diff --git a/server/src/Controller/TaskController.php b/server/src/Controller/TaskController.php index 650fb7d..644df41 100644 --- a/server/src/Controller/TaskController.php +++ b/server/src/Controller/TaskController.php @@ -5,7 +5,7 @@ namespace App\Controller; use App\Service\JsonResponse; use App\Service\Database; use App\Repository\TaskRepository; -use App\Service\Security; +use App\Service\Request; use App\Service\Session; /** @@ -15,17 +15,20 @@ use App\Service\Session; class TaskController { private $db; + private $request; private $jsonResponse; private $session; private $security; + private $repository; public function __construct() { $this->db = new Database(); + $this->request = new Request(); $this->jsonResponse = new JsonResponse(); $this->repository = new TaskRepository($this->db); - $this->session = new Session(); - $this->security = new Security(); + $this->session = new Session($this->db, $this->jsonResponse); + $this->security = $this->session->security; } /** @@ -44,7 +47,7 @@ class TaskController } /** - * Get all tasks + * Get task by id * * Route: /tasks/$id * Method: GET 
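Review bot: In the constructor hunk, `$this->security = $this->session->security;` takes the authorization service out of a public, untyped property that Session fills by calling `new Security($this, $jsonResponse)`, so Session and Security now reference each other and the controller depends on Session's internals; the same shape appears in the Session hunk (`public $security;`). If the shared instance is intended, document it on the declaration, e.g. `/** @var Security shared instance built by Session; do not construct a second one */`; otherwise construct Security once here and pass it into Session instead of exposing it as a public property. The new `$request` and `$repository` properties are declared without types like the existing ones; `private Request $request;` is the stricter form if the project's PHP version allows typed properties.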
@@ -66,29 +69,25 @@ class TaskController */ public function post() { - if ($this->security->isLogged($_COOKIE['session'])) { - $code = 403; - $message = 'You are not authentified.'; - $data = []; - - print $this->jsonResponse->create($code, $message, $data); + if (!$this->security->isLogged()) { + print $this->security->NotAllowedRequest(); exit(); } - if (empty($_POST['title']) || empty($_POST['description'])) { + $content = $this->request->getContentAsArray(); + + if (empty($content['title']) || empty($content['description'])) { $code = 400; $message = 'Bad parameters.'; - $data = []; - print $this->jsonResponse->create($code, $message, $data); + print $this->jsonResponse->create($code, $message); exit(); } $task = $this->repository->create([ 'user_id' => 1, - 'title' => $_POST['title'], - 'description' => $_POST['description'], - 'creation_date' => new \DateTime(), + 'title' => $content['title'], + 'description' => $content['description'], 'status' => 1 ]); @@ -122,9 +121,17 @@ class TaskController */ public function delete($id) { - //verify auth - //verify csrf - //verify if author + if (!$this->security->isLogged()) { + print $this->security->NotAllowedRequest(); + exit(); + } + + $task = $this->repository->findOneById($id); + + if ($task['user_id'] !== 1) { + print $this->security->NotAllowedRequest(); + exit(); + } $this->repository->deleteById($id); diff --git a/server/src/Service/Database.php b/server/src/Service/Database.php index 7c919a1..3d5c294 100644 --- a/server/src/Service/Database.php +++ b/server/src/Service/Database.php 
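Review bot: In post(), the created task is still stored with `'user_id' => 1` even though the request is now gated on `$this->security->isLogged()`, so any authenticated caller's task is attributed to user 1 rather than to the session owner. The owner id should come from the resolved session (how the current user id is exposed is not visible in this diff), e.g. `'user_id' => $session['user_id'],`. Separately, `empty($content['title'])` also rejects a title of `'0'`; `!isset($content['title']) || $content['title'] === ''` is the stricter check if that matters. With `isLogged()` as defined in the Security hunk (unconditional `return false;`) this endpoint currently rejects every request.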
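Review bot: In delete(), the ownership check `if ($task['user_id'] !== 1)` compares against a literal user id rather than the id of the logged-in session, so only user 1's tasks can ever be deleted and, once real sessions exist, any authenticated user could delete them; it should read `if ($task['user_id'] !== $currentUserId)`, with the comparison matching the type the repository actually returns (an int column fetched as a string is never `!==`-equal to an int). `findOneById($id)` returning `false`/`null` for an unknown id is not handled before `$task['user_id']` is read; a `if (!$task) { /* 404 */ }` guard ahead of the ownership check avoids the warning and gives the right status. The `//verify csrf` reminder is dropped without a replacement in this diff (`Security::isValidCsrf` is removed in the Security hunk); if the new token travels in a header rather than a cookie, a one-line comment saying so would explain why the check is no longer needed.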
@@ -8,47 +8,45 @@ namespace App\Service; */ class Database { - private $dotEnvParser; private $conn; + private $dsn; + private $options; /** * Database constructor. */ public function __construct() { - $this->dotEnvParser = new DotEnvParser(); - $this->dotEnvParser - ->parse() - ->toEnv() - ->toArray(); + $this->conn = null; - $dsn = "mysql:host=" . $_ENV['MYSQL_HOST'] . ";dbname=" . $_ENV['MYSQL_DBNAME']; - $options = array( + $this->dsn = "mysql:host=" . getenv('MYSQL_HOST') . ":".getenv('MYSQL_PORT').";dbname=" . getenv('MYSQL_DBNAME'); + $this->options = array( \PDO::ATTR_PERSISTENT => true, \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION ); - - try { - $this->conn = new \PDO($dsn, $_ENV['MYSQL_USER'], $_ENV['MYSQL_PASS'], $options); - } //catch any errors - catch (\PDOException $e) { - $this->error = $e->getMessage(); - } } /** * Get the PDO connection instance - * * @return \PDO */ public function getConnection() { + if (is_null($this->conn)) { + try { + $this->conn = new \PDO($this->dsn, getenv('MYSQL_USER'), getenv('MYSQL_PASS'), $this->options); + } //catch any errors + catch (\PDOException $e) { + exit($e->getMessage()); + } + } + return $this->conn; } /** * Handle PDO execution errors - * @param PDOStatement $stmt + * @param \PDOStatement $stmt * @return void */ public function errorHandler(\PDOStatement $stmt) : void diff --git a/server/src/Service/DotEnvParser.php b/server/src/Service/DotEnvParser.php index a589846..1232735 100644 --- a/server/src/Service/DotEnvParser.php +++ b/server/src/Service/DotEnvParser.php @@ -2,7 +2,10 @@ namespace App\Service; -use josegonzalez\Dotenv\Loader; +//use M1\Env\Parser; +//use Dotenv\Dotenv; +//use \Jsefton\DotEnv\Parser; +use Codervio\Envmanager\Envparser; /** * Class DotEnvParser 
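Review bot: In getConnection(), `exit($e->getMessage());` writes the raw PDOException text into the HTTP response; for a connection failure that text can include the host, database name or user from the DSN, which is exactly what a client should not see. Log it server-side and return a generic failure instead, e.g. `error_log($e->getMessage()); http_response_code(500); exit();`, or let the exception propagate to a central handler. The DSN is built as `host=HOST:PORT`, whereas the documented PDO MySQL DSN separates these as `host=HOST;port=PORT`, so the port part may be ignored; and `getenv()` returns `false` for an unset variable, which silently becomes an empty string in the DSN, so validating the five variables once in the constructor would surface misconfiguration early. Whether anything still loads `.env` into the environment now that DotEnvParser is no longer invoked here is not visible in this diff.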
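Review bot: Three commented-out `use` lines (`//use M1\Env\Parser;` and the two after it) are left above the new `use Codervio\Envmanager\Envparser;` import; they are dead code and should be deleted rather than kept as alternatives in comments. Version control already records which libraries were tried.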
@@ -11,37 +14,18 @@ use josegonzalez\Dotenv\Loader; class DotEnvParser { private $file; - private $loader; + private $parser; public function __construct() { $this->file = __DIR__ . '/../../.env'; - $this->loader = new Loader($this->file); + + $this->parser = new Envparser($this->file); + $this->parser->load(); } - /** - * Parse the .env file - * @return bool|Loader - */ - public function parse() + public function run() { - return $this->loader->parse(); - } - - /** - * Send the parsed .env file to the $_ENV variable - * @return bool|Loader - */ - public function toEnv() - { - return $this->loader->toEnv(); - } - - /** - * @return array|null - */ - public function toArray() - { - return $this->loader->toArray(); + $this->parser->run(); } } \ No newline at end of file diff --git a/server/src/Service/JsonResponse.php b/server/src/Service/JsonResponse.php index 1642850..d314514 100644 --- a/server/src/Service/JsonResponse.php +++ b/server/src/Service/JsonResponse.php @@ -16,6 +16,8 @@ class JsonResponse 'data' => $data ]; + header('Access-Control-Allow-Origin: ' . getenv('ALLOW_ORIGIN')); + header('Accept: application/json'); header('Content-Type: application/json'); http_response_code($code); diff --git a/server/src/Service/Security.php b/server/src/Service/Security.php index 39c198c..b019321 100644 --- a/server/src/Service/Security.php +++ b/server/src/Service/Security.php @@ -13,12 +13,24 @@ class Security */ private $session; + /** + * @var JsonResponse + */ + private $jsonResponse; + + /** + * @var $secret_key + */ + private $secret_key; + /** * Security constructor. */ - public function __construct() + public function __construct(Session $session, JsonResponse $jsonResponse) { - $this->session = new Session(); + $this->session = $session; + $this->jsonResponse = $jsonResponse; + $this->secret_key = getenv('APP_SECRET'); } /** 
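Review bot: `run()` replaces three documented methods with an undocumented one that delegates to `$this->parser->run()` after the constructor has already called `$this->parser->load()`; what each call does (reading the file versus exporting values into the environment) is not visible here and should be stated on the method, e.g. `/** Export the parsed .env values into the process environment for getenv(). */` once confirmed against the Envparser API. No caller of `run()` appears in this diff while Database now reads `getenv()` directly, so please confirm the entry point invokes it before any service is constructed.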
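Review bot: `header('Access-Control-Allow-Origin: ' . getenv('ALLOW_ORIGIN'));` emits the header with an empty value when `ALLOW_ORIGIN` is unset (`getenv()` returns `false`), which browsers treat as a CORS failure with no hint of why; guard it, e.g. `$origin = getenv('ALLOW_ORIGIN'); if ($origin !== false && $origin !== '') { header('Access-Control-Allow-Origin: ' . $origin); }`. `Accept: application/json` is a request header and has no meaning on a response, so it can be dropped. A short comment on the expected value of `ALLOW_ORIGIN` (a single origin versus `*`, which browsers refuse to combine with credentials) would help whoever configures it.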
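Review bot: `$this->secret_key = getenv('APP_SECRET');` stores `false` when the variable is missing and nothing here rejects that; if the key feeds `generateToken()` (called from the Session hunk; its body is not in this diff), a missing secret silently weakens whatever it produces. Fail fast in the constructor, e.g. `if ($this->secret_key === false || $this->secret_key === '') { throw new \RuntimeException('APP_SECRET is not set'); }`. The docblock `@var $secret_key` lacks a type; `@var string` is what the annotation expects.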
@@ -35,27 +47,21 @@ class Security * @param $cookie * @return bool */ - public function isLogged($cookie) + public function isLogged() { - if (is_null($this->session->getSession($cookie))) { - return false; - } else { - return true; - } + return false; } /** - * @param $csrf - * @param $cookie - * @return bool + * @return string */ - public function isValidCsrf($csrf, $cookie) + public function NotAllowedRequest() { - if (is_null($session = $this->session->getSession($cookie))) { - return false; - } + $code = 403; + $message = 'You are not allowed to perform this request.'; + $data = []; - return $session['csrf'] === $csrf; + return $this->jsonResponse->create($code, $message, $data); } /** diff --git a/server/src/Service/Session.php b/server/src/Service/Session.php index a3dceb8..090efb6 100644 --- a/server/src/Service/Session.php +++ b/server/src/Service/Session.php @@ -8,12 +8,16 @@ namespace App\Service; */ class Session { + private $db; + public $security; + /** * Session constructor. */ - public function __construct() + public function __construct(Database $database, JsonResponse $jsonResponse) { - $this->db = new Database(); + $this->db = $database; + $this->security = new Security($this, $jsonResponse); } /** 
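Review bot: `isLogged()` now unconditionally returns `false`, so every guarded route in TaskController answers 403 regardless of the session, while the docblock above it still advertises `@param $cookie` and a real check. If this is a stub while the token flow is finished, say so where the next reader will look, e.g. `// TODO: resolve the session via Session::getSession($token) and check expire_at; denies everything until then`, and update the docblock; if it is meant to ship, it needs the lookup now. `isValidCsrf()` is removed with no replacement visible in this diff, so the `NotAllowedRequest()` path is the only guard left on state-changing routes.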
@@ -21,12 +25,15 @@ class Session * @param $csrf * @param $cookie */ - public function create($user_id, $csrf, $cookie) + public function create($user_id) { - $stmt = $this->db->getConnection()->prepare('INSERT INTO Session (user_id, csrf, cookie) VALUES(:user_id, :csrf, :cookie)'); + $token = $this->security->generateToken(); + $expire_at = new \DateTime(); + + $stmt = $this->db->getConnection()->prepare('INSERT INTO Session (user_id, token, issued_at, expire_at) VALUES(:user_id, :token, NOW(), :expire_at)'); $stmt->bindParam(':user_id', $user_id, \PDO::PARAM_INT); - $stmt->bindParam(':title', $csrf, \PDO::PARAM_STR); - $stmt->bindParam(':description', $cookie, \PDO::PARAM_STR); + $stmt->bindParam(':token', $token, \PDO::PARAM_STR); + $stmt->bindParam(':expire_at', $expire_at); $stmt->execute(); } @@ -34,10 +41,10 @@ class Session * @param $cookie * @return mixed|null */ - public function getSession($cookie) + public function getSession($token) { - $stmt = $this->db->getConnection()->prepare('SELECT * FROM Session WHERE cookie = :cookie'); - $stmt->bindParam(':cookie', $cookie); + $stmt = $this->db->getConnection()->prepare('SELECT * FROM Session WHERE token = :token'); + $stmt->bindParam(':token', $token); $stmt->execute(); $session = $stmt->fetch(\PDO::FETCH_ASSOC);
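Review bot: In create(), `$expire_at = new \DateTime();` is bound via `bindParam(':expire_at', $expire_at)` with no type, but PDO converts bound values to strings and `DateTime` has no string conversion, so `execute()` should fail with an object-to-string error; and even when formatted, the value is the creation instant, so the session would be expired the moment it is written. Bind a formatted future timestamp instead, e.g. `$expire_at = (new \DateTimeImmutable())->modify('+1 day')->format('Y-m-d H:i:s');` with the lifetime as a named class constant. The generated `$token` is not returned, so the caller has no way to hand it to the client; `return $token;` plus `@return string` on the docblock (which still lists `$csrf` and `$cookie`) would close that gap. The getSession() hunk that follows runs past the end of this chunk, but as far as it is visible it selects by token alone without consulting `expire_at`.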