\UsersDbInterface;
use zozlak\auth\usersDb\UserUnknownException;
use zozlak\auth\UnauthorizedException;

/**
 * Description of HttpDigest
 *
 * @author zozlak
 */
class HttpDigest implements AuthMethodInterface {

    static private function getHa1(string $realm, string $user, string $pswd): string {
        return md5($user . ':' . $realm . ':' . $pswd);
    }

    static public function pswdData(string $realm, string $user, string $pswd): object {
        return (object) ['ha1' => self::getHa1($realm, $user, $pswd)];
    }

    private string $realm;
    private string $user;

    public function __construct(string $realm) {
        $this->realm = $realm;
    }

    public function authenticate(UsersDbInterface $db, bool $strict): bool {
        $reqData = $this->getRequestData();
        if ($reqData === null) {
            return false;
        }
        try {
            $data = $db->getUser($reqData['username']);
            if (strlen($data->ha1 ?? '') === 0) {
                return false;
            }
            $ha2       = md5(($_SERVER['REQUEST_METHOD'] ?? '') . ':' . $reqData['uri']);
            $nonce     = $reqData['nonce'] . ':' . $reqData['nc'] . ':' . $reqData['cnonce'] . ':' . $reqData['qop'];
            $validResp = md5($data->ha1 . ':' . $nonce . ':' . $ha2);
            if ($reqData['response'] === $validResp) {
                $this->user = $reqData['username'];
                return true;
            }
        } catch (UserUnknownException $ex) {
            
        }
        if ($strict) {
            throw new UnauthorizedException();
        }
        return false;
    }

    public function logout(UsersDbInterface $db, string $redirectUrl = ''): Response | null {
        if (!isset($_SERVER['PHP_AUTH_DIGEST'])) {
            return null;
        }
        $headers = [];
        if (!empty($redirectUrl)) {
            $headers['Refresh'] = '0; url=' . $redirectUrl;
        }
        return new Response(401, $headers);
    }

    public function getUserData(): object {
        return new stdClass();
    }

    public function getUserName(): string {
        return $this->user;
    }

    public function advertise(bool $onFailure): Response | null {
        if ($this->getRequestData() === null || $onFailure) {
            $headers                     = [];
            $headers['WWW-Authenticate'] = 'Digest realm="' . $this->realm . '",qop="auth",nonce="' . bin2hex(random_bytes(16)) . '",opaque="' . md5($this->realm) . '"';
            return new Response(401, $headers);
        }
        return null;
    }

    /**
     * 
     * @return array<mixed>|null
     */
    private function getRequestData(): ?array {

        $parts = [
            'nonce'    => 1,
            'nc'       => 1,
            'cnonce'   => 1,
            'qop'      => 1,
            'username' => 1,
            'uri'      => 1,
            'response' => 1
        ];
        $keys  = implode('|', array_keys($parts));

        $raw = $this->getDigestHeader();
        if (!empty($raw)) {
            $matches = null;
            preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $raw, $matches, PREG_SET_ORDER);
        }

        $data = [];
        foreach ($matches ?? [] as $m) {
            $data[$m[1]] = $m[3] ? $m[3] : $m[4];
            unset($parts[$m[1]]);
        }

        return count($parts) > 0 ? null : $data;
    }

    private function getDigestHeader(): string {
        $header = $_SERVER['HTTP_AUTHORIZATION'] ?? ($_SERVER['AUTHORIZATION'] ?? '');
        if (strtolower(substr($header, 0, 8)) === 'digest ') {
            return substr($header, 8);
        }
        return '';
    }
}

1	<?php
2
3	/*
4	* The MIT License
5	*
6	* Copyright 2018 zozlak.
7	*
8	* Permission is hereby granted, free of charge, to any person obtaining a copy
9	* of this software and associated documentation files (the "Software"), to deal
10	* in the Software without restriction, including without limitation the rights
11	* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12	* copies of the Software, and to permit persons to whom the Software is
13	* furnished to do so, subject to the following conditions:
14	*
15	* The above copyright notice and this permission notice shall be included in
16	* all copies or substantial portions of the Software.
17	*
18	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19	* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20	* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21	* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22	* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23	* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24	* THE SOFTWARE.
25	*/
26
27	namespace zozlak\auth\authMethod;
28
29	use stdClass;
30	use GuzzleHttp\Psr7\Response;
31	use zozlak\auth\usersDb\UsersDbInterface;
32	use zozlak\auth\usersDb\UserUnknownException;
33	use zozlak\auth\UnauthorizedException;
34
35	/**
36	* Description of HttpDigest
37	*
38	* @author zozlak
39	*/
40	class HttpDigest implements AuthMethodInterface {
41
42	static private function getHa1(string $realm, string $user, string $pswd): string {
43	return md5($user . ':' . $realm . ':' . $pswd);	×
44	}
45
46	static public function pswdData(string $realm, string $user, string $pswd): object {
47	return (object) ['ha1' => self::getHa1($realm, $user, $pswd)];	×
48	}
49
50	private string $realm;
51	private string $user;
52
53	public function __construct(string $realm) {
54	$this->realm = $realm;	×
55	}
56
57	public function authenticate(UsersDbInterface $db, bool $strict): bool {
58	$reqData = $this->getRequestData();	×
59	if ($reqData === null) {	×
60	return false;	×
61	}
62	try {
63	$data = $db->getUser($reqData['username']);	×
64	if (strlen($data->ha1 ?? '') === 0) {	×
65	return false;	×
66	}
67	$ha2 = md5(($_SERVER['REQUEST_METHOD'] ?? '') . ':' . $reqData['uri']);	×
68	$nonce = $reqData['nonce'] . ':' . $reqData['nc'] . ':' . $reqData['cnonce'] . ':' . $reqData['qop'];	×
69	$validResp = md5($data->ha1 . ':' . $nonce . ':' . $ha2);	×
70	if ($reqData['response'] === $validResp) {	×
71	$this->user = $reqData['username'];	×
72	return true;	×
73	}
74	} catch (UserUnknownException $ex) {	×
75
76	}
77	if ($strict) {	×
78	throw new UnauthorizedException();	×
79	}
80	return false;	×
81	}
82
83	public function logout(UsersDbInterface $db, string $redirectUrl = ''): Response \| null {
84	if (!isset($_SERVER['PHP_AUTH_DIGEST'])) {	×
85	return null;	×
86	}
87	$headers = [];	×
88	if (!empty($redirectUrl)) {	×
NEW 89	$headers['Refresh'] = '0; url=' . $redirectUrl;	×
90	}
91	return new Response(401, $headers);	×
92	}
93
94	public function getUserData(): object {
95	return new stdClass();	×
96	}
97
98	public function getUserName(): string {
99	return $this->user;	×
100	}
101
102	public function advertise(bool $onFailure): Response \| null {
103	if ($this->getRequestData() === null \|\| $onFailure) {	×
104	$headers = [];	×
105	$headers['WWW-Authenticate'] = 'Digest realm="' . $this->realm . '",qop="auth",nonce="' . bin2hex(random_bytes(16)) . '",opaque="' . md5($this->realm) . '"';	×
106	return new Response(401, $headers);	×
107	}
108	return null;	×
109	}
110
111	/**
112	*
113	* @return array<mixed>\|null
114	*/
115	private function getRequestData(): ?array {
116
117	$parts = [	×
118	'nonce' => 1,	×
119	'nc' => 1,	×
120	'cnonce' => 1,	×
121	'qop' => 1,	×
122	'username' => 1,	×
123	'uri' => 1,	×
124	'response' => 1	×
125	];	×
126	$keys = implode('\|', array_keys($parts));	×
127
128	$raw = $this->getDigestHeader();	×
129	if (!empty($raw)) {	×
130	$matches = null;	×
131	preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2\|([^\s,]+))@', $raw, $matches, PREG_SET_ORDER);	×
132	}
133
134	$data = [];	×
135	foreach ($matches ?? [] as $m) {	×
136	$data[$m[1]] = $m[3] ? $m[3] : $m[4];	×
137	unset($parts[$m[1]]);	×
138	}
139
140	return count($parts) > 0 ? null : $data;	×
141	}
142
143	private function getDigestHeader(): string {
144	$header = $_SERVER['HTTP_AUTHORIZATION'] ?? ($_SERVER['AUTHORIZATION'] ?? '');	×
145	if (strtolower(substr($header, 0, 8)) === 'digest ') {	×
146	return substr($header, 8);	×
147	}
148	return '';	×
149	}
150	}

zozlak / auth / #17

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous