search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Localisation updates from https://translatewiki.net.
[mediawiki.git] / includes / session / Token.php
blob7a36ce5ceb2f3ed75615217c13e6d837b38783c4
1 <?php
2 /**
3 * MediaWiki session token
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
19 *
20 * @file
21 * @ingroup Session
22 */
23
24 namespace MediaWiki\Session;
25
26 use Stringable;
27
28 /**
29 * Value object representing a CSRF token
30 *
31 * @ingroup Session
32 * @since 1.27
33 */
34 class Token implements Stringable {
35 /** CSRF token suffix. Plus and terminal backslash are included to stop
36 * editing from certain broken proxies.
37 */
38 public const SUFFIX = '+\\';
39
40 /** @var string */
41 private $secret;
42
43 /** @var string */
44 private $salt;
45
46 /** @var bool */
47 private $new;
48
49 /**
50 * @param string $secret Token secret
51 * @param string $salt Token salt
52 * @param bool $new Whether the secret was newly-created
53 */
54 public function __construct( $secret, $salt, $new = false ) {
55 $this->secret = $secret;
56 $this->salt = $salt;
57 $this->new = $new;
58 }
59
60 /**
61 * Decode the timestamp from a token string
62 *
63 * Does not validate the token beyond the syntactic checks necessary to
64 * be able to extract the timestamp.
65 *
66 * @param string $token
67 * @return int|null
68 */
69 public static function getTimestamp( $token ) {
70 $suffixLen = strlen( self::SUFFIX );
71 $len = strlen( $token );
72 if ( $len <= 32 + $suffixLen ||
73 substr( $token, -$suffixLen ) !== self::SUFFIX ||
74 strspn( $token, '0123456789abcdef' ) + $suffixLen !== $len
75 ) {
76 return null;
77 }
78
79 return hexdec( substr( $token, 32, -$suffixLen ) );
80 }
81
82 /**
83 * Get the string representation of the token at a timestamp
84 * @param int $timestamp
85 * @return string
86 */
87 protected function toStringAtTimestamp( $timestamp ) {
88 return hash_hmac( 'md5', $timestamp . $this->salt, $this->secret, false ) .
89 dechex( $timestamp ) .
90 self::SUFFIX;
91 }
92
93 /**
94 * Get the string representation of the token
95 * @return string
96 */
97 public function toString() {
98 return $this->toStringAtTimestamp( (int)wfTimestamp( TS_UNIX ) );
99 }
100
101 public function __toString() {
102 return $this->toString();
103 }
104
105 /**
106 * Test if the token-string matches this token
107 * @param string|null $userToken
108 * @param int|null $maxAge Return false if $userToken is older than this many seconds
109 * @return bool
110 */
111 public function match( $userToken, $maxAge = null ) {
112 if ( !$userToken ) {
113 return false;
114 }
115 $timestamp = self::getTimestamp( $userToken );
116 if ( $timestamp === null ) {
117 return false;
118 }
119 if ( $maxAge !== null && $timestamp < (int)wfTimestamp( TS_UNIX ) - $maxAge ) {
120 // Expired token
121 return false;
122 }
123
124 $sessionToken = $this->toStringAtTimestamp( $timestamp );
125 return hash_equals( $sessionToken, $userToken );
126 }
127
128 /**
129 * Indicate whether this token was just created
130 * @return bool
131 */
132 public function wasNew() {
133 return $this->new;
134 }
135
136 }
MediaWiki Core