New. Common. Add "all_headers" parameter. (#49)

* New.Code.Add "all_headers" parameter

* Fix. Code. Code style fixed.

* Fix. All headers. Remove sensitive data from collected headers.

* Fix. All headers. Returning result fixed.

* Fix. All headers. Getting headers fixed.

---------

Co-authored-by: datorik <datorik@gmail.com>
Co-authored-by: Glomberg <bazz@bk.ru>

Author: 3 people

.gitignore

@@ -4,3 +4,4 @@ composer.lock
 .DS_Store
 .DS_Store?
 *.swp
+/tests/.phpunit.result.cache

lib/CleantalkAntispam.php

@@ -159,6 +159,70 @@ private function getCleanTalkResponse()
         return new CleantalkResponse(@json_decode($response_raw), null);
     }
 
+    /**
+     * Get all HTTP headers from the current request
+     *
+     * @return string JSON encoded headers or empty string if not available
+     */
+    private function getAllHeaders()
+    {
+        // Try apache_request_headers() first
+        $ct_tmp = function_exists('apache_request_headers') ? apache_request_headers() : [];
+
+        // Fallback for Nginx or other servers - parse from $_SERVER
+        if ( empty($ct_tmp) ) {
+            $ct_tmp = Helper::httpGetHeaders();
+        }
+
+        // Remove sensitive headers before sending them to the external service.
+        $sensitive_headers = array(
+            'cookie',
+            'set-cookie',
+            'authorization',
+            'proxy-authorization',
+            'x-csrf-token',
+            'x-xsrf-token',
+            'x-api-key',
+            'api-key',
+            'x-auth-token',
+            'x-access-token',
+            'x-forwarded-client-cert',
+        );
+        $sensitive_patterns = array(
+            'token',
+            'secret',
+            'signature',
+            'api-key',
+            'apikey',
+            'auth',
+        );
+        foreach ($ct_tmp as $header_name => $_value) {
+            $normalized_header_name = strtolower($header_name);
+            if (in_array($normalized_header_name, $sensitive_headers, true)) {
+                unset($ct_tmp[$header_name]);
+                continue;
+            }
+            foreach ($sensitive_patterns as $pattern) {
+                if (strpos($normalized_header_name, $pattern) !== false) {
+                    unset($ct_tmp[$header_name]);
+                    break;
+                }
+            }
+        }
+
+        if ( empty($ct_tmp) ) {
+            return '';
+        }
+
+        $json = json_encode($ct_tmp);
+
+        if ( $json === false ) {
+            return '';
+        }
+
+        return $json;
+    }
+
     /**
      * Prepare the request data for the CleanTalk API.
      *
@@ -176,6 +240,7 @@ private function prepareCleanTalkRequestData()
             'js_on' => !empty($this->event_token) ? 1 : 0,
             'event_token' => $this->event_token,
             'agent' => 'php-cleantalk-check',
+            'all_headers' => $this->getAllHeaders(),
             'sender_info' => @json_encode(
                 array(
                     'REFFERRER' => !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '',

lib/HTTP/Helper.php

@@ -502,11 +502,10 @@ public static function httpGetHeaders()
                             continue;
                         }
 
-                        $key_parts[$part_index] = function_exists('mb_strtolower') ? mb_strtolower(
-                            $part
-                        ) : strtolower(
-                            $part
-                        );
+                        $key_parts[$part_index] =
+                            function_exists('mb_strtolower')
+                                ? mb_strtolower($part)
+                                : strtolower($part);
                         $key_parts[$part_index][0] = strtoupper($key_parts[$part_index][0]);
                     }
                     $server_key = implode('-', $key_parts);