Update: 2026-05-03 17:32:57
This commit is contained in:
Hamza-Ayed
@@ -1,53 +1,34 @@
|
||||
<?php
|
||||
/**
|
||||
* Simple Authentication Middleware
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Middleware;
|
||||
|
||||
use App\Core\{Request, Response};
|
||||
use App\Services\Security\JwtService;
|
||||
use Exception;
|
||||
use App\Core\JWT;
|
||||
|
||||
final class AuthMiddleware
|
||||
{
|
||||
public function __construct(private readonly JwtService $jwtService) {}
|
||||
|
||||
public function handle(Request $request, callable $next): mixed
|
||||
public static function check(): array
|
||||
{
|
||||
$authHeader = $request->getHeader('Authorization');
|
||||
|
||||
if (!$authHeader || !str_starts_with($authHeader, 'Bearer ')) {
|
||||
Response::error('يجب تسجيل الدخول للوصول إلى هذا المورد', 'UNAUTHORIZED', 401);
|
||||
return null;
|
||||
$headers = getallheaders();
|
||||
$authHeader = $headers['Authorization'] ?? $headers['authorization'] ?? '';
|
||||
|
||||
if (!str_starts_with($authHeader, 'Bearer ')) {
|
||||
json_error('Unauthorized: Missing or invalid token', 401);
|
||||
}
|
||||
|
||||
$token = substr($authHeader, 7);
|
||||
|
||||
try {
|
||||
$decoded = $this->jwtService->verifyToken($token);
|
||||
|
||||
// Check if JTI is blacklisted
|
||||
$jti = $decoded['jti'] ?? null;
|
||||
if ($jti) {
|
||||
try {
|
||||
$redis = \App\Core\Redis::getInstance();
|
||||
if ($redis->exists('jwt_blacklist:' . $jti)) {
|
||||
Response::error('الجلسة منتهية، يرجى تسجيل الدخول من جديد', 'TOKEN_REVOKED', 401);
|
||||
return null;
|
||||
}
|
||||
} catch (\Throwable $e) {
|
||||
// Redis down — allow (fail open, log security event)
|
||||
error_log('[AUTH] JWT blacklist check failed: ' . $e->getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
$request->user = (object) $decoded;
|
||||
$request->tenantId = $decoded['tenant_id'] ?? null;
|
||||
} catch (Exception $e) {
|
||||
Response::error('جلسة العمل منتهية أو غير صالحة', 'UNAUTHORIZED', 401);
|
||||
return null;
|
||||
$secret = env('JWT_SECRET');
|
||||
|
||||
$decoded = JWT::decode($token, $secret);
|
||||
|
||||
if (!$decoded) {
|
||||
json_error('Unauthorized: Invalid or expired token', 401);
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
return $decoded;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,43 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Middleware;
|
||||
|
||||
use App\Core\{Request, Response};
|
||||
|
||||
final class CsrfMiddleware
|
||||
{
|
||||
public function handle(Request $request, callable $next): mixed
|
||||
{
|
||||
// Skip CSRF check for safe methods
|
||||
if (in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'])) {
|
||||
return $next($request);
|
||||
}
|
||||
|
||||
// For APIs, we often use a custom header or check origin
|
||||
// If we use sessions for tokens:
|
||||
if (session_status() === PHP_SESSION_NONE) {
|
||||
session_start();
|
||||
}
|
||||
|
||||
$token = $request->getHeader('X-CSRF-TOKEN') ?: ($request->getBody()['_csrf'] ?? null);
|
||||
$sessionToken = $_SESSION['csrf_token'] ?? null;
|
||||
|
||||
if (!$token || !$sessionToken || !hash_equals($sessionToken, $token)) {
|
||||
// For now, if we are purely API with Bearer token, we might skip this.
|
||||
// But if the request has a session or cookie, it's mandatory.
|
||||
|
||||
// If the Authorization header is present, we might assume it's an API call
|
||||
// that is naturally protected against CSRF if not using cookies for Auth.
|
||||
if ($request->getHeader('Authorization')) {
|
||||
return $next($request);
|
||||
}
|
||||
|
||||
Response::error('رمز الحماية (CSRF) غير صالح أو مفقود', 'CSRF_INVALID', 403);
|
||||
return null;
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
@@ -1,60 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Middleware;
|
||||
|
||||
use App\Core\{Request, Response, Redis};
|
||||
use App\Services\Security\HmacService;
|
||||
use App\Core\Database;
|
||||
|
||||
final class HmacMiddleware
|
||||
{
|
||||
public function __construct(private readonly HmacService $hmac) {}
|
||||
|
||||
public function handle(Request $request, callable $next): mixed
|
||||
{
|
||||
$publicKey = $request->getHeader('X-Api-Key');
|
||||
$signature = $request->getHeader('X-Signature');
|
||||
$timestamp = $request->getHeader('X-Timestamp');
|
||||
$nonce = $request->getHeader('X-Nonce');
|
||||
|
||||
if (!$publicKey || !$signature || !$timestamp || !$nonce) {
|
||||
Response::error('بيانات التوقيع (HMAC) ناقصة', 'HMAC_MISSING', 401);
|
||||
return null;
|
||||
}
|
||||
|
||||
// 1. Lookup Secret by Public Key
|
||||
$db = Database::getInstance();
|
||||
$stmt = $db->prepare("SELECT secret_hash, tenant_id FROM api_keys WHERE public_key = ? AND is_active = 1 LIMIT 1");
|
||||
$stmt->execute([$publicKey]);
|
||||
$apiKey = $stmt->fetch();
|
||||
|
||||
if (!$apiKey) {
|
||||
Response::error('مفتاح API غير صالح', 'HMAC_INVALID_KEY', 401);
|
||||
return null;
|
||||
}
|
||||
|
||||
// 2. Verify Signature
|
||||
// Note: secret_hash in DB is the actual secret for signing
|
||||
$isValid = $this->hmac->verify(
|
||||
$apiKey['secret_hash'],
|
||||
$request->getMethod(),
|
||||
$request->getPath(),
|
||||
$timestamp,
|
||||
$nonce,
|
||||
json_encode($request->getBody()),
|
||||
$signature
|
||||
);
|
||||
|
||||
if (!$isValid) {
|
||||
Response::error('توقيع الطلب غير صحيح', 'HMAC_INVALID_SIGNATURE', 401);
|
||||
return null;
|
||||
}
|
||||
|
||||
// 3. Set context
|
||||
$request->tenantId = $apiKey['tenant_id'];
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
@@ -1,36 +1,53 @@
|
||||
<?php
|
||||
/**
|
||||
* Simple Rate Limiting Middleware
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Middleware;
|
||||
|
||||
use App\Core\{Request, Response, Redis};
|
||||
|
||||
final class RateLimitMiddleware
|
||||
{
|
||||
/**
|
||||
* @param int $limit Requests allowed
|
||||
* @param int $window Seconds window
|
||||
* Basic file-based rate limiter to keep dependencies zero.
|
||||
* In a production multi-server setup, switch this to Redis/DB.
|
||||
*/
|
||||
public function handle(Request $request, callable $next, int $limit = 60, int $window = 60): mixed
|
||||
public static function check(int $maxRequests = 60, int $timeWindow = 60): void
|
||||
{
|
||||
$redis = Redis::getInstance();
|
||||
$ip = $_SERVER['REMOTE_ADDR'];
|
||||
$key = "ratelimit:" . md5($request->getPath() . "|" . $ip);
|
||||
|
||||
$current = $redis->get($key);
|
||||
|
||||
if ($current && (int)$current >= $limit) {
|
||||
Response::error('لقد تجاوزت الحد المسموح من الطلبات، يرجى المحاولة لاحقاً', 'RATE_LIMIT_EXCEEDED', 429);
|
||||
return null;
|
||||
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
|
||||
$cacheDir = STORAGE_PATH . '/cache';
|
||||
$cacheFile = $cacheDir . '/rate_limit_' . md5($ip) . '.json';
|
||||
|
||||
// Ensure cache directory exists
|
||||
if (!is_dir($cacheDir)) {
|
||||
mkdir($cacheDir, 0755, true);
|
||||
}
|
||||
|
||||
if (!$current) {
|
||||
$redis->setex($key, $window, 1);
|
||||
} else {
|
||||
$redis->incr($key);
|
||||
|
||||
$now = time();
|
||||
$requests = [];
|
||||
|
||||
// Read existing requests if file exists and is writable
|
||||
if (file_exists($cacheFile)) {
|
||||
$content = file_get_contents($cacheFile);
|
||||
if ($content !== false) {
|
||||
$data = json_decode($content, true);
|
||||
if (is_array($data)) {
|
||||
// Filter out requests older than the time window
|
||||
$requests = array_filter($data, fn($timestamp) => $timestamp > ($now - $timeWindow));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
|
||||
// Check limit
|
||||
if (count($requests) >= $maxRequests) {
|
||||
json_error('Too Many Requests. Please try again later.', 429);
|
||||
}
|
||||
|
||||
// Add current request
|
||||
$requests[] = $now;
|
||||
|
||||
// Save back to file
|
||||
file_put_contents($cacheFile, json_encode(array_values($requests)));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,37 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Middleware;
|
||||
|
||||
use App\Core\{Request, Response};
|
||||
|
||||
final class RoleMiddleware
|
||||
{
|
||||
/**
|
||||
* Handle the request.
|
||||
*
|
||||
* @param Request $request
|
||||
* @param callable $next
|
||||
* @param string ...$roles
|
||||
* @return mixed
|
||||
*/
|
||||
public function handle(Request $request, callable $next, string ...$roles): mixed
|
||||
{
|
||||
$user = $request->user ?? null;
|
||||
|
||||
if (!$user) {
|
||||
Response::error('يجب تسجيل الدخول للوصول إلى هذا المورد', 'UNAUTHORIZED', 401);
|
||||
return null;
|
||||
}
|
||||
|
||||
// Check if user role is in the allowed roles
|
||||
// $user->role is an object property since we cast it in AuthMiddleware
|
||||
if (!in_array($user->role, $roles)) {
|
||||
Response::error('غير مسموح لك بالقيام بهذا الإجراء', 'FORBIDDEN', 403);
|
||||
return null;
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
@@ -1,43 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Middleware;
|
||||
|
||||
use App\Core\{Request, Response, Database};
|
||||
|
||||
final class TenantMiddleware
|
||||
{
|
||||
public function handle(Request $request, callable $next): mixed
|
||||
{
|
||||
$tenantId = $request->tenantId ?? null;
|
||||
|
||||
if (!$tenantId) {
|
||||
Response::error('المستأجر غير معروف', 'TENANT_NOT_FOUND', 400);
|
||||
return null;
|
||||
}
|
||||
|
||||
// Check if tenant exists and is active
|
||||
try {
|
||||
$db = Database::getInstance();
|
||||
$stmt = $db->prepare("SELECT status FROM tenants WHERE id = ? AND deleted_at IS NULL");
|
||||
$stmt->execute([$tenantId]);
|
||||
$tenant = $stmt->fetch();
|
||||
|
||||
if (!$tenant) {
|
||||
Response::error('المستأجر غير موجود', 'TENANT_NOT_FOUND', 404);
|
||||
return null;
|
||||
}
|
||||
|
||||
if ($tenant['status'] === 'suspended') {
|
||||
Response::error('تم إيقاف حساب المستأجر', 'TENANT_SUSPENDED', 403);
|
||||
return null;
|
||||
}
|
||||
} catch (\Exception $e) {
|
||||
Response::error('خطأ في الاتصال بقاعدة البيانات', 'DATABASE_ERROR', 500);
|
||||
return null;
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user