Muuta Authenticator->getIdentity palautamaan null, mikäli tilin sta…

…tus ei ole `STATUS_ACTIVATED`. Lisää <u> SafeHTMLValidatorin hyväksyttäviin ole- tustageihin. Rejektoi json POST/PUT-pyynnöt joiden parsattu body ei ole o- lio.
ut4 · Nov 16, 2020 · 987df62 · 987df62
1 parent b3f244b
commit 987df62
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 9 deletions.
diff --git a/src/Auth/Internal/RememberMe.php b/src/Auth/Internal/RememberMe.php
@@ -4,7 +4,7 @@
 
 namespace Pike\Auth\Internal;
 
-use Pike\Auth\Crypto;
+use Pike\Auth\{Authenticator, Crypto};
 use Pike\Entities\User;
 use Pike\Interfaces\UserRepositoryInterface;
 
@@ -39,11 +39,13 @@ public function getLogin(): ?string {
         // @allow \Pike\PikeException
         $user = $this->persistence->getUserByColumn('loginId', $loginIdToken);
         if (!$user || !$user->loginIdValidatorHash) return null;
-        if (hash_equals($user->loginIdValidatorHash,
+        //
+        if ($user->accountStatus === Authenticator::ACCOUNT_STATUS_ACTIVATED &&
+            hash_equals($user->loginIdValidatorHash,
                         $this->crypto->hash('sha256', $loginIdValidatorToken)))
             return $user->loginData;
-        else
-            $this->clearPersistentLoginData($user->id);
+        //
+        $this->clearPersistentLoginData($user->id);
         return null;
     }
     /**
@@ -67,7 +69,7 @@ public function putLogin(string $userId, string $serializedSessionData): void {
     /**
      */
     public function clearLogin(): void {
-        [$loginIdToken, $loginIdValidatorToken] = $this->getAndParseCookie();
+        [$loginIdToken, $_loginIdValidatorToken] = $this->getAndParseCookie();
         if (!$loginIdToken)
             return;
         // @allow \Pike\PikeException

diff --git a/src/Extensions/Validation/SafeHTMLValidator.php b/src/Extensions/Validation/SafeHTMLValidator.php
@@ -4,7 +4,7 @@
 
 namespace Pike\Extensions\Validation;
 
-use Masterminds\{HTML5};
+use Masterminds\HTML5;
 use Masterminds\HTML5\Parser\{DOMTreeBuilder, Scanner, Tokenizer};
 
 abstract class SafeHTMLValidator {
@@ -43,6 +43,7 @@ abstract class SafeHTMLValidator {
         'th' => 'th',
         'thead' => 'thead',
         'tr' => 'tr',
+        'u' => 'u',
         'ul' => 'ul',
     ];
     public const DEFAULT_ALLOWED_ATTRIBUTES = [

diff --git a/src/Request.php b/src/Request.php
@@ -102,8 +102,14 @@ public static function createFromGlobals(?string $fullUrl = null,
             if (strpos($_SERVER['CONTENT_TYPE'] ?? '', 'application/json') === 0) {
                 if (!($json = file_get_contents('php://input')))
                     $body = new \stdClass;
-                elseif (($body = json_decode($json)) === null)
-                    throw new PikeException('Invalid json input', PikeException::BAD_INPUT);
+                else {
+                    if (($body = json_decode($json)) === null)
+                        throw new PikeException('Invalid json input',
+                                                PikeException::BAD_INPUT);
+                    elseif (!($body instanceof \stdClass))
+                        throw new PikeException('Input json must be an object',
+                                                PikeException::BAD_INPUT);
+                }
             } else {
                 $body = (object) $_POST;
                 $files = (object) $_FILES;

diff --git a/tests/Auth/AuthenticatorGetIdentityTest.php b/tests/Auth/AuthenticatorGetIdentityTest.php
@@ -2,6 +2,7 @@
 
 namespace Pike\Tests\Auth;
 
+use Pike\Auth\Authenticator;
 use Pike\Auth\Interfaces\CookieStorageInterface;
 use Pike\Interfaces\SessionInterface;
 use Pike\TestUtils\MockCrypto;
@@ -96,4 +97,31 @@ private function verifyStoredLoginDataToSession(\stdClass $state): void {
         $this->assertEquals($state->sessionData,
                             $state->actualDataPutToSession);
     }
+
+
+    ////////////////////////////////////////////////////////////////////////////
+
+
+    public function testGetIdentityWithRememberMeOnDoesNotRetrieveIdentityIfAccountIsBanned(): void {
+        $state = $this->setupRememberBannedUserTest();
+        $this->insertTestUserToDb($state->testUserData);
+        $this->invokeGetIdentityFeature($state);
+        $this->verifyDidNotReturIdentity($state);
+        $this->verifyClearedLoginDataFromDb($state);
+    }
+    private function setupRememberBannedUserTest(): \stdClass {
+        $state = $this->setupRememberMeTest();
+        $state->testUserData['accountStatus'] = Authenticator::ACCOUNT_STATUS_BANNED;
+        return $state;
+    }
+    private function verifyDidNotReturIdentity(\stdClass $state): void {
+        $this->assertNull($state->actualIdentity);
+    }
+    private function verifyClearedLoginDataFromDb(\stdClass $state): void {
+        $data = $this->getTestUserFromDb(self::TEST_USER['id']);
+        $this->assertNotNull($data);
+        $this->assertNull($data->loginId);
+        $this->assertNull($data->loginIdValidatorHash);
+        $this->assertNull($data->loginData);
+    }
 }
diff --git a/tests/Auth/AuthenticatorTestCase.php b/tests/Auth/AuthenticatorTestCase.php
@@ -54,7 +54,7 @@ function ($_factory) use ($mockCookieStorage) {
         );
     }
     /**
-     * @param array $data = []
+     * @param array<string, mixed> $data = []
      */
     protected function insertTestUserToDb(array $data = []): void {
         [$qList, $values, $columns] = self::$db->makeInsertQParts(array_merge(self::TEST_USER, $data));