From 987df625e274331c8c77d2123db342ba5cc5acc5 Mon Sep 17 00:00:00 2001 From: ut4 Date: Sun, 15 Nov 2020 08:53:18 +0200 Subject: [PATCH] =?UTF-8?q?Muuta=20Authenticator->getIdentity=20palautamaa?= =?UTF-8?q?n=20`null`,=20mik=C3=A4li=20tilin=20status=20ei=20ole=20`STATUS?= =?UTF-8?q?=5FACTIVATED`.=20Lis=C3=A4=C3=A4=20=20SafeHTMLValidatorin=20?= =?UTF-8?q?hyv=C3=A4ksytt=C3=A4viin=20ole-=20tustageihin.=20Rejektoi=20jso?= =?UTF-8?q?n=20POST/PUT-pyynn=C3=B6t=20joiden=20parsattu=20body=20ei=20ole?= =?UTF-8?q?=20o-=20lio.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/Auth/Internal/RememberMe.php | 12 ++++---- .../Validation/SafeHTMLValidator.php | 3 +- src/Request.php | 10 +++++-- tests/Auth/AuthenticatorGetIdentityTest.php | 28 +++++++++++++++++++ tests/Auth/AuthenticatorTestCase.php | 2 +- 5 files changed, 46 insertions(+), 9 deletions(-)
diff --git a/src/Auth/Internal/RememberMe.php b/src/Auth/Internal/RememberMe.php
index 5d05889..5d6b738 100644
--- a/src/Auth/Internal/RememberMe.php
+++ b/src/Auth/Internal/RememberMe.php
@@ -4,7 +4,7 @@ namespace Pike\Auth\Internal; -use Pike\Auth\Crypto; +use Pike\Auth\{Authenticator, Crypto}; use Pike\Entities\User; use Pike\Interfaces\UserRepositoryInterface;
@@ -39,11 +39,13 @@ public function getLogin(): ?string { // @allow \Pike\PikeException $user = $this->persistence->getUserByColumn('loginId', $loginIdToken); if (!$user || !$user->loginIdValidatorHash) return null; - if (hash_equals($user->loginIdValidatorHash, + // + if ($user->accountStatus === Authenticator::ACCOUNT_STATUS_ACTIVATED && + hash_equals($user->loginIdValidatorHash, $this->crypto->hash('sha256', $loginIdValidatorToken))) return $user->loginData; - else - $this->clearPersistentLoginData($user->id); + // + $this->clearPersistentLoginData($user->id); return null; } /**
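Review bot: The new `accountStatus === Authenticator::ACCOUNT_STATUS_ACTIVATED` gate in getLogin() is, as far as the diffstat shows, the only place this commit checks account status, so if Authenticator::getIdentity can also resolve an identity from a live session without going through the remember-me cookie, a banned user who already holds a session would still be returned — confirm that path is covered or add the same check there. The two bare `//` lines added on the new side carry no text; replace the first with `// Honour the cookie only for an activated account whose validator matches` and the second with `// Any other status, or a validator mismatch, revokes the persistent login`. Because the `&&` short-circuits, a non-activated account is revoked on the strength of the selector alone without hash_equals() being evaluated, which is fine for revocation but worth stating in that second comment. The lines that populate `$loginIdToken` and `$loginIdValidatorToken` sit above the hunk, so the start of getLogin() is not visible here.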
@@ -67,7 +69,7 @@ public function putLogin(string $userId, string $serializedSessionData): void { /** */ public function clearLogin(): void { - [$loginIdToken, $loginIdValidatorToken] = $this->getAndParseCookie(); + [$loginIdToken, $_loginIdValidatorToken] = $this->getAndParseCookie(); if (!$loginIdToken) return; // @allow \Pike\PikeException
diff --git a/src/Extensions/Validation/SafeHTMLValidator.php b/src/Extensions/Validation/SafeHTMLValidator.php
index 4c9a70b..1c81e5f 100644
--- a/src/Extensions/Validation/SafeHTMLValidator.php
+++ b/src/Extensions/Validation/SafeHTMLValidator.php
@@ -4,7 +4,7 @@ namespace Pike\Extensions\Validation; -use Masterminds\{HTML5}; +use Masterminds\HTML5; use Masterminds\HTML5\Parser\{DOMTreeBuilder, Scanner, Tokenizer}; abstract class SafeHTMLValidator {
@@ -43,6 +43,7 @@ abstract class SafeHTMLValidator { 'th' => 'th', 'thead' => 'thead', 'tr' => 'tr', + 'u' => 'u', 'ul' => 'ul', ]; public const DEFAULT_ALLOWED_ATTRIBUTES = [
diff --git a/src/Request.php b/src/Request.php
index aaa4435..3581fa8 100644
--- a/src/Request.php
+++ b/src/Request.php
@@ -102,8 +102,14 @@ public static function createFromGlobals(?string $fullUrl = null, if (strpos($_SERVER['CONTENT_TYPE'] ?? '', 'application/json') === 0) { if (!($json = file_get_contents('php://input'))) $body = new \stdClass; - elseif (($body = json_decode($json)) === null) - throw new PikeException('Invalid json input', PikeException::BAD_INPUT); + else { + if (($body = json_decode($json)) === null) + throw new PikeException('Invalid json input', + PikeException::BAD_INPUT); + elseif (!($body instanceof \stdClass)) + throw new PikeException('Input json must be an object', + PikeException::BAD_INPUT); + } } else { $body = (object) $_POST; $files = (object) $_FILES;
diff --git a/tests/Auth/AuthenticatorGetIdentityTest.php b/tests/Auth/AuthenticatorGetIdentityTest.php
index 9094adf..cdf2bba 100644
--- a/tests/Auth/AuthenticatorGetIdentityTest.php
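Review bot: The new `'u' => 'u'` allowlist entry in SafeHTMLValidator has no accompanying test in this commit — the diffstat touches only the Auth tests — so nothing pins that `<u>` is now accepted and that its attributes are still filtered (presumably through DEFAULT_ALLOWED_ATTRIBUTES, whose contents are outside the hunk). A single case asserting that `<u>x</u>` passes and that `<u onclick="x">x</u>` is rejected would cover the change. `<u>` itself is a plain phrasing element, so the entry looks safe on its own.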
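Review bot: The outer `if (!($json = file_get_contents('php://input')))` treats a request body of exactly `0` as an absent body, because the string `"0"` is falsy in PHP, so that request silently gets an empty stdClass instead of the new 'Input json must be an object' rejection that bodies such as `1`, `"x"` or `[]` receive. Test for an absent body explicitly: `if (($json = file_get_contents('php://input')) === false || $json === '')`. Relatedly, `json_decode($json) === null` also reports the valid JSON literal `null` as 'Invalid json input'; that outcome is acceptable since null is not an object, but checking `json_last_error() !== JSON_ERROR_NONE` for the first branch would keep the two error messages accurate. createFromGlobals() continues on both sides of the hunk.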
+++ b/tests/Auth/AuthenticatorGetIdentityTest.php
@@ -2,6 +2,7 @@ namespace Pike\Tests\Auth; +use Pike\Auth\Authenticator; use Pike\Auth\Interfaces\CookieStorageInterface; use Pike\Interfaces\SessionInterface; use Pike\TestUtils\MockCrypto;
@@ -96,4 +97,31 @@ private function verifyStoredLoginDataToSession(\stdClass $state): void { $this->assertEquals($state->sessionData, $state->actualDataPutToSession); } + + + //////////////////////////////////////////////////////////////////////////// + + + public function testGetIdentityWithRememberMeOnDoesNotRetrieveIdentityIfAccountIsBanned(): void { + $state = $this->setupRememberBannedUserTest(); + $this->insertTestUserToDb($state->testUserData); + $this->invokeGetIdentityFeature($state); + $this->verifyDidNotReturIdentity($state); + $this->verifyClearedLoginDataFromDb($state); + } + private function setupRememberBannedUserTest(): \stdClass { + $state = $this->setupRememberMeTest(); + $state->testUserData['accountStatus'] = Authenticator::ACCOUNT_STATUS_BANNED; + return $state; + } + private function verifyDidNotReturIdentity(\stdClass $state): void { + $this->assertNull($state->actualIdentity); + } + private function verifyClearedLoginDataFromDb(\stdClass $state): void { + $data = $this->getTestUserFromDb(self::TEST_USER['id']); + $this->assertNotNull($data); + $this->assertNull($data->loginId); + $this->assertNull($data->loginIdValidatorHash); + $this->assertNull($data->loginData); + } }
diff --git a/tests/Auth/AuthenticatorTestCase.php b/tests/Auth/AuthenticatorTestCase.php
index e3233b8..39791d9 100644
--- a/tests/Auth/AuthenticatorTestCase.php
+++ b/tests/Auth/AuthenticatorTestCase.php
@@ -54,7 +54,7 @@ function ($_factory) use ($mockCookieStorage) { ); } /** - * @param array $data = [] + * @param array $data = [] */ protected function insertTestUserToDb(array $data = []): void { [$qList, $values, $columns] = self::$db->makeInsertQParts(array_merge(self::TEST_USER, $data));
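Review bot: The new test only exercises ACCOUNT_STATUS_BANNED, while the guard it covers is an equality against ACCOUNT_STATUS_ACTIVATED, so every other non-activated status (an unactivated or pending account, if Authenticator defines such constants) goes untested; give setupRememberBannedUserTest() a `$status` parameter and drive the test from a data provider over each non-activated constant. The helper name `verifyDidNotReturIdentity` is missing an `n` — rename it to `verifyDidNotReturnIdentity` at both the definition and the call in the test method. The enclosing class AuthenticatorGetIdentityTest begins before the hunk.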