MD_STD/src/MD_STD_SEC.php

<?PHP
/**
 * Gathers wrappers for handling basic security operations.
 */
declare(strict_types = 1);

/**
 * Gathers wrappers for handling basic security operations.
 */
final class MD_STD_SEC {

    const REFRESH_TIME_GENERAL = 60; // Time until the comp. with the whole service is cleared.
    const REFRESH_TIME_USER = 600;   // Time until the comp. with the same username service is cleared.
    const REFRESH_TIME_IP = 180;     // Time until the comp. with the same IP is cleared. This should be lower than the user-level one, as people working together may be using a common IP.

    const BRUTE_FORCE_DELAY_DEFAULT = 2000; // 2000 microseconds = 2 milliseconds
    const BRUTE_FORCE_DELAY_MULTIPLIER_COMMON   = 1.08;
    const BRUTE_FORCE_DELAY_MULTIPLIER_PER_USER = 2.8;
    const BRUTE_FORCE_DELAY_MULTIPLIER_PER_IP = 2;

    /**
     * Function for retrieving the anti-csrf token or generating it if need be.
     *
     * @return string
     */
    public static function getAntiCsrfToken():string {

        if (empty($_SESSION['csrf-token'])) {
            $_SESSION['csrf-token'] = bin2hex(random_bytes(32));
        }

        return $_SESSION['csrf-token'];

    }

    /**
     * Function for validating anti-csrf tokens. Each anti-csrf token is removed
     * after use.
     *
     * @return boolean
     */
    public static function validateAntiCsrfToken():bool {

        $validity = false;
        if (!empty($_POST['csrf-token'])
            && !empty($_SESSION['csrf-token'])
            && hash_equals($_SESSION['csrf-token'], $_POST['csrf-token']) === true
        ) {
            $validity = true;
        }
        $_SESSION['csrf-token'] = null;
        unset($_SESSION['csrf-token']);

        return $validity;

    }

    /**
     * Prevent brute force attacks by delaying the login .
     *
     * @param string $tool_name Identifier of the login.
     * @param string $username  Username to look for.
     *
     * @return boolean
     */
    public static function preventBruteForce(string $tool_name, string $username):bool {

        // Unstable but working way to get the user's IP. If the IP is falsified,
        // this can't be found out anyway and security is established by _common.
        $ip = \filter_var($_SERVER['REMOTE_ADDR'] ?: ($_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['HTTP_CLIENT_IP']), \FILTER_VALIDATE_IP) ?: "Failed to find";

        // Set name of log file
        $logfile_common = \sys_get_temp_dir() . "/logins_{$tool_name}.json";

        // Ensure the log files exist
        if (!\file_exists($logfile_common)) {
            \file_put_contents($logfile_common, "[]");
        }

        // Hash entered username and IP to prevent malicious strings from
        // entering the system.
        $hash_user = \md5($username);
        $hash_ip   = \md5($ip);

        // Delete the log files if they are too old
        $loginLog = \json_decode(MD_STD::file_get_contents($logfile_common), \true) ?: [];

        // Ensure the counters exist and aren't old than 600 seconds / 10 minutes
        if (empty($loginLog['common']) || \time() - $loginLog['common']['time'] > self::REFRESH_TIME_GENERAL) {
            $loginLog['common'] = ["count" => 0, "time" => \time()];
        }
        if (empty($loginLog['usr'][$hash_user]) || \time() - $loginLog['usr'][$hash_user]['time'] > self::REFRESH_TIME_USER) {
            $loginLog['usr'][$hash_user] = ["count" => 0, "time" => \time()];
        }
        if (empty($loginLog['ip'][$hash_ip]) || \time() - $loginLog['ip'][$hash_ip]['time'] > self::REFRESH_TIME_IP) {
            $loginLog['ip'][$hash_ip] = ["count" => 0, "time" => \time()];
        }

        // Increase counters and update timers
        ++$loginLog['common']['count'];
        $loginLog['common']['time'] = \time();
        ++$loginLog['usr'][$hash_user]['count'];
        $loginLog['usr'][$hash_user]['time'] = \time();
        ++$loginLog['ip'][$hash_ip]['count'];
        $loginLog['ip'][$hash_ip]['time'] = \time();

        // Update the log file
        \file_put_contents($logfile_common, MD_STD::json_encode($loginLog));

        // Translate counters into delay multipliers
        $delay_multiplier_common = $loginLog['common']['count'];
        $delay_multiplier_per_user = $loginLog['usr'][$hash_user]['count'];
        $delay_multiplier_per_ip = $loginLog['ip'][$hash_ip]['count'];

        // Calculate delay
        $delay_micoseconds = \intval(self::BRUTE_FORCE_DELAY_DEFAULT *
            (self::BRUTE_FORCE_DELAY_MULTIPLIER_COMMON ** $delay_multiplier_common) *
            (self::BRUTE_FORCE_DELAY_MULTIPLIER_PER_USER ** $delay_multiplier_per_user) *
            (self::BRUTE_FORCE_DELAY_MULTIPLIER_PER_IP ** $delay_multiplier_per_ip));

        $max_execution_microseconds = \abs((int)\ini_get("max_execution_time")) * 1000000;

        // Sleep
        \usleep(min($delay_micoseconds, \abs($max_execution_microseconds - 1000000)));

        if ($delay_micoseconds > \abs($max_execution_microseconds - 1000000)) {
            return false;
        }

        return true;

    }

    /**
     * Send CSP headers.
     *
     * @param array{default-src: string, connect-src: string, script-src: string, img-src: string, media-src: string, style-src: string, frame-src: string, object-src: string, base-uri: string, form-action: string, frame-ancestors?: string} $directives      Directives to send. Font source is always set to 'self', and hence excluded.
     * @param string                                                                                                                                                                                                                             $frame_ancestors Frame ancestors directive. Default is to not set it.
     *
     * @return void
     */
    public static function sendContentSecurityPolicy(array $directives, string $frame_ancestors = ""):void {

        $policy = 'Content-Security-Policy: default-src ' . $directives['default-src'] . '; connect-src ' . $directives['connect-src'] . '; script-src ' . $directives['script-src'] . '; img-src ' . $directives['img-src'] . '; media-src ' . $directives['media-src'] . '; style-src ' . $directives['style-src'] . '; font-src \'self\'; frame-src ' . $directives['frame-src'] . '; object-src ' . $directives['object-src'] . '; base-uri ' . $directives['base-uri'] . '; form-action ' . $directives['form-action'] . '; manifest-src \'self\'; worker-src \'self\';';

        if (!empty($frame_ancestors)) {
            $policy .= ' frame-ancestors ' . $frame_ancestors . ';';
        }

        header($policy);

    }
}
Add class MD_STD_SEC for basic security operations 2020-11-08 19:34:57 +01:00			`<?PHP`
			`/**`
			`* Gathers wrappers for handling basic security operations.`
			`*/`
			`declare(strict_types = 1);`

			`/**`
Move scripts to /src subdirectory 2021-03-09 20:09:11 +01:00			`* Gathers wrappers for handling basic security operations.`
Add class MD_STD_SEC for basic security operations 2020-11-08 19:34:57 +01:00			`*/`
			`final class MD_STD_SEC {`
Remove superfluous parentheses 2021-09-17 15:52:37 +02:00
Move to rather locking down based on user accounts than on IP in MD_STD_SEC, use class constants for more obvious code 2021-11-25 01:09:08 +01:00			`const REFRESH_TIME_GENERAL = 60; // Time until the comp. with the whole service is cleared.`
			`const REFRESH_TIME_USER = 600; // Time until the comp. with the same username service is cleared.`
			`const REFRESH_TIME_IP = 180; // Time until the comp. with the same IP is cleared. This should be lower than the user-level one, as people working together may be using a common IP.`

Remove superfluous parentheses 2021-09-17 15:52:37 +02:00			`const BRUTE_FORCE_DELAY_DEFAULT = 2000; // 2000 microseconds = 2 milliseconds`
			`const BRUTE_FORCE_DELAY_MULTIPLIER_COMMON = 1.08;`
Move to rather locking down based on user accounts than on IP in MD_STD_SEC, use class constants for more obvious code 2021-11-25 01:09:08 +01:00			`const BRUTE_FORCE_DELAY_MULTIPLIER_PER_USER = 2.8;`
			`const BRUTE_FORCE_DELAY_MULTIPLIER_PER_IP = 2;`
Remove superfluous parentheses 2021-09-17 15:52:37 +02:00
Add class MD_STD_SEC for basic security operations 2020-11-08 19:34:57 +01:00			`/**`
			`* Function for retrieving the anti-csrf token or generating it if need be.`
			`*`
			`* @return string`
			`*/`
			`public static function getAntiCsrfToken():string {`

			`if (empty($_SESSION['csrf-token'])) {`
			`$_SESSION['csrf-token'] = bin2hex(random_bytes(32));`
			`}`

			`return $_SESSION['csrf-token'];`

			`}`

			`/**`
			`* Function for validating anti-csrf tokens. Each anti-csrf token is removed`
			`* after use.`
			`*`
			`* @return boolean`
			`*/`
			`public static function validateAntiCsrfToken():bool {`

			`$validity = false;`
			`if (!empty($_POST['csrf-token'])`
			`&& !empty($_SESSION['csrf-token'])`
			`&& hash_equals($_SESSION['csrf-token'], $_POST['csrf-token']) === true`
			`) {`
			`$validity = true;`
			`}`
Use new line for unsetting variable 2021-02-06 17:35:11 +01:00			`$_SESSION['csrf-token'] = null;`
			`unset($_SESSION['csrf-token']);`
Add class MD_STD_SEC for basic security operations 2020-11-08 19:34:57 +01:00
			`return $validity;`

			`}`

Add function to prevent brute force attacts 2020-11-17 23:55:50 +01:00			`/**`
			`* Prevent brute force attacks by delaying the login .`
			`*`
			`* @param string $tool_name Identifier of the login.`
			`* @param string $username Username to look for.`
			`*`
			`* @return boolean`
			`*/`
			`public static function preventBruteForce(string $tool_name, string $username):bool {`

			`// Unstable but working way to get the user's IP. If the IP is falsified,`
			`// this can't be found out anyway and security is established by _common.`
Move to rather locking down based on user accounts than on IP in MD_STD_SEC, use class constants for more obvious code 2021-11-25 01:09:08 +01:00			`$ip = \filter_var($_SERVER['REMOTE_ADDR'] ?: ($_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['HTTP_CLIENT_IP']), \FILTER_VALIDATE_IP) ?: "Failed to find";`
Add function to prevent brute force attacts 2020-11-17 23:55:50 +01:00
			`// Set name of log file`
			`$logfile_common = \sys_get_temp_dir() . "/logins_{$tool_name}.json";`

			`// Ensure the log files exist`
Remove inline if clauses 2021-02-06 20:08:37 +01:00			`if (!\file_exists($logfile_common)) {`
			`\file_put_contents($logfile_common, "[]");`
			`}`
Add function to prevent brute force attacts 2020-11-17 23:55:50 +01:00
			`// Hash entered username and IP to prevent malicious strings from`
			`// entering the system.`
			`$hash_user = \md5($username);`
			`$hash_ip = \md5($ip);`

			`// Delete the log files if they are too old`
			`$loginLog = \json_decode(MD_STD::file_get_contents($logfile_common), \true) ?: [];`

			`// Ensure the counters exist and aren't old than 600 seconds / 10 minutes`
Move to rather locking down based on user accounts than on IP in MD_STD_SEC, use class constants for more obvious code 2021-11-25 01:09:08 +01:00			`if (empty($loginLog['common']) \|\| \time() - $loginLog['common']['time'] > self::REFRESH_TIME_GENERAL) {`
Add function to prevent brute force attacts 2020-11-17 23:55:50 +01:00			`$loginLog['common'] = ["count" => 0, "time" => \time()];`
			`}`
Move to rather locking down based on user accounts than on IP in MD_STD_SEC, use class constants for more obvious code 2021-11-25 01:09:08 +01:00			`if (empty($loginLog['usr'][$hash_user]) \|\| \time() - $loginLog['usr'][$hash_user]['time'] > self::REFRESH_TIME_USER) {`
Add function to prevent brute force attacts 2020-11-17 23:55:50 +01:00			`$loginLog['usr'][$hash_user] = ["count" => 0, "time" => \time()];`
			`}`
Move to rather locking down based on user accounts than on IP in MD_STD_SEC, use class constants for more obvious code 2021-11-25 01:09:08 +01:00			`if (empty($loginLog['ip'][$hash_ip]) \|\| \time() - $loginLog['ip'][$hash_ip]['time'] > self::REFRESH_TIME_IP) {`
Add function to prevent brute force attacts 2020-11-17 23:55:50 +01:00			`$loginLog['ip'][$hash_ip] = ["count" => 0, "time" => \time()];`
			`}`

			`// Increase counters and update timers`
Use ++$i over $i++ This slightly improves performance. 2021-04-11 21:20:44 +02:00			`++$loginLog['common']['count'];`
Add function to prevent brute force attacts 2020-11-17 23:55:50 +01:00			`$loginLog['common']['time'] = \time();`
Use ++$i over $i++ This slightly improves performance. 2021-04-11 21:20:44 +02:00			`++$loginLog['usr'][$hash_user]['count'];`
Add function to prevent brute force attacts 2020-11-17 23:55:50 +01:00			`$loginLog['usr'][$hash_user]['time'] = \time();`
Use ++$i over $i++ This slightly improves performance. 2021-04-11 21:20:44 +02:00			`++$loginLog['ip'][$hash_ip]['count'];`
Add function to prevent brute force attacts 2020-11-17 23:55:50 +01:00			`$loginLog['ip'][$hash_ip]['time'] = \time();`

			`// Update the log file`
Use MD_STD::json_encode over the generic json_encode 2021-07-20 18:25:34 +02:00			`\file_put_contents($logfile_common, MD_STD::json_encode($loginLog));`
Add function to prevent brute force attacts 2020-11-17 23:55:50 +01:00
			`// Translate counters into delay multipliers`
			`$delay_multiplier_common = $loginLog['common']['count'];`
			`$delay_multiplier_per_user = $loginLog['usr'][$hash_user]['count'];`
Fix reference to incorrect array part in MD_STD_SEC's brute force protection 2020-11-22 14:18:08 +01:00			`$delay_multiplier_per_ip = $loginLog['ip'][$hash_ip]['count'];`
Add function to prevent brute force attacts 2020-11-17 23:55:50 +01:00
			`// Calculate delay`
			`$delay_micoseconds = \intval(self::BRUTE_FORCE_DELAY_DEFAULT *`
			`(self::BRUTE_FORCE_DELAY_MULTIPLIER_COMMON ** $delay_multiplier_common) *`
			`(self::BRUTE_FORCE_DELAY_MULTIPLIER_PER_USER ** $delay_multiplier_per_user) *`
			`(self::BRUTE_FORCE_DELAY_MULTIPLIER_PER_IP ** $delay_multiplier_per_ip));`

			`$max_execution_microseconds = \abs((int)\ini_get("max_execution_time")) * 1000000;`

			`// Sleep`
			`\usleep(min($delay_micoseconds, \abs($max_execution_microseconds - 1000000)));`

			`if ($delay_micoseconds > \abs($max_execution_microseconds - 1000000)) {`
			`return false;`
			`}`

			`return true;`

			`}`
Add function for sending complete CSP headers 2020-11-22 17:45:07 +01:00
			`/**`
			`* Send CSP headers.`
			`*`
Add option to set frame-ancestors CSP 2020-11-22 23:27:54 +01:00			`* @param array{default-src: string, connect-src: string, script-src: string, img-src: string, media-src: string, style-src: string, frame-src: string, object-src: string, base-uri: string, form-action: string, frame-ancestors?: string} $directives Directives to send. Font source is always set to 'self', and hence excluded.`
			`* @param string $frame_ancestors Frame ancestors directive. Default is to not set it.`
Add function for sending complete CSP headers 2020-11-22 17:45:07 +01:00			`*`
			`* @return void`
			`*/`
Add option to set frame-ancestors CSP 2020-11-22 23:27:54 +01:00			`public static function sendContentSecurityPolicy(array $directives, string $frame_ancestors = ""):void {`
Add function for sending complete CSP headers 2020-11-22 17:45:07 +01:00
Set worker-src 'self' in MD_STD_SEC 2021-05-15 17:17:53 +02:00			$policy = 'Content-Security-Policy: default-src ' . $directives['default-src'] . '; connect-src ' . $directives['connect-src'] . '; script-src ' . $directives['script-src'] . '; img-src ' . $directives['img-src'] . '; media-src ' . $directives['media-src'] . '; style-src ' . $directives['style-src'] . '; font-src \'self\'; frame-src ' . $directives['frame-src'] . '; object-src ' . $directives['object-src'] . '; base-uri ' . $directives['base-uri'] . '; form-action ' . $directives['form-action'] . '; manifest-src \'self\'; worker-src \'self\';';
Add option to set frame-ancestors CSP 2020-11-22 23:27:54 +01:00
			`if (!empty($frame_ancestors)) {`
			`$policy .= ' frame-ancestors ' . $frame_ancestors . ';';`
			`}`

			`header($policy);`
Add function for sending complete CSP headers 2020-11-22 17:45:07 +01:00
			`}`
Add class MD_STD_SEC for basic security operations 2020-11-08 19:34:57 +01:00			`}`