Added CSRF check in weatherdata API

jumpapp/classes/Config.php

@@ -42,9 +42,18 @@ class Config {
         'noindex'
     ];
 
+    /**
+     * Session config params.
+     */
+    private const CONFIG_SESSION = [
+        'sessionname' => 'JUMP',
+        'sessiontimeout' => '10 minutes'
+    ];
+
     public function __construct() {
         $this->config = new \PHLAK\Config\Config(__DIR__.'/../config.php');
         $this->add_wwwroot_to_base_paths();
+        $this->add_session_config();
         if ($this->config_params_missing()) {
             throw new Exception('Config.php must always contain... '.implode(', ', self::CONFIG_PARAMS));
         }
@@ -63,6 +72,11 @@ class Config {
         }
     }
 
+    private function add_session_config(): void {
+        foreach(self::CONFIG_SESSION as $key => $value) {
+            $this->config->set($key, $value);
+        }
+    }
     /**
      * Determine if any configuration params are missing in the list loaded
      * from the config.php.

jumpapp/classes/Main.php

@@ -14,6 +14,8 @@ class Main {
 
     private Cache $cache;
     private Config $config;
+    private \Nette\Http\Request $request;
+    private \Nette\Http\Session $session;
 
     public function __construct() {
         $this->config = new Config();
@@ -27,10 +29,24 @@ class Main {
     }
 
     function init() {
+        // Create a request object based on globals so we can utilise url rewriting etc.
+        $this->request = (new \Nette\Http\RequestFactory)->fromGlobals();
+
+        // Initialise a new session using the request object.
+        $this->session = new \Nette\Http\Session($this->request, new \Nette\Http\Response);
+        $this->session->setName($this->config->get('sessionname'));
+        $this->session->setExpiration($this->config->get('sessiontimeout'));
+
+        // Get a Nette session section for CSRF data.
+        $csrfsection = $this->session->getSection('csrf');
+
+        // Create a new CSRF token within the section if one doesn't exist already.
+        if (!$csrfsection->offsetExists('token')){
+            $csrfsection->set('token', bin2hex(random_bytes(32)));
+        }
+
         // Try to match the correct route based on the HTTP request.
-        $matchedroute = $this->router->match(
-            (new \Nette\Http\RequestFactory)->fromGlobals()
-        );
+        $matchedroute = $this->router->match($this->request);
 
         // If we do not have a matched route then just serve up the home page.
         $pageclass = $matchedroute['class'] ?? 'Jump\Pages\HomePage';
@@ -38,7 +54,7 @@ class Main {
 
         // Instantiate the correct class to build the requested page, get the
         // content and return it.
-        $page = new $pageclass($this->config, $this->cache, $param ?? null);
+        $page = new $pageclass($this->config, $this->cache, $this->session, $param ?? null);
         return $page->get_output();
     }
 

jumpapp/classes/Pages/AbstractPage.php

@@ -14,7 +14,12 @@ abstract class AbstractPage {
      * @param \Jump\Cache $cache
      * @param string|null $generic param, passed from router.
      */
-    public function __construct(protected \Jump\Config $config, protected \Jump\Cache $cache, protected ?string $param = null) {
+    public function __construct(
+        protected \Jump\Config $config,
+        protected \Jump\Cache $cache,
+        protected \Nette\Http\Session $session,
+        protected ?string $param = null
+    ){
         $this->hastags = false;
         $this->mustache = new \Mustache_Engine([
             'loader' => new \Mustache_Loader_FilesystemLoader($this->config->get('templatedir')),

jumpapp/classes/Pages/HomePage.php

@@ -10,7 +10,9 @@ class HomePage extends AbstractPage {
         if (!$this->config->parse_bool($this->config->get('showgreeting'))) {
             $greeting = 'home';
         }
+        $csrfsection = $this->session->getSection('csrf');
         return $template->render([
+            'csrftoken' => $csrfsection->get('token'),
             'greeting' => $greeting,
             'noindex' => $this->config->parse_bool($this->config->get('noindex')),
             'title' => $this->config->get('sitename'),

jumpapp/classes/Pages/TagPage.php

@@ -10,7 +10,9 @@ class TagPage extends AbstractPage {
         $template = $this->mustache->loadTemplate('header');
         $greeting = $this->param;
         $title = 'Tag: '.$this->param;
+        $csrfsection = $this->session->getSection('csrf');
         return $template->render([
+            'csrftoken' => $csrfsection->get('token'),
             'greeting' => $greeting,
             'noindex' => $this->config->parse_bool($this->config->get('noindex')),
             'title' => $title,