rgutierrez/resq
1
0
Fork 0
Code Issues 126 Pull requests 49 Projects Releases 4 Packages Wiki Activity Actions

Fix signature issue and remove old token subscriber #164

Browse source
This commit is contained in:
Kendrick Chan 2018-10-23 03:01:52 +08:00
parent a2be71a001
commit 3ac8b8e53d
4 changed files with 26 additions and 156 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
catalyst/api-bundle/Command/UserCreateCommand.php
View file

@ -41,8 +41,8 @@ class UserCreateCommand extends Command
$this->em->persist($user); $this->em->persist($user);
$this->em->flush(); $this->em->flush();
$output->write('API Key - ' . $user->getAPIKey()); $output->write('API Key - ' . $user->getAPIKey() . "\n");
$output->write('Secret Key - ' . $user->getSecretKey()); $output->write('Secret Key - ' . $user->getSecretKey() . "\n");
} }

122
catalyst/api-bundle/EventSubscriber/TokenSubscriber.php
View file

@ -1,122 +0,0 @@
<?php
namespace Catalyst\APIBundle\EventSubscriber;
use Catalyst\APIBundle\Controller\APIController;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Event\FilterControllerEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\KernelEvents;
use Doctrine\ORM\EntityManagerInterface;
use DateTime;
class TokenSubscriber implements EventSubscriberInterface
{
const HEADER_API_KEY = 'X-Cata-API-Key';
const HEADER_SIGNATURE = 'X-Cata-Signature';
const HEADER_DATE = 'X-Cata-Date';
const DATE_FORMAT = 'D, d M Y H:i:s T';
const QUERY_API_KEY = 'api_key';
const QUERY_SIGNATURE = 'sig';
// 30 minute time limit
const TIME_LIMIT = 1800;
protected $em;
public function __construct(EntityManagerInterface $em)
{
$this-> em = $em;
}
protected function getSecretKey($api_key)
{
return 'sldkfjlksdjflksdjflksdjflsjf';
}
protected function validateSignature($req, $hdate_string, $secret_key, $sig)
{
// get needed params for generation
$method = $req->getRealMethod();
$uri = $req->getRequestUri();
$elements = [$method, $uri, $hdate_string, $secret_key];
$sig_source = implode('|', $elements);
error_log($sig_source);
// generate signature
$raw_sig = hash_hmac('sha1', $sig_source, $secret_key, true);
$enc_sig = base64_encode($raw_sig);
error_log($enc_sig);
if ($enc_sig != trim($sig))
throw new AccessDeniedHttpException('Invalid signature.');
}
public function onKernelController(FilterControllerEvent $event)
{
$controller = $event->getController();
// not a controller class? (docs said to handle)
if (!is_array($controller))
return;
// not an api controller
if (!($controller[0] instanceof APIController))
return;
$req = $event->getRequest();
// check date from headers
$headers = $req->headers->all();
$hdate_string = $req->headers->get(self::HEADER_DATE);
if ($hdate_string == null)
throw new AccessDeniedHttpException('No date specified.');
$hdate = DateTime::createFromFormat(self::DATE_FORMAT, $hdate_string);
if ($hdate == null)
throw new AccessDeniedHttpException('Invalid date specified.');
// get number of seconds difference
$date_now = new DateTime();
$date_diff = abs($date_now->getTimestamp() - $hdate->getTimestamp());
// time difference is too much
if ($date_diff > self::TIME_LIMIT)
throw new AccessDeniedHttpException('Clock synchronization error.');
// api key header
$api_key = $req->headers->get(self::HEADER_API_KEY);
if ($api_key == null)
throw new AccessDeniedHttpException('No api key sent.');
// check valid api key
$secret_key = $this->getSecretKey($api_key);
// signature header
$sig = $req->headers->get(self::HEADER_SIGNATURE);
if ($sig == null)
throw new AccessDeniedHttpException('No signature sent.');
// check valid signature
$this->validateSignature($req, $hdate_string, $secret_key, $sig);
return;
}
public static function getSubscribedEvents()
{
return [
KernelEvents::CONTROLLER => 'onKernelController',
];
}
}

51
catalyst/api-bundle/Security/APIKeyAuthenticator.php
View file

@ -40,13 +40,14 @@ class APIKeyAuthenticator implements SimplePreAuthenticatorInterface, Authentica
return 'sldkfjlksdjflksdjflksdjflsjf'; return 'sldkfjlksdjflksdjflksdjflsjf';
} }
protected function validateSignature($req, $hdate_string, $secret_key, $sig) protected function validateSignature($creds, $secret_key)
{ {
// get needed params for generation $elements = [
$method = $req->getRealMethod(); $creds['method'],
$uri = $req->getRequestUri(); $creds['uri'],
$creds['date'],
$elements = [$method, $uri, $hdate_string, $secret_key]; $secret_key,
];
$sig_source = implode('|', $elements); $sig_source = implode('|', $elements);
error_log($sig_source); error_log($sig_source);
@ -57,8 +58,8 @@ class APIKeyAuthenticator implements SimplePreAuthenticatorInterface, Authentica
error_log($enc_sig); error_log($enc_sig);
if ($enc_sig != trim($sig)) if ($enc_sig != trim($creds['signature']))
throw new BadCredentialsException('Invalid signature.'); throw new CustomUserMessageAuthenticationException('Invalid signature.');
} }
@ -86,20 +87,23 @@ class APIKeyAuthenticator implements SimplePreAuthenticatorInterface, Authentica
if ($date_diff > self::TIME_LIMIT) if ($date_diff > self::TIME_LIMIT)
throw new BadCredentialsException('Clock synchronization error.'); throw new BadCredentialsException('Clock synchronization error.');
// check valid api key
$secret_key = $this->getSecretKey($api_key);
// signature header // signature header
$sig = $req->headers->get(self::HEADER_SIGNATURE); $sig = $req->headers->get(self::HEADER_SIGNATURE);
if ($sig == null) if ($sig == null)
throw new BadCredentialsException('No signature sent.'); throw new BadCredentialsException('No signature sent.');
// check valid signature // credentials
$this->validateSignature($req, $hdate_string, $secret_key, $sig); $creds = [
'api_key' => $api_key,
'date' => $hdate_string,
'signature' => $sig,
'method' => $req->getRealMethod(),
'uri' => $req->getRequestUri(),
];
return new PreAuthenticatedToken( return new PreAuthenticatedToken(
'anonymous', 'anonymous',
$api_key, $creds,
$provider_key $provider_key
); );
} }
@ -121,24 +125,17 @@ class APIKeyAuthenticator implements SimplePreAuthenticatorInterface, Authentica
); );
} }
$api_key = $token->getCredentials(); $creds = $token->getCredentials();
$api_key = $creds['api_key'];
$user = $user_provider->getUserByAPIKey($api_key); $user = $user_provider->getUserByAPIKey($api_key);
/* // check if api key is valid
$username = $user_provider->getUsernameForAPIKey($api_key);
if (!$username)
{
// CAUTION: this message will be returned to the client
// (so don't put any un-trusted messages / error strings here)
throw new CustomUserMessageAuthenticationException(
sprintf('API Key "%s" does not exist.', $api_key)
);
}
*/
if (!$user) if (!$user)
throw new CustomUserMessageAuthenticationException('Invalid API Key'); throw new CustomUserMessageAuthenticationException('Invalid API Key');
// check if signature is valid
$this->validateSignature($creds, $user->getSecretKey());
// $user = $user_provider->loadUserByUsername($username); // $user = $user_provider->loadUserByUsername($username);
return new PreAuthenticatedToken( return new PreAuthenticatedToken(

5
config/services.yaml
View file

@ -76,11 +76,6 @@ services:
$ip_address: "%env(APNS_REDIS_IP_ADDRESS)%" $ip_address: "%env(APNS_REDIS_IP_ADDRESS)%"
$port: "%env(APNS_REDIS_PORT)%" $port: "%env(APNS_REDIS_PORT)%"
Catalyst\APIBundle\EventSubscriber\TokenSubscriber:
arguments:
$em: "@doctrine.orm.entity_manager"
tags: ['kernel.event_subscriber']
Catalyst\APIBundle\Security\APIKeyUserProvider: Catalyst\APIBundle\Security\APIKeyUserProvider:
arguments: arguments:
$em: "@doctrine.orm.entity_manager" $em: "@doctrine.orm.entity_manager"