Hamza/musadaq-saas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security Hardening: Phase 1-3 complete

Browse Source 
- C1: Hash refresh tokens before DB storage (sha256)
- C2: Remove JWT_SECRET fallback, fail hard if missing
- H1: Enforce HTTP methods per route (405 on mismatch)
- H2: CORS with origin whitelist from CORS_ORIGIN env var
- H3: Redact sensitive fields (tokens, passwords) from logs
- M1: Build HmacMiddleware with replay attack prevention
- M2: Fix rate limiter race condition with flock LOCK_EX
- M3: Guard dd() — suppressed in production
- M4: Remove .env from git tracking, strengthen .gitignore
- I1: Add HSTS header (max-age=31536000)
This commit is contained in:
Hamza-Ayed
2026-05-03 21:06:17 +03:00
parent b33513ebcf
commit 214d96ee8d
11 changed files with 236 additions and 130 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/middleware/AuthMiddleware.php
View File

@@ -23,6 +23,11 @@ final class AuthMiddleware
$token = substr($authHeader, 7);
$secret = env('JWT_SECRET');
if (!$secret || strlen($secret) < 32) {
error_log('FATAL: JWT_SECRET is missing or too short');
json_error('Server configuration error', 500);
}
$decoded = JWT::decode($token, $secret);
if (!$decoded) {

62
app/middleware/HmacMiddleware.php Normal file
View File

@@ -0,0 +1,62 @@
<?php
/**
* HMAC Request Signature Middleware
*
* Verifies that incoming requests are signed with a shared secret,
* preventing replay attacks and ensuring request integrity.
*
* Client must send:
* X-Timestamp: Unix timestamp (seconds)
* X-HMAC-Signature: HMAC-SHA256(timestamp + "." + raw_body, HMAC_SECRET_KEY)
*/
declare(strict_types=1);
namespace App\Middleware;
use App\Core\Security;
final class HmacMiddleware
{
/**
* @param int $maxAgeSeconds Max age for replay attack window (default: 5 minutes)
*/
public static function verify(int $maxAgeSeconds = 300): void
{
$headers = getallheaders();
$signature = $headers['X-HMAC-Signature'] ?? $headers['x-hmac-signature'] ?? '';
$timestamp = $headers['X-Timestamp'] ?? $headers['x-timestamp'] ?? '';
// 1. Ensure both headers are present
if (empty($signature) || empty($timestamp)) {
json_error('Missing HMAC signature or timestamp', 401);
}
// 2. Validate timestamp is numeric
if (!ctype_digit((string)$timestamp)) {
json_error('Invalid timestamp format', 401);
}
// 3. Replay attack prevention — reject stale requests
$age = abs(time() - (int)$timestamp);
if ($age > $maxAgeSeconds) {
json_error('Request expired. Check your system clock.', 401);
}
// 4. Build the expected signature
$body = file_get_contents('php://input');
$payload = $timestamp . '.' . $body;
$secret = env('HMAC_SECRET_KEY');
if (!$secret || strlen($secret) < 32) {
error_log('FATAL: HMAC_SECRET_KEY is missing or too short in .env');
json_error('Server configuration error', 500);
}
// 5. Verify using constant-time comparison (prevents timing attacks)
if (!Security::verifySignature($payload, $signature, $secret)) {
error_log("HMAC verification failed for " . ($_SERVER['REQUEST_URI'] ?? ''));
json_error('Invalid request signature', 401);
}
}
}

80
app/middleware/RateLimitMiddleware.php
View File

@@ -1,6 +1,6 @@
<?php
/**
* Simple Rate Limiting Middleware
* Rate Limiting Middleware (File-based, Race-Condition Safe)
*/
declare(strict_types=1);
@@ -10,44 +10,62 @@ namespace App\Middleware;
final class RateLimitMiddleware
{
/**
* Basic file-based rate limiter to keep dependencies zero.
* In a production multi-server setup, switch this to Redis/DB.
* File-based rate limiter with file-lock to prevent race conditions.
* For multi-server deployments, replace with Redis.
*/
public static function check(int $maxRequests = 60, int $timeWindow = 60): void
{
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$cacheDir = STORAGE_PATH . '/cache';
$cacheFile = $cacheDir . '/rate_limit_' . md5($ip) . '.json';
// Ensure cache directory exists
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$cacheDir = STORAGE_PATH . '/cache';
$cacheFile = $cacheDir . '/rl_' . md5($ip) . '.json';
if (!is_dir($cacheDir)) {
mkdir($cacheDir, 0755, true);
}
$now = time();
$requests = [];
// Read existing requests if file exists and is writable
if (file_exists($cacheFile)) {
$content = file_get_contents($cacheFile);
if ($content !== false) {
$data = json_decode($content, true);
if (is_array($data)) {
// Filter out requests older than the time window
$requests = array_filter($data, fn($timestamp) => $timestamp > ($now - $timeWindow));
// M2 Fix: Use exclusive file lock to prevent race condition
$fp = fopen($cacheFile, 'c+');
if ($fp === false) {
// If we can't open the file, fail open (don't block all users)
return;
}
try {
flock($fp, LOCK_EX); // Exclusive lock — blocks until acquired
$now = time();
$content = stream_get_contents($fp);
$requests = [];
if (!empty($content)) {
$decoded = json_decode($content, true);
if (is_array($decoded)) {
// Keep only requests within the time window
$requests = array_values(
array_filter($decoded, fn($ts) => $ts > ($now - $timeWindow))
);
}
}
if (count($requests) >= $maxRequests) {
flock($fp, LOCK_UN);
fclose($fp);
header('Retry-After: ' . $timeWindow);
json_error('Too Many Requests. Please slow down.', 429);
}
// Record this request
$requests[] = $now;
// Write updated data back
ftruncate($fp, 0);
rewind($fp);
fwrite($fp, json_encode($requests));
} finally {
flock($fp, LOCK_UN);
fclose($fp);
}
// Check limit
if (count($requests) >= $maxRequests) {
json_error('Too Many Requests. Please try again later.', 429);
}
// Add current request
$requests[] = $now;
// Save back to file
file_put_contents($cacheFile, json_encode(array_values($requests)));
}
}