Attempt to fix sign me tokens #731 and #719

This commit is contained in:
the-djmaze 2022-12-01 23:00:00 +01:00
parent 4d0ee8736b
commit f2aba8b11d
3 changed files with 17 additions and 18 deletions

View file

@ -323,18 +323,20 @@ trait UserAuth
{
$sSignMeToken = Utils::GetCookie(self::AUTH_SIGN_ME_TOKEN_KEY);
if ($sSignMeToken) {
\SnappyMail\Log::notice(self::AUTH_SIGN_ME_TOKEN_KEY, 'decrypt');
$aResult = \SnappyMail\Crypt::DecryptUrlSafe($sSignMeToken);
if (isset($aResult['e'], $aResult['u']) && \SnappyMail\UUID::isValid($aResult['u'])) {
return $aResult;
}
\SnappyMail\Log::notice(self::AUTH_SIGN_ME_TOKEN_KEY, 'invalid');
Utils::ClearCookie(self::AUTH_SIGN_ME_TOKEN_KEY);
}
return null;
}
private function SetSignMeToken(MainAccount $oAccount): void
{
// $this->ClearSignMeData();
$this->ClearSignMeData();
$uuid = \SnappyMail\UUID::generate();
$data = \SnappyMail\Crypt::Encrypt($oAccount);
Utils::SetCookie(

View file

@ -144,6 +144,12 @@ class Utils
*/
if (\strlen($sValue)) {
$_COOKIE[$sName] = $sValue;
} else {
if (!isset($_COOKIE[$sName])) {
return;
}
unset($_COOKIE[$sName]);
$iExpire = \time() - 3600 * 24 * 30;
}
// Cookie "$sName" has been rejected because it is already expired.
@ -203,23 +209,14 @@ class Utils
$aSplit = \explode('~', $sCookieName);
if (isset($aSplit[1]) && $aSplit[0] == $sName && $aSplit[1] > $i) {
\SnappyMail\Log::debug('COOKIE', "unset {$sCookieName}");
unset($_COOKIE[$sCookieName]);
static::_SetCookie($sCookieName, '', \time() - 3600 * 24 * 30);
static::_SetCookie($sCookieName, '', 0);
}
}
}
public static function ClearCookie(string $sName)
{
if (isset($_COOKIE[$sName])) {
$sPath = static::$CookieDefaultPath;
foreach (\array_keys($_COOKIE) as $sCookieName) {
if (\strtok($sCookieName, '~') === $sName) {
unset($_COOKIE[$sCookieName]);
static::_SetCookie($sCookieName, '', \time() - 3600 * 24 * 30);
}
}
}
static::_SetCookie($sName, '', 0);
}
public static function UrlEncode(string $sV, bool $bEncode = false) : string

View file

@ -119,7 +119,7 @@ abstract class Crypt
return ['xxtea', $salt, static::XxteaEncrypt($data, $salt, $key)];
/*
if (static::{"{$result[0]}Decrypt"}($result[2], $result[1], $key) !== $data) {
throw new \Exception('Encrypt/Decrypt mismatch');
throw new \RuntimeException('Encrypt/Decrypt mismatch');
}
*/
}
@ -159,7 +159,7 @@ abstract class Crypt
\str_pad('', \SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES, static::Passphrase($key))
);
if (!$result) {
throw new \Exception('Sodium encryption failed');
throw new \RuntimeException('Sodium encryption failed');
}
return $result;
}
@ -173,7 +173,7 @@ abstract class Crypt
throw new \Exception('openssl_decrypt not callable');
}
if (!static::$cipher) {
throw new \Exception('openssl $cipher not set');
throw new \RuntimeException('openssl $cipher not set');
}
Log::debug('Crypt', 'openssl_decrypt() with cipher ' . static::$cipher);
return \openssl_decrypt(
@ -194,7 +194,7 @@ abstract class Crypt
throw new \Exception('openssl_encrypt not callable');
}
if (!static::$cipher) {
throw new \Exception('openssl $cipher not set');
throw new \RuntimeException('openssl $cipher not set');
}
Log::debug('Crypt', 'openssl_encrypt() with cipher ' . static::$cipher);
$result = \openssl_encrypt(
@ -205,7 +205,7 @@ abstract class Crypt
$iv
);
if (!$result) {
throw new \Exception('OpenSSL encryption with ' . static::$cipher . ' failed');
throw new \RuntimeException('OpenSSL encryption with ' . static::$cipher . ' failed');
}
return $result;
}
@ -231,7 +231,7 @@ abstract class Crypt
? \xxtea_encrypt($data, $key)
: \MailSo\Base\Xxtea::encrypt($data, $key);
if (!$result) {
throw new \Exception('Xxtea encryption failed');
throw new \RuntimeException('Xxtea encryption failed');
}
return $result;
}