Merge pull request #10 from Crowdhandler/sanitizeURL

carl-wells-crowdhandler · web-flow · commit b98a024c1a38 · 2022-11-29T10:27:32.000Z
Added a method to strip crowdhandler parameters and redirect on promo…
diff --git a/.gitignore b/.gitignore
@@ -6,4 +6,5 @@ composer.phar
 composr.lock
 favicon.ico
 php.ini
-.idea/
+.idea/
+.DS_Store
diff --git a/README.md b/README.md
@@ -72,10 +72,8 @@ Set the cookie
 
 #### Automatic
 
-    $gatekeeper->setCookie();
 
-Now you set the cookie so that the user carries their token with each request. 
-This is important, if the token cannot be checked, a new one will be issued, and this may result in a promoted user being sent to a waiting room.
+We automatically set the cookie so that the user carries their token with each request.
 
 #### Go your own way
 
diff --git a/composer.lock b/composer.lock
diff --git a/examples/flat-php/advanced.php b/examples/flat-php/advanced.php
@@ -1,8 +1,7 @@
 <?php
 
 /*
-    In this example, we will use the session object instead of cookies.
-    And we will handle the redirect ourselves instead of relying on CrowdHandlee\GateKeeper
+    In this example, we will handle the redirect ourselves instead of relying on CrowdHandler\GateKeeper
     We will also specify a slug to redirect to if the request check fails.
 */
 
@@ -11,9 +10,7 @@
 $api = new CrowdHandler\PublicClient('ace1f8062f2df869a5fb0cbd69f51c10d2821dd1e4519e110206eca9e3db86c8'); // your public key here.
 $ch = new CrowdHandler\GateKeeper($api);
 $ch->setSafetyNetSlug('sandbox'); // users will be directed to a known slug (must be one of yours) if API request or response fails 
-$ch->setToken( (isset($_URL['ch-id']) ? $_URL['ch-id'] : isset($_SESSION['ch-id'])) ? $_SESSION['ch-id'] : null );
 $ch->checkRequest();
-$_SESSION['ch-id'] = $ch->result->token; // we do not recommend using default session for token storage, this is just an example.
 if(!$ch->result->promoted) {
     header('location:'.$ch->getRedirectUrl(), 302);    
 }
diff --git a/examples/flat-php/basic.php b/examples/flat-php/basic.php
@@ -5,7 +5,6 @@
 $api = new CrowdHandler\PublicClient('ace1f8062f2df869a5fb0cbd69f51c10d2821dd1e4519e110206eca9e3db86c8'); // your public key here.
 $ch = new CrowdHandler\GateKeeper($api);
 $ch->checkRequest();
-$ch->setCookie();
 $ch->redirectIfNotPromoted();
 
 ?>
diff --git a/examples/slim-framework-psr/web/index.php b/examples/slim-framework-psr/web/index.php
@@ -10,17 +10,15 @@
 //  We pass Slim's PSR7 request instead of having GateKeeper corale info from CGI variables
     $ch = new CrowdHandler\GateKeeper($api, $request);
     $ch->checkRequest();    
-//  We use Slim to set the cookie, not the method inside GateKeeper
-    $cookies = new Slim\Http\Cookies();
-    $cookies->set('ch-id', ['value' => $ch->result->token, 'path'=>'/']);
+
     if($ch->result->promoted) {
     //  Here you would build your response as normal. We're just rendering the CrowdHandler Result
         $response->getBody()->write($ch->result);
     //  Now log the performance, we're about to dispatch the response
         $ch->recordPerformance(200);
-        return $response->withHeader('Set-Cookie', $cookies->toHeaders());
+        return $response;
     } else {
-        return $response->withHeader('Set-Cookie', $cookies->toHeaders())->withRedirect($ch->getRedirectUrl(), 302);
+        return $response->withRedirect($ch->getRedirectUrl(), 302);
     }
 });
 $app->run();
diff --git a/src/GateKeeper.php b/src/GateKeeper.php
@@ -9,6 +9,15 @@ class GateKeeper
     const TOKEN_COOKIE = 'ch-id';
     const TOKEN_URL = 'ch-id';
 
+    const CROWDHANDLER_PARAMS = array(
+        'ch-id',
+        'ch-fresh',
+        'ch-id-signature',
+        'ch-public-key',
+        'ch-requested',
+        'ch-code'
+    );
+
     private $ignore = "/^((?!.*\?).*(\.(avi|css|eot|gif|ico|jpg|jpeg|js|json|mov|mp4|mpeg|mpg|og[g|v]|pdf|png|svg|ttf|txt|wmv|woff|woff2|xml))$)/";
     private $client;
     private $failTrust = true;
@@ -40,20 +49,53 @@ public function __construct(Client $client, \Psr\Http\Message\ServerRequestInter
             $server = $_SERVER;
             $cookies = $_COOKIE;
         }
+
+
+        // Token in URL
         if (isset($get[self::TOKEN_URL])) {
-            $this->token = $get[self::TOKEN_URL];
+            $this->setCookie($get[self::TOKEN_URL]);
+            // clean url and redirect
+            $this->sanitizeURL($this->url, $get);
+            header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
+            header('location: '.$this->url, true, self::HTTP_REDIRECT_CODE);
+            exit;
+
         } elseif (isset($cookies[self::TOKEN_COOKIE])) {
             $this->token = $cookies[self::TOKEN_COOKIE];
         }
-    //  now we've extracted the token we sanitize the url
-        $this->url = 'https://' . parse_url($this->url, PHP_URL_HOST) . parse_url($this->url, PHP_URL_PATH);
-        unset($get[self::TOKEN_URL]);
-        if(count($get)) $this->url .= '?' . http_build_query($get);
+
         $this->detectClientIp($server);
         if (isset($server['HTTP_USER_AGENT'])) $this->agent = $server['HTTP_USER_AGENT'];
         if (isset($server['HTTP_ACCEPT_LANGUAGE'])) $this->lang = $server['HTTP_ACCEPT_LANGUAGE'];        
     }
 
+    /**
+     * Removes crowdhandler specific query parameters on promotion
+     * @param string $url The url that is currently being requested
+     * @param array $get An array of the current query sring parameters   
+     */
+    private function sanitizeURL ($url, $get)
+    {
+        
+        $parsed_url  = parse_url($url);
+        $this->url = 'https://' . $parsed_url['host'] . $parsed_url['path'];
+
+        $ch_params_to_remove = array();
+        for ($i=0; $i < Count(self::CROWDHANDLER_PARAMS); $i++) {
+            if (isset($get[self::CROWDHANDLER_PARAMS[$i]]))
+            {
+                array_push($ch_params_to_remove, $get[self::CROWDHANDLER_PARAMS[$i]]);
+            }
+        }
+
+        $remaining_query_parameters = array_diff($get, $ch_params_to_remove);
+        
+        if (Count($remaining_query_parameters) > 0) {
+            $this->url = $this->url .= '?' . http_build_query($remaining_query_parameters);
+        }
+       
+    }
+
     private function detectClientIp($server)
     {
         if (array_key_exists('HTTP_X_FORWARDED_FOR', $server)) {
@@ -155,7 +197,10 @@ public function checkRequest()
                     $this->result = $this->client->requests->get($this->token, $params);
                 } else {
                     $this->result = $this->client->requests->post($params);
-                }    
+                }
+                if(isset($this->result->token)) {
+                    $this->setCookie($this->result->token);
+                }
             }
             catch (\Exception $e) {
                 $mock = new ApiObject;
@@ -201,11 +246,11 @@ public function getRedirectUrl()
     /**
      * Set CrowdHandler session cookie 
      */
-    public function setCookie()
+    private function setCookie($cookie)
     {   
-        if (!is_null($this->result->token)) {
-            setcookie(self::TOKEN_COOKIE, $this->result->token, 0, '/', '', $this->debug ? false: true);
-            $this->debug('Setting cookie '.$this->result->token);
+        if (!is_null($cookie)) {
+            setcookie(self::TOKEN_COOKIE, $cookie, 0, '/', '', $this->debug ? false: true);
+            $this->debug('Setting cookie '.$cookie);
         }
     }
 
