Security Hardening: Phase 1-3 complete

- C1: Hash refresh tokens before DB storage (sha256) - C2: Remove JWT_SECRET fallback, fail hard if missing - H1: Enforce HTTP methods per route (405 on mismatch) - H2: CORS with origin whitelist from CORS_ORIGIN env var - H3: Redact sensitive fields (tokens, passwords) from logs - M1: Build HmacMiddleware with replay attack prevention - M2: Fix rate limiter race condition with flock LOCK_EX - M3: Guard dd() — suppressed in production - M4: Remove .env from git tracking, strengthen .gitignore - I1: Add HSTS header (max-age=31536000)
2026-05-03 21:06:17 +03:00
parent b33513ebcf
commit 214d96ee8d
11 changed files with 236 additions and 130 deletions
--- a/app/bootstrap/response.php
+++ b/app/bootstrap/response.php
@@ -1,51 +1,65 @@
 <?php
 /**
- * Standardized JSON Responses with Multi-Level Logging
+ * Standardized JSON Responses with Secure Logging
 */

 declare(strict_types=1);

 function json_response(bool $success, $data = null, ?string $message = null, int $code = 200) {
-    // 1. Prepare Log Entry
+    
+    // H3 Fix: Redact sensitive fields before logging
+    $safeData = $data;
+    if (is_array($safeData)) {
+        $sensitiveKeys = ['access_token', 'refresh_token', 'password', 'password_hash', 'refresh_token_hash', 'token'];
+        array_walk_recursive($safeData, function (&$value, $key) use ($sensitiveKeys) {
+            if (in_array(strtolower((string)$key), $sensitiveKeys, true)) {
+                $value = '[REDACTED]';
+            }
+        });
+    }
+
+    // Log (safe — no secrets)
    $logEntry = sprintf(
-        "API %s %s | Code: %d | Success: %s | Message: %s | Data: %s",
+        "API %s %s | %d | %s | %s",
        $_SERVER['REQUEST_METHOD'] ?? 'CLI',
        $_SERVER['REQUEST_URI'] ?? '',
        $code,
-        $success ? 'YES' : 'NO',
-        $message ?? 'N/A',
-        json_encode($data, JSON_UNESCAPED_UNICODE)
+        $success ? 'OK' : 'FAIL',
+        $message ?? 'N/A'
    );
-    
-    // 2. Log to Standard PHP Error Log (Visible in CloudPanel Logs)
+
    error_log($logEntry);

-    // 3. Try to log to custom app.log in storage folder
-    $logDir = STORAGE_PATH . '/logs';
+    // Try custom log file
+    $logDir  = STORAGE_PATH . '/logs';
    $logFile = $logDir . '/app.log';
-    
+
    try {
        if (!is_dir($logDir)) {
            @mkdir($logDir, 0775, true);
        }
        if (is_writable($logDir) || is_writable($logFile)) {
-            @file_put_contents($logFile, "[" . date('Y-m-d H:i:s') . "] " . $logEntry . "\n", FILE_APPEND);
+            @file_put_contents(
+                $logFile,
+                "[" . date('Y-m-d H:i:s') . "] " . $logEntry . "\n",
+                FILE_APPEND
+            );
        }
    } catch (\Exception $e) {
-        // Fallback if filesystem is locked
+        // Fallback silently
    }

-    // 4. HTTP Response
+    // HTTP Response
    header('Content-Type: application/json; charset=utf-8');
    http_response_code($code);
-    
+
    echo json_encode([
        'success'   => $success,
-        'data'      => $data,
+        'data'      => $data,       // Return real data to client
        'message'   => $message,
        'timestamp' => date('c')
    ], JSON_UNESCAPED_UNICODE);
-    
+
    exit;
 }