Refactor Security class

Author: paulbalandan

rector.php

@@ -149,7 +149,6 @@
             __DIR__ . '/system/HTTP/CURLRequest.php',
             __DIR__ . '/system/HTTP/DownloadResponse.php',
             __DIR__ . '/system/HTTP/IncomingRequest.php',
-            __DIR__ . '/system/Security/Security.php',
             __DIR__ . '/system/Session/Session.php',
         ],
 

system/Security/Security.php

@@ -21,10 +21,9 @@
 use CodeIgniter\HTTP\RequestInterface;
 use CodeIgniter\I18n\Time;
 use CodeIgniter\Security\Exceptions\SecurityException;
-use CodeIgniter\Session\Session;
+use CodeIgniter\Session\SessionInterface;
 use Config\Cookie as CookieConfig;
 use Config\Security as SecurityConfig;
-use ErrorException;
 use JsonException;
 use SensitiveParameter;
 
@@ -38,7 +37,16 @@ class Security implements SecurityInterface
 {
     public const CSRF_PROTECTION_COOKIE  = 'cookie';
     public const CSRF_PROTECTION_SESSION = 'session';
-    protected const CSRF_HASH_BYTES      = 16;
+
+    /**
+     * CSRF hash length in bytes.
+     */
+    protected const CSRF_HASH_BYTES = 16;
+
+    /**
+     * CSRF hash length in hexadecimal characters.
+     */
+    protected const CSRF_HASH_HEX = self::CSRF_HASH_BYTES * 2;
 
     /**
      * CSRF Hash (without randomization)
@@ -51,6 +59,8 @@ class Security implements SecurityInterface
 
     /**
      * @var Cookie
+     *
+     * @deprecated v4.8.0 Use service('response')->getCookie() instead.
      */
     protected $cookie;
 
@@ -63,17 +73,12 @@ class Security implements SecurityInterface
      */
     protected $cookieName = 'csrf_cookie_name';
 
-    private readonly IncomingRequest $request;
-
     /**
      * CSRF Cookie Name without Prefix
      */
     private ?string $rawCookieName = null;
 
-    /**
-     * Session instance.
-     */
-    private ?Session $session = null;
+    private ?SessionInterface $session = null;
 
     /**
      * CSRF Hash in Request Cookie
@@ -83,25 +88,17 @@ class Security implements SecurityInterface
      */
     private ?string $hashInCookie = null;
 
-    protected SecurityConfig $config;
-
-    public function __construct(SecurityConfig $config)
+    public function __construct(protected SecurityConfig $config)
     {
-        $this->config = $config;
-
         $this->rawCookieName = $config->cookieName;
 
-        if ($this->isCSRFCookie()) {
-            $cookie = config(CookieConfig::class);
-
-            $this->configureCookie($cookie);
+        if ($this->isCsrfCookie()) {
+            $this->configureCookie(config(CookieConfig::class));
         } else {
-            // Session based CSRF protection
             $this->configureSession();
         }
 
-        $this->request      = service('request');
-        $this->hashInCookie = $this->request->getCookie($this->cookieName);
+        $this->hashInCookie = service('request')->getCookie($this->cookieName);
 
         $this->restoreHash();
 
@@ -148,7 +145,9 @@ public function verify(RequestInterface $request): static
 
     public function getHash(): ?string
     {
-        return $this->config->tokenRandomize ? $this->randomize($this->hash) : $this->hash;
+        return $this->config->tokenRandomize && isset($this->hash)
+            ? $this->randomize($this->hash)
+            : $this->hash;
     }
 
     public function getTokenName(): string
@@ -171,14 +170,16 @@ public function shouldRedirect(): bool
         return $this->config->redirect;
     }
 
+    /**
+     * @phpstan-assert string $this->hash
+     */
     public function generateHash(): string
     {
         $this->hash = bin2hex(random_bytes(static::CSRF_HASH_BYTES));
 
-        if ($this->isCSRFCookie()) {
+        if ($this->isCsrfCookie()) {
             $this->saveHashInCookie();
         } else {
-            // Session based CSRF protection
             $this->saveHashInSession();
         }
 
@@ -207,30 +208,39 @@ protected function randomize(string $hash): string
      */
     protected function derandomize(#[SensitiveParameter] string $token): string
     {
-        $key   = substr($token, -static::CSRF_HASH_BYTES * 2);
-        $value = substr($token, 0, static::CSRF_HASH_BYTES * 2);
+        // The token should be in the format of `randomizedHash` + `key`,
+        // where both `randomizedHash` and `key` are hex strings of length CSRF_HASH_HEX.
+        if (strlen($token) !== self::CSRF_HASH_HEX * 2) {
+            throw new InvalidArgumentException('Invalid CSRF token.');
+        }
 
-        try {
-            return bin2hex((string) hex2bin($value) ^ (string) hex2bin($key));
-        } catch (ErrorException $e) {
-            throw new InvalidArgumentException($e->getMessage(), $e->getCode(), $e);
+        $keyBinary  = hex2bin(substr($token, -self::CSRF_HASH_HEX));
+        $hashBinary = hex2bin(substr($token, 0, self::CSRF_HASH_HEX));
+
+        if ($hashBinary === false || $keyBinary === false) {
+            throw new InvalidArgumentException('Invalid CSRF token.');
         }
+
+        return bin2hex($hashBinary ^ $keyBinary);
     }
 
-    private function isCSRFCookie(): bool
+    private function isCsrfCookie(): bool
     {
         return $this->config->csrfProtection === self::CSRF_PROTECTION_COOKIE;
     }
 
+    /**
+     * @phpstan-assert SessionInterface $this->session
+     */
     private function configureSession(): void
     {
         $this->session = service('session');
     }
 
     private function configureCookie(CookieConfig $cookie): void
     {
-        $cookiePrefix     = $cookie->prefix;
-        $this->cookieName = $cookiePrefix . $this->rawCookieName;
+        $this->cookieName = $cookie->prefix . $this->rawCookieName;
+
         Cookie::setDefaults($cookie);
     }
 
@@ -343,13 +353,16 @@ private function isNonEmptyTokenString(mixed $token): bool
      */
     private function restoreHash(): void
     {
-        if ($this->isCSRFCookie()) {
-            if ($this->isHashInCookie()) {
-                $this->hash = $this->hashInCookie;
-            }
-        } elseif ($this->session->has($this->config->tokenName)) {
-            // Session based CSRF protection
-            $this->hash = $this->session->get($this->config->tokenName);
+        if ($this->isCsrfCookie()) {
+            $this->hash = $this->isHashInCookie() ? $this->hashInCookie : null;
+
+            return;
+        }
+
+        $tokenName = $this->config->tokenName;
+
+        if ($this->session instanceof SessionInterface && $this->session->has($tokenName)) {
+            $this->hash = $this->session->get($tokenName);
         }
     }
 
@@ -359,28 +372,33 @@ private function isHashInCookie(): bool
             return false;
         }
 
-        $length  = static::CSRF_HASH_BYTES * 2;
-        $pattern = '#^[0-9a-f]{' . $length . '}$#iS';
+        if (strlen($this->hashInCookie) !== self::CSRF_HASH_HEX) {
+            return false;
+        }
 
-        return preg_match($pattern, $this->hashInCookie) === 1;
+        return ctype_xdigit($this->hashInCookie);
     }
 
     private function saveHashInCookie(): void
     {
-        $this->cookie = new Cookie(
+        $expires = $this->config->expires === 0 ? 0 : Time::now()->getTimestamp() + $this->config->expires;
+
+        $cookie = new Cookie(
             $this->rawCookieName,
             $this->hash,
-            [
-                'expires' => $this->config->expires === 0 ? 0 : Time::now()->getTimestamp() + $this->config->expires,
-            ],
+            compact('expires'),
         );
 
-        $response = service('response');
-        $response->setCookie($this->cookie);
+        service('response')->setCookie($cookie);
+
+        // For backward compatibility, we also set the cookie value to $this->cookie property.
+        // @todo v4.8.0 Remove $this->cookie property and its usages.
+        $this->cookie = $cookie;
     }
 
     private function saveHashInSession(): void
     {
+        assert($this->session instanceof SessionInterface);
         $this->session->set($this->config->tokenName, $this->hash);
     }
 }

tests/system/Security/SecurityCSRFCookieRandomizeTokenTest.php

@@ -15,7 +15,6 @@
 
 use CodeIgniter\Config\Factories;
 use CodeIgniter\Config\Services;
-use CodeIgniter\Cookie\Cookie;
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\SiteURI;
 use CodeIgniter\HTTP\UserAgent;
@@ -32,66 +31,59 @@
 #[Group('Others')]
 final class SecurityCSRFCookieRandomizeTokenTest extends CIUnitTestCase
 {
-    /**
-     * @var string CSRF protection hash
-     */
-    private string $hash = '8b9218a55906f9dcc1dc263dce7f005a';
-
-    /**
-     * @var string CSRF randomized token
-     */
-    private string $randomizedToken = '8bc70b67c91494e815c7d2219c1ae0ab005513c290126d34d41bf41c5265e0f1';
-
-    private SecurityConfig $config;
+    private const CSRF_PROTECTION_HASH  = '8b9218a55906f9dcc1dc263dce7f005a';
+    private const CSRF_RANDOMIZED_TOKEN = '8bc70b67c91494e815c7d2219c1ae0ab005513c290126d34d41bf41c5265e0f1';
 
     protected function setUp(): void
     {
         parent::setUp();
 
-        Services::injectMock('superglobals', new Superglobals(null, null, null, []));
+        Services::injectMock('superglobals', new Superglobals(post: [], cookie: []));
+
+        $config                 = new SecurityConfig();
+        $config->csrfProtection = Security::CSRF_PROTECTION_COOKIE;
+        $config->tokenRandomize = true;
+        Factories::injectMock('config', 'Security', $config);
+
+        $security = new MockSecurity($config);
+        service('superglobals')->setCookie($security->getCookieName(), self::CSRF_PROTECTION_HASH);
 
-        $this->config                 = new SecurityConfig();
-        $this->config->csrfProtection = Security::CSRF_PROTECTION_COOKIE;
-        $this->config->tokenRandomize = true;
-        Factories::injectMock('config', 'Security', $this->config);
+        $this->resetServices();
+    }
 
-        // Set Cookie value
-        $security = new MockSecurity($this->config);
-        service('superglobals')->setCookie($security->getCookieName(), $this->hash);
+    protected function tearDown(): void
+    {
+        parent::tearDown();
 
         $this->resetServices();
+        Factories::reset('config');
     }
 
     public function testTokenIsReadFromCookie(): void
     {
-        $security = new MockSecurity($this->config);
+        $security = new MockSecurity(config('Security'));
 
-        $this->assertSame(
-            $this->randomizedToken,
-            $security->getHash(),
-        );
+        $this->assertSame(self::CSRF_RANDOMIZED_TOKEN, $security->getHash());
     }
 
-    public function testCSRFVerifySetNewCookie(): void
+    public function testCsrfVerifySetNewCookie(): void
     {
-        service('superglobals')->setServer('REQUEST_METHOD', 'POST');
-        service('superglobals')->setPost('foo', 'bar');
-        service('superglobals')->setPost('csrf_test_name', $this->randomizedToken);
+        service('superglobals')
+            ->setServer('REQUEST_METHOD', 'POST')
+            ->setPost('foo', 'bar')
+            ->setPost('csrf_test_name', self::CSRF_RANDOMIZED_TOKEN);
 
         $config  = new MockAppConfig();
         $request = new IncomingRequest($config, new SiteURI($config), null, new UserAgent());
 
-        $security = new Security($this->config);
+        $security = new Security(config('Security'));
 
         $this->assertInstanceOf(Security::class, $security->verify($request));
         $this->assertLogged('info', 'CSRF token verified.');
-        $this->assertCount(1, service('superglobals')->getPostArray());
-
-        /** @var Cookie $cookie */
-        $cookie  = $this->getPrivateProperty($security, 'cookie');
-        $newHash = $cookie->getValue();
+        $this->assertSame(['foo' => 'bar'], service('superglobals')->getPostArray());
 
-        $this->assertNotSame($this->hash, $newHash);
-        $this->assertSame(32, strlen($newHash));
+        $cookieHash = service('response')->getCookie($security->getCookieName())->getValue();
+        $this->assertNotSame(self::CSRF_PROTECTION_HASH, $cookieHash);
+        $this->assertSame(32, strlen($cookieHash));
     }
 }

user_guide_src/source/changelogs/v4.8.0.rst

@@ -26,7 +26,8 @@ Behavior Changes
 Interface Changes
 =================
 
-**NOTE:** If you've implemented your own classes that implement these interfaces from scratch, you will need to update your implementations to include the new methods to ensure compatibility.
+**NOTE:** If you've implemented your own classes that implement these interfaces from scratch, you will need to
+        update your implementations to include the new methods or method changes to ensure compatibility.
 
 - **Security:** The ``SecurityInterface``'s ``verify()`` method now has a native return type of ``static``.