Added an optional timestamp verification to add additional security level (expiring requests)

Author: tanelt

src/Client.php

@@ -49,19 +49,26 @@ class Client
      */
     protected $httpClient;
 
+    /**
+     * @var bool
+     */
+    protected $useTimestamp = false;
+
     /**
      * Client constructor.
      *
      * @param string $key
      * @param string $secret
      * @param string $workspace
      * @param integer $timeout
+     * @param boolean $useTimestamp
      */
-    public function __construct($key, $secret, $workspace = null, $timeout = null)
+    public function __construct($key, $secret, $workspace = null, $timeout = null, $useTimestamp = false)
     {
         $this->key = $key;
         $this->secret = $secret;
         $this->workspace = $workspace;
+        $this->useTimestamp = $useTimestamp;
 
         if ($timeout)
         {
@@ -82,6 +89,14 @@ public function setWorkspace($workspace)
         return $this;
     }
 
+    /**
+     * @param bool $status
+     */
+    public function setUseTimestamp($status = true)
+    {
+        $this->useTimestamp = $status;
+    }
+
     /**
      * Set request timeout
      *
@@ -106,11 +121,12 @@ public function setBaseUrl($url)
 
     /**
      * @param string $resource
+     * @param integer $timestamp
      *
      * @return string
      * @throws Exception
      */
-    protected function createSignature($resource)
+    protected function createSignature($resource, $timestamp)
     {
         if (!$this->key)
         {
@@ -131,6 +147,11 @@ protected function createSignature($resource)
           'resource' => $resource
         ];
 
+        if ($this->useTimestamp)
+        {
+            $data['timestamp'] = $timestamp;
+        }
+
         ksort($data);
 
         return hash_hmac('sha256', implode('', $data), $this->secret);
@@ -154,18 +175,25 @@ protected function getHttpClient()
 
     /**
      * @param string $method
-     * @param string $resource
+     * @param $resource
      * @param array $params
      * @param array $headers
      *
-     * @return \stdClass
+     * @return null|\stdClass
      * @throws \ActualReports\PDFGeneratorAPI\Exception
+     * @throws \GuzzleHttp\Exception\GuzzleException
      */
     public function request($method = self::REQUEST_POST, $resource, array $params = [], array $headers = [])
     {
-        $signature = $this->createSignature($resource);
+        $timestamp = time();
+        $signature = $this->createSignature($resource, $timestamp);
         $method = strtoupper($method);
 
+        if ($this->useTimestamp)
+        {
+            $headers['X-Auth-Timestamp'] = $timestamp;
+        }
+
         $options = [
             'headers' => array_merge($headers, [
                 'X-Auth-Key' => $this->key,
@@ -202,8 +230,9 @@ public function request($method = self::REQUEST_POST, $resource, array $params =
      * @param $resource
      * @param $options
      *
-     * @return \stdClass|null
+     * @return null|\stdClass
      * @throws \ActualReports\PDFGeneratorAPI\Exception
+     * @throws \GuzzleHttp\Exception\GuzzleException
      */
     protected function handleRequest($method, $resource, $options)
     {
@@ -279,6 +308,7 @@ protected function handleResponse(ResponseInterface $response)
      *
      * @return array
      * @throws \ActualReports\PDFGeneratorAPI\Exception
+     * @throws \GuzzleHttp\Exception\GuzzleException
      */
     public function getAll(array $access = [], array $tags = [])
     {
@@ -297,6 +327,7 @@ public function getAll(array $access = [], array $tags = [])
      *
      * @return \stdClass
      * @throws \ActualReports\PDFGeneratorAPI\Exception
+     * @throws \GuzzleHttp\Exception\GuzzleException
      */
     public function get($template)
     {
@@ -310,6 +341,7 @@ public function get($template)
      *
      * @return \stdClass
      * @throws \ActualReports\PDFGeneratorAPI\Exception
+     * @throws \GuzzleHttp\Exception\GuzzleException
      */
     public function create($name)
     {
@@ -347,6 +379,7 @@ public function create($name)
      *
      * @return \stdClass
      * @throws \ActualReports\PDFGeneratorAPI\Exception
+     * @throws \GuzzleHttp\Exception\GuzzleException
      */
     public function copy($template, $newName = null)
     {
@@ -368,6 +401,7 @@ public function copy($template, $newName = null)
      *
      * @return \stdClass
      * @throws \ActualReports\PDFGeneratorAPI\Exception
+     * @throws \GuzzleHttp\Exception\GuzzleException
      */
     public function output($template, $data, $format = self::FORMAT_PDF, $name = null, array $params = [])
     {
@@ -390,13 +424,19 @@ public function output($template, $data, $format = self::FORMAT_PDF, $name = nul
      */
     public function editor($template, $data = null, array $params = [])
     {
+        $timestamp = time();
         $resource = 'templates/'.$template.'/editor';
         $params = array_merge([
             'key' => $this->key,
             'workspace' => $this->workspace,
-            'signature' => $this->createSignature($resource)
+            'signature' => $this->createSignature($resource, $timestamp)
         ], $params);
 
+        if ($this->useTimestamp)
+        {
+            $params['timestamp'] = $timestamp;
+        }
+
         if ($data)
         {
             $params['data'] = self::dataToString($data);
@@ -412,6 +452,7 @@ public function editor($template, $data = null, array $params = [])
      *
      * @return \stdClass
      * @throws \ActualReports\PDFGeneratorAPI\Exception
+     * @throws \GuzzleHttp\Exception\GuzzleException
      */
     public function delete($template)
     {

tests/Client.php

@@ -35,6 +35,22 @@ public function testGetTemplates()
         $this->assertTrue(count($result) > 10);
     }
 
+    public function testGetTemplatesWithTimestamp()
+    {
+        $this->client->setUseTimestamp(true);
+        $result = $this->client->getAll();
+        $this->client->setUseTimestamp(false);
+        $this->assertTrue(count($result) > 10);
+    }
+
+    public function testGetTemplatesWithExpiredTimestamp()
+    {
+        $this->expectException(Exception::class);
+        $this->client->request('GET', 'templates', [
+          'timestamp' => time() - 3601
+        ]);
+    }
+
     public function testGetTemplate()
     {
         $result = $this->client->get($this->templateId);