From b163f4d764d74b81cd91b53e99931a1a757589e7 Mon Sep 17 00:00:00 2001
From: Anonymous Contributor
Date: Tue, 29 Aug 2023 13:55:12 +0200
Subject: [PATCH] Add middleware functionality
---
app/middleware/AdminMiddleware.php | 16 ++++++++
app/middleware/LoginRequiredMiddleware.php | 45 ++++++++++++++++++++++
app/middleware/Middleware.php | 10 +++++
app/middleware/PreSessionMiddleware.php | 23 +++++++++++
app/middleware/SessionMiddleware.php | 45 ++++++++++++++++++++++
5 files changed, 139 insertions(+)
create mode 100644 app/middleware/AdminMiddleware.php
create mode 100644 app/middleware/LoginRequiredMiddleware.php
create mode 100644 app/middleware/Middleware.php
create mode 100644 app/middleware/PreSessionMiddleware.php
create mode 100644 app/middleware/SessionMiddleware.php
diff --git a/app/middleware/AdminMiddleware.php b/app/middleware/AdminMiddleware.php
new file mode 100644
index 0000000..e12deae
--- /dev/null
+++ b/app/middleware/AdminMiddleware.php
@@ -0,0 +1,16 @@
+ 100;
+ }
+
+ return false;
+ }
+}
\ No newline at end of file
diff --git a/app/middleware/LoginRequiredMiddleware.php b/app/middleware/LoginRequiredMiddleware.php
new file mode 100644
index 0000000..37bed41
--- /dev/null
+++ b/app/middleware/LoginRequiredMiddleware.php
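Review bot: The admin threshold is a bare literal `100` in the comparison that ends on the first visible line of the hunk, with nothing naming what level counts as administrative; a class constant such as `private const ADMIN_LEVEL = 100;` used in that comparison would document the intent and keep the threshold in one place if other middleware needs it. Most of this hunk's text (the opening tag, the class header and the left-hand side of that comparison) is not recoverable in this rendering, so the condition itself could not be reviewed and the surrounding method starts before the first recoverable line.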
@@ -0,0 +1,45 @@
+connProvider = $connProvider;
+ }
+
+ public function canAccess(): bool
+ {
+ parent::handleSession();
+ if (isset($_SESSION['UUID'])) {
+ // User level or existence of account may have changed since session was created
+ $getLevel = $this->connProvider->db()->prepare('SELECT UserLevel FROM UserAccounts WHERE PrincipalID = ?');
+ $getLevel->execute([$_SESSION['UUID']]);
+ if ($row = $getLevel->fetch()) {
+ $_SESSION['LEVEL'] = $row['UserLevel'];
+ session_set_cookie_params(86400);
+ return true;
+ }
+ else {
+ session_unset();
+ session_destroy();
+ return false;
+ }
+ }
+
+ return false;
+ }
+
+ public function handleUnauthorized(): void
+ {
+ header('Location: index.php?page=login');
+ }
+}
\ No newline at end of file
diff --git a/app/middleware/Middleware.php b/app/middleware/Middleware.php
new file mode 100644
index 0000000..7641702
--- /dev/null
+++ b/app/middleware/Middleware.php
@@ -0,0 +1,10 @@
+cookieDomain = $cookieDomain;
+ $this->cookieLifetime = $cookieLifetime;
+ }
+
+ protected function handleSession(): void
+ {
+ switch(session_status()) {
+ case PHP_SESSION_DISABLED:
+ throw new UnexpectedValueException("Session functionality is disabled");
+ break;
+ case PHP_SESSION_NONE:
+ session_set_cookie_params([
+ 'lifetime' => $this->cookieLifetime,
+ 'path' => '/',
+ 'domain' => $this->cookieDomain,
+ 'httponly' => true,
+ 'secure' => true,
+ 'samesite' => 'Strict'
+ ]);
+ session_start();
+ break;
+ default:
+ break;
+ }
+
+ if(!isset($_SESSION['csrf']) || strlen($_SESSION['csrf']) != 64) {
+ $_SESSION['csrf'] = bin2hex(random_bytes(32));
+ }
+ }
+}
\ No newline at end of file
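Review bot: `session_set_cookie_params(86400);` in canAccess() runs after parent::handleSession() has already started the session, and PHP refuses to change the cookie parameters of an active session (it warns and returns false), so the call has no effect; even if it did take effect, the integer form would drop the httponly/secure/samesite flags the base class sets. Remove the line, or pass the intended lifetime to the base class so it is applied before session_start(). The session_unset()/session_destroy() branch leaves the client's session cookie in place; expiring it there with `setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);` keeps a stale cookie from being re-sent on every request. handleUnauthorized() sends a Location header but does not stop execution, so unless the dispatcher exits after calling it (not visible here) the protected page body is still rendered; `header('Location: index.php?page=login'); exit;` or a documented contract that the caller stops would close that. The class header and the start of the constructor are not recoverable in this rendering.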
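Review bot: In handleSession() the `break;` after `throw new UnexpectedValueException(...)` is unreachable, and the result of `session_start()` on the PHP_SESSION_NONE branch is not checked, so a failed start falls through to the CSRF block and the token is written into a `$_SESSION` that is never persisted. `if (!session_start()) { throw new RuntimeException('Could not start session'); }` makes that failure visible instead of surfacing later as a CSRF mismatch. The length check `strlen($_SESSION['csrf']) != 64` uses a loose comparison; `!== 64` is the strict form and costs nothing here. The default branch (session already active) silently keeps whatever cookie parameters the earlier session_start() used, so the httponly/secure/samesite hardening applies only when this middleware is the one starting the session — presumably intended, but worth a comment such as `// Cookie flags are only applied when we start the session; an already-active session keeps its own.` The constructor's opening lines and the class header are not recoverable in this rendering.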