From d9707c2281087fa85812ab9c991e0a0f8aa4538b Mon Sep 17 00:00:00 2001
From: Maurits van der Schee <maurits@vdschee.nl>
Date: Sun, 18 Apr 2021 14:11:16 +0200
Subject: [PATCH 1/4] wip
---
 .../Middleware/QueryQuotaMiddleware.php | 57 +++++++++++++++++++
 .../Middleware/RateLimitMiddleware copy.php | 57 +++++++++++++++++++
 2 files changed, 114 insertions(+)
 create mode 100644 src/Tqdev/PhpCrudApi/Middleware/QueryQuotaMiddleware.php
 create mode 100644 src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware copy.php
diff --git a/src/Tqdev/PhpCrudApi/Middleware/QueryQuotaMiddleware.php b/src/Tqdev/PhpCrudApi/Middleware/QueryQuotaMiddleware.php
new file mode 100644
index 00000000..0440c328
--- /dev/null
+++ b/src/Tqdev/PhpCrudApi/Middleware/QueryQuotaMiddleware.php
@@ -0,0 +1,57 @@
+<?php
+
+namespace Tqdev\PhpCrudApi\Middleware;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Tqdev\PhpCrudApi\Controller\Responder;
+use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
+use Tqdev\PhpCrudApi\Record\ErrorCode;
+
+class QueryQuotaMiddleware extends Middleware
+{
+ private function ipMatch(string $ip, string $cidr): bool
+ {
+ if (strpos($cidr, '/') !== false) {
+ list($subnet, $mask) = explode('/', trim($cidr));
+ if ((ip2long($ip) & ~((1 << (32 - $mask)) - 1)) == ip2long($subnet)) {
+ return true;
+ }
+ } else {
+ if (ip2long($ip) == ip2long($cidr)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private function isIpAllowed(string $ipAddress, string $allowedIpAddresses): bool
+ {
+ foreach (explode(',', $allowedIpAddresses) as $allowedIp) {
+ if ($this->ipMatch($ipAddress, $allowedIp)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
+ {
+ $reverseProxy = $this->getProperty('reverseProxy', '');
+ if ($reverseProxy) {
+ $ipAddress = array_pop(explode(',', $request->getHeader('X-Forwarded-For')));
+ } elseif (isset($_SERVER['REMOTE_ADDR'])) {
+ $ipAddress = $_SERVER['REMOTE_ADDR'];
+ } else {
+ $ipAddress = '127.0.0.1';
+ }
+ $allowedIpAddresses = $this->getProperty('allowedIpAddresses', '');
+ if (!$this->isIpAllowed($ipAddress, $allowedIpAddresses)) {
+ $response = $this->responder->error(ErrorCode::TEMPORARY_OR_PERMANENTLY_BLOCKED, '');
+ } else {
+ $response = $next->handle($request);
+ }
+ return $response;
+ }
+}
diff --git a/src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware copy.php b/src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware copy.php
new file mode 100644
index 00000000..892e5d1d
--- /dev/null
+++ b/src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware copy.php
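Review bot: `ipMatch` compares `ip2long()` results with `==`, and `ip2long()` returns `false` for anything it cannot parse (an IPv6 client address, an entry left with whitespace by the comma split, the empty entry produced by an empty `allowedIpAddresses`), so an unparseable client address compares equal to an unparseable list entry and is let through; parse both sides first and reject `false` explicitly, as in the rewrite below, which also masks the subnet side and bounds the prefix length. In `process`, PSR-7 `getHeader()` returns an array of values, so `explode(',', $request->getHeader('X-Forwarded-For'))` is not handed a string; use `getHeaderLine('X-Forwarded-For')` and assign the exploded array to a variable before `array_pop()`, which takes its argument by reference. Only the right-most X-Forwarded-For entry is used, which is the correct choice when exactly one trusted proxy appends to the header, so that assumption deserves a comment on the `reverseProxy` branch, e.g. `// right-most entry is the one written by the trusted proxy in front of us`. The same body is added as `RateLimitMiddleware copy.php` in this patch and as `RateLimitMiddleware.php` in patch 3, and these points apply there too. `Responder` is imported but unused in all three files.
```php
    private function ipMatch(string $ip, string $cidr): bool
    {
        $ipLong = ip2long(trim($ip));
        if ($ipLong === false) {
            return false;
        }
        $cidr = trim($cidr);
        if (strpos($cidr, '/') === false) {
            return ip2long($cidr) === $ipLong;
        }
        list($subnet, $mask) = explode('/', $cidr, 2);
        $subnetLong = ip2long($subnet);
        if ($subnetLong === false || !ctype_digit($mask) || (int) $mask > 32) {
            return false;
        }
        // keep the top $mask bits of both sides; a prefix of 0 yields an all-zero mask and matches any address
        $bits = (0xFFFFFFFF << (32 - (int) $mask)) & 0xFFFFFFFF;
        return ($ipLong & $bits) === ($subnetLong & $bits);
    }
    // … unchanged: isIpAllowed, process …
```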
@@ -0,0 +1,57 @@
+<?php
+
+namespace Tqdev\PhpCrudApi\Middleware;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Tqdev\PhpCrudApi\Controller\Responder;
+use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
+use Tqdev\PhpCrudApi\Record\ErrorCode;
+
+class RateLimitMiddleware extends Middleware
+{
+ private function ipMatch(string $ip, string $cidr): bool
+ {
+ if (strpos($cidr, '/') !== false) {
+ list($subnet, $mask) = explode('/', trim($cidr));
+ if ((ip2long($ip) & ~((1 << (32 - $mask)) - 1)) == ip2long($subnet)) {
+ return true;
+ }
+ } else {
+ if (ip2long($ip) == ip2long($cidr)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private function isIpAllowed(string $ipAddress, string $allowedIpAddresses): bool
+ {
+ foreach (explode(',', $allowedIpAddresses) as $allowedIp) {
+ if ($this->ipMatch($ipAddress, $allowedIp)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
+ {
+ $reverseProxy = $this->getProperty('reverseProxy', '');
+ if ($reverseProxy) {
+ $ipAddress = array_pop(explode(',', $request->getHeader('X-Forwarded-For')));
+ } elseif (isset($_SERVER['REMOTE_ADDR'])) {
+ $ipAddress = $_SERVER['REMOTE_ADDR'];
+ } else {
+ $ipAddress = '127.0.0.1';
+ }
+ $allowedIpAddresses = $this->getProperty('allowedIpAddresses', '');
+ if (!$this->isIpAllowed($ipAddress, $allowedIpAddresses)) {
+ $response = $this->responder->error(ErrorCode::TEMPORARY_OR_PERMANENTLY_BLOCKED, '');
+ } else {
+ $response = $next->handle($request);
+ }
+ return $response;
+ }
+}
From 650c737f083dd51c074793efedbbe0664121feb2 Mon Sep 17 00:00:00 2001
From: Maurits van der Schee <maurits@vdschee.nl>
Date: Sat, 24 Apr 2021 15:25:15 +0200
Subject: [PATCH 2/4] update
---
 .../Middleware/RateLimitMiddleware copy.php | 57 -------------------
 1 file changed, 57 deletions(-)
 delete mode 100644 src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware copy.php
diff --git a/src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware copy.php b/src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware copy.php
deleted file mode 100644
index 892e5d1d..00000000
--- a/src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware copy.php
+++ /dev/null
@@ -1,57 +0,0 @@
-<?php
-
-namespace Tqdev\PhpCrudApi\Middleware;
-
-use Psr\Http\Message\ResponseInterface;
-use Psr\Http\Message\ServerRequestInterface;
-use Psr\Http\Server\RequestHandlerInterface;
-use Tqdev\PhpCrudApi\Controller\Responder;
-use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
-use Tqdev\PhpCrudApi\Record\ErrorCode;
-
-class RateLimitMiddleware extends Middleware
-{
- private function ipMatch(string $ip, string $cidr): bool
- {
- if (strpos($cidr, '/') !== false) {
- list($subnet, $mask) = explode('/', trim($cidr));
- if ((ip2long($ip) & ~((1 << (32 - $mask)) - 1)) == ip2long($subnet)) {
- return true;
- }
- } else {
- if (ip2long($ip) == ip2long($cidr)) {
- return true;
- }
- }
- return false;
- }
-
- private function isIpAllowed(string $ipAddress, string $allowedIpAddresses): bool
- {
- foreach (explode(',', $allowedIpAddresses) as $allowedIp) {
- if ($this->ipMatch($ipAddress, $allowedIp)) {
- return true;
- }
- }
- return false;
- }
-
- public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
- {
- $reverseProxy = $this->getProperty('reverseProxy', '');
- if ($reverseProxy) {
- $ipAddress = array_pop(explode(',', $request->getHeader('X-Forwarded-For')));
- } elseif (isset($_SERVER['REMOTE_ADDR'])) {
- $ipAddress = $_SERVER['REMOTE_ADDR'];
- } else {
- $ipAddress = '127.0.0.1';
- }
- $allowedIpAddresses = $this->getProperty('allowedIpAddresses', '');
- if (!$this->isIpAllowed($ipAddress, $allowedIpAddresses)) {
- $response = $this->responder->error(ErrorCode::TEMPORARY_OR_PERMANENTLY_BLOCKED, '');
- } else {
- $response = $next->handle($request);
- }
- return $response;
- }
-}
From c31f7327401655e4c7f462f756dca632f16ac8f9 Mon Sep 17 00:00:00 2001
From: Maurits van der Schee <maurits@vdschee.nl>
Date: Sat, 24 Apr 2021 15:25:45 +0200
Subject: [PATCH 3/4] update
---
 .../Middleware/RateLimitMiddleware.php | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware.php
diff --git a/src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware.php b/src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware.php
new file mode 100644
index 00000000..892e5d1d
--- /dev/null
+++ b/src/Tqdev/PhpCrudApi/Middleware/RateLimitMiddleware.php
@@ -0,0 +1,57 @@
+<?php
+
+namespace Tqdev\PhpCrudApi\Middleware;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Tqdev\PhpCrudApi\Controller\Responder;
+use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
+use Tqdev\PhpCrudApi\Record\ErrorCode;
+
+class RateLimitMiddleware extends Middleware
+{
+ private function ipMatch(string $ip, string $cidr): bool
+ {
+ if (strpos($cidr, '/') !== false) {
+ list($subnet, $mask) = explode('/', trim($cidr));
+ if ((ip2long($ip) & ~((1 << (32 - $mask)) - 1)) == ip2long($subnet)) {
+ return true;
+ }
+ } else {
+ if (ip2long($ip) == ip2long($cidr)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private function isIpAllowed(string $ipAddress, string $allowedIpAddresses): bool
+ {
+ foreach (explode(',', $allowedIpAddresses) as $allowedIp) {
+ if ($this->ipMatch($ipAddress, $allowedIp)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
+ {
+ $reverseProxy = $this->getProperty('reverseProxy', '');
+ if ($reverseProxy) {
+ $ipAddress = array_pop(explode(',', $request->getHeader('X-Forwarded-For')));
+ } elseif (isset($_SERVER['REMOTE_ADDR'])) {
+ $ipAddress = $_SERVER['REMOTE_ADDR'];
+ } else {
+ $ipAddress = '127.0.0.1';
+ }
+ $allowedIpAddresses = $this->getProperty('allowedIpAddresses', '');
+ if (!$this->isIpAllowed($ipAddress, $allowedIpAddresses)) {
+ $response = $this->responder->error(ErrorCode::TEMPORARY_OR_PERMANENTLY_BLOCKED, '');
+ } else {
+ $response = $next->handle($request);
+ }
+ return $response;
+ }
+}
From 347bd8908ec814293132de89deb6e85b240e03f0 Mon Sep 17 00:00:00 2001
From: jaleonardo <32501234+apps-caraga@users.noreply.github.com>
Date: Fri, 19 Jan 2024 09:27:01 +0800
Subject: [PATCH 4/4] Update DbAuthMiddleware.php
Updated middleware to trim leading and/or trailing spaces in username.
---
 src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php b/src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php
index 49b6263f..7bc0abb4 100644
--- a/src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php
+++ b/src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php
@@ -44,7 +44,7 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 $method = $request->getMethod();
 if ($method == 'POST' && in_array($path, ['login', 'register', 'password'])) {
 $body = $request->getParsedBody();
- $username = isset($body->username) ? $body->username : '';
+ $username = trim(isset($body->username) ? $body->username : '');
 $password = isset($body->password) ? $body->password : '';
 $newPassword = isset($body->newPassword) ? $body->newPassword : '';
 $tableName = $this->getProperty('usersTable', 'users');
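Review bot: `trim()` requires a string, and `$body->username` comes straight from the parsed request body, so a login body with a non-string `username` (a number, an array, `null` in JSON) now raises a `TypeError` on PHP 8 (a warning and `null` on 7.x) where the previous line merely passed the value on; check the type first, e.g. `$username = is_string($body->username ?? null) ? trim($body->username) : '';`. The trimmed value feeds the `login`, `register` and `password` paths of the same branch, so a name registered as `"alice "` and a later login as `"alice"` presumably resolve to the same stored row from now on, which is worth a one-line comment on the new line because it changes what registration stores. `process()` starts and ends outside the hunk.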