1:   2:   3:   4:   5:   6:   7:   8:   9:  10:  11:  12:  13:  14:  15:  16:  17:  18:  19:  20:  21:  22:  23:  24:  25:  26:  27:  28:  29:  30:  31:  32:  33:  34:  35:  36:  37:  38:  39:  40:  41:  42:  43:  44:  45:  46:  47:  48:  49:  50:  51:  52:  53:  54:  55:  56:  57:  58:  59:  60:  61:  62:  63:  64:  65:  66:  67:  68:  69:  70:  71:  72:  73:  74:  75:  76:  77:  78:  79:  80:  81:  82:  83:  84:  85:  86:  87:  88:  89:  90:  91:  92:  93:  94:  95:  96:  97:  98:  99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 

<?php

/**
 * MvcCore
 *
 * This source file is subject to the BSD 3 License
 * For the full copyright and license information, please view
 * the LICENSE.md file that are distributed with this source code.
 *
 * @copyright   Copyright (c) 2016 Tom Flidr (https://github.com/mvccore)
 * @license     https://mvccore.github.io/docs/mvccore/5.0.0/LICENCE.md
 */

namespace MvcCore\Ext\Form;

/**
 * Trait for class `MvcCore\Ext\Form` containing methods to create, get and 
 * verify CSRF tokens and to process CSRF error handlers if tokens are not valid.
 */
trait Csrf {

    /**
     * Call all CSRF (Cross Site Request Forgery) error handlers in static queue.
     * @param \MvcCore\Ext\Form $form The form instance where CSRF error happened.
     * @param string $errorMsg Translated error message about CSRF invalid tokens.
     * @return void
     */
    public static function ProcessCsrfErrorHandlersQueue (\MvcCore\Ext\IForm $form, $errorMsg) {
        $request = $form->GetRequest();
        $response = $form->GetResponse();
        foreach (static::$csrfErrorHandlers as $handlersRecord) {
            list ($handler, $isClosure) = $handlersRecord;
            try {
                if ($isClosure) {
                    $handler($form, $request, $response, $errorMsg);
                } else {
                    call_user_func($handler, $form, $request, $response, $errorMsg);
                }
            } catch (\Exception $e) { // backward compatibility
                $debugClass = $form->GetApplication()->GetDebugClass();
                $debugClass::Log($e, \MvcCore\IDebug::CRITICAL);
            } catch (\Throwable $e) {
                $debugClass = $form->GetApplication()->GetDebugClass();
                $debugClass::Log($e, \MvcCore\IDebug::CRITICAL);
            }
        }
    }

    /**
     * Enable or disable CSRF checking, enabled by default.
     * @param bool $enabled 
     * @return \MvcCore\Ext\Form
     */
    public function SetEnableCsrf ($enabled = TRUE) {
        /** @var $this \MvcCore\Ext\Form */
        $this->csrfEnabled = $enabled;
        return $this;
    }

    /**
     * Return current CSRF (Cross Site Request Forgery) hidden
     * input name and it's value as `\stdClass`with  keys `name` and `value`.
     * @return \stdClass
     */
    public function GetCsrf () {
        $session = & $this->getSession();
        list($name, $value) = $session->csrf;
        return (object) ['name' => $name, 'value' => $value];
    }

    /**
     * Check CSRF (Cross Site Request Forgery) sent tokens from user with session tokens.
     * If tokens are different, add form error and process CSRF error handlers queue.
     * If there is any exception caught in CSRF error handlers queue, it's logged
     * by configured core debug class with `CRITICAL` flag.
     * @param array $rawRequestParams Raw request params given into `Submit()` method or all `\MvcCore\Request` params.
     * @return \MvcCore\Ext\Form
     */
    public function SubmitCsrfTokens (array & $rawRequestParams = []) {
        /** @var $this \MvcCore\Ext\Form */
        if (!$this->csrfEnabled) return $this;
        $result = FALSE;
        $session = & $this->getSession();
        list($name, $value) = $session->csrf 
            ? $session->csrf : 
            [NULL, NULL];
        if ($name !== NULL && $value !== NULL)
            if (isset($rawRequestParams[$name]) && $rawRequestParams[$name] === $value)
                $result = TRUE;
        if (!$result) {
            $errorMsg = $this->GetDefaultErrorMsg(\MvcCore\Ext\Forms\IError::CSRF);
            if ($this->translate)
                $errorMsg = call_user_func($this->translator, $errorMsg);
            $this->AddError($errorMsg);
            static::ProcessCsrfErrorHandlersQueue($this, $errorMsg);
        }
        return $this;
    }

    /**
     * Create new fresh CSRF (Cross Site Request Forgery) tokens,
     * store them in current form session namespace and return them.
     * @return \string[]
     */
    public function SetUpCsrf () {
        $requestUrl = $this->request->GetBaseUrl() . $this->request->GetPath();
        if (function_exists('openssl_random_pseudo_bytes')) {
            $randomHash = bin2hex(openssl_random_pseudo_bytes(32));
        } else if (PHP_VERSION_ID >= 70000) {
            $randomHash = bin2hex(random_bytes(32));
        } else {
            $randomHash = '';
            for ($i = 0; $i < 32; $i++) 
                $randomHash .= str_pad(dechex(rand(0,255)),2,'0',STR_PAD_LEFT);
        }
        $nowTime = (string)time();
        $name = '____'.sha1($this->id . $requestUrl . 'name' . $nowTime . $randomHash);
        $value = sha1($this->id . $requestUrl . 'value' . $nowTime . $randomHash);
        $session = & $this->getSession();
        $session->csrf = [$name, $value];
        return [$name, $value];
    }
}