1
<?php
2
/**
3
 * This file is part of the Shieldon package.
4
 *
5
 * (c) Terry L. <contact@terryl.in>
6
 *
7
 * For the full copyright and license information, please view the LICENSE
8
 * file that was distributed with this source code.
9
 * 
10
 * php version 7.1.0
11
 * 
12
 * @category  Web-security
13
 * @package   Shieldon
14
 * @author    Terry Lin <contact@terryl.in>
15
 * @copyright 2019 terrylinooo
16
 * @license   https://github.com/terrylinooo/shieldon/blob/2.x/LICENSE MIT
17
 * @link      https://github.com/terrylinooo/shieldon
18
 * @see       https://shieldon.io
19
 */
20

21
declare(strict_types=1);
22

23
namespace Shieldon\Firewall\Middleware;
24

25
use Psr\Http\Message\ResponseInterface;
26
use Psr\Http\Message\ServerRequestInterface;
27
use Psr\Http\Server\MiddlewareInterface;
28
use Psr\Http\Server\RequestHandlerInterface;
29
use Shieldon\Psr7\Response;
30
use InvalidArgumentException;
31
use function array_column;
32
use function count;
33
use function password_verify;
34
use function strpos;
35

36
/**
37
 * A PSR-15 middleware that provides WWW-Authenticate protection.
38
 */
39
class HttpAuthentication implements MiddlewareInterface
40
{
41
    /**
42
     * 401 - Unauthorized.
43
     *
44
     * @var int
45
     */
46
    const HTTP_STATUS_CODE = 401;
47

48
    /**
49
     * The URL list that you want to protect.
50
     *
51
     * @var array
52
     */
53
    protected $list = [
54
        [
55
            // Begin-with URL 
56
            'url' => '/wp-amdin', 
57

58
            // Username
59
            'user' => 'wp_shieldon_user',
60

61
            // Password encrypted by `password_hash()` function.
62
            // In this case, the uncrypted string is `wp_shieldon_pass`.
63
            'pass' => '$2y$10$eA/S6rH3JDkYV9nrrUvuMOTh8Q/ts33DdCerbNAUpdwtSl3Xq9cQq'  
64
        ]
65
    ];
66

67
    /**
68
     * The text displays on prompted window.
69
     * Most modern browsers won't show this anymore. You can ignore that.
70
     *
71
     * @var string
72
     */
73
    protected $realm;
74

75
    /**
76
     * Constructor.
77
     * 
78
     * @param array  $list  The list that want to be protected.
79
     * @param string $realm The welcome message.
80
     *
81
     * @return void
82
     */
83 3
    public function __construct(array $list = [], string $realm = 'Welcome to area 51.')
84
    {
85 3
        $this->set($list);
86 3
        $this->realm = $realm;
87
    }
88

89
    /**
90
     * Invoker.
91
     *
92
     * @param ServerRequestInterface  $request The PSR-7 server request.
93
     * @param RequestHandlerInterface $handler The PSR-15 request handler.
94
     *
95
     * @return ResponseInterface
96
     */
97 3
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
98
    {
99 3
        $currentUrl = $request->getUri()->getPath();
100 3
        $serverParams = $request->getServerParams();
101

102 3
        foreach ($this->list as $urlInfo) {
103

104
            // If we have set the protection for current URL.
105 3
            if (0 === strpos($currentUrl, $urlInfo['url'])) {
106

107
                // Prompt a window to ask for username and password.
108
                if (
109 3
                    !isset($serverParams['PHP_AUTH_USER']) ||
110 3
                    !isset($serverParams['PHP_AUTH_PW'])
111
                ) {
112 3
                    $authenticate = 'Basic realm="' . $this->realm . '"';
113 3
                    return (new Response)
114 3
                        ->withStatus(self::HTTP_STATUS_CODE)
115 3
                        ->withHeader('WWW-Authenticate', $authenticate);
116
                }
117

118
                // Identify the username and password for current URL.
119
                if (
120 3
                    $urlInfo['user'] !== $serverParams['PHP_AUTH_USER'] ||
121 3
                    !password_verify($serverParams['PHP_AUTH_PW'], $urlInfo['pass'])
122
                ) {
123 3
                    unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
124 3
                    return (new Response)->withStatus(self::HTTP_STATUS_CODE);
125
                }
126
            }
127
        }
128

129 3
        return $handler->handle($request);
130
    }
131

132
    /**
133
     * Set up the URL list that you want to protect.
134
     * 
135
     * @param array $list The URL list want to be protected.
136
     *
137
     * @return void
138
     */
139 3
    public function set(array $list = []): void
140
    {
141 3
        if (!empty($list)) {
142 3
            $count = count($list);
143 3
            $urlCount = count(array_column($list, 'url'));
144 3
            $userCount = count(array_column($list, 'user'));
145 3
            $passCount = count(array_column($list, 'pass'));
146

147
            if (
148 3
                $count !== $urlCount || 
149 3
                $count !== $userCount || 
150 3
                $count !== $passCount
151
            ) {
152 3
                throw new InvalidArgumentException(
153 3
                    'The columns in the array should be fit the specification. '
154
                );
155
            }
156

157 3
            $this->list = $list;
158
        }
159
    }
160
}

Read our documentation on viewing source code .

Loading