Clean code
This commit is contained in:
julien
@@ -7,46 +7,51 @@ abstract class BaseController
|
||||
protected Base $f3;
|
||||
protected DB\SQL $db;
|
||||
|
||||
private ?array $resolvedUser = null;
|
||||
private bool $userResolved = false;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$this->f3 = Base::instance();
|
||||
$this->db = $this->f3->get('DB');
|
||||
}
|
||||
|
||||
protected function renderPublic(string $view, array $data = []): void
|
||||
protected function render(string $view, array $data = [], int $cacheTtl = 0): void
|
||||
{
|
||||
$user = $this->currentUser();
|
||||
|
||||
$this->f3->mset($data + [
|
||||
'view' => $view,
|
||||
'currentUser' => $user,
|
||||
'flash' => array_key_exists('flash', $data) && is_array($data['flash']) ? $data['flash'] : null,
|
||||
'csrfToken' => $user !== null ? $this->csrfToken() : null,
|
||||
]);
|
||||
// Les pages publiques émettent un Cache-Control avec le TTL demandé.
|
||||
// Un utilisateur connecté voit un état de session (nav, CSRF) :
|
||||
// on force expire(0) pour ne pas servir ce rendu à d'autres visiteurs.
|
||||
$this->f3->expire($user !== null ? 0 : $cacheTtl);
|
||||
|
||||
echo Template::instance()->render('layout.html');
|
||||
}
|
||||
|
||||
protected function renderSession(string $view, array $data = [], bool $withCsrf = false): void
|
||||
{
|
||||
$flash = array_key_exists('flash', $data) && is_array($data['flash'])
|
||||
? $data['flash']
|
||||
: $this->pullFlash();
|
||||
|
||||
$this->f3->mset($data + [
|
||||
'view' => $view,
|
||||
'currentUser' => $this->currentUser(),
|
||||
'currentUser' => $user,
|
||||
'flash' => $flash,
|
||||
'csrfToken' => $withCsrf ? $this->csrfToken() : null,
|
||||
'metaDescription' => null,
|
||||
]);
|
||||
|
||||
// Persister le jeton CSRF courant en session : le formulaire
|
||||
// affiche @CSRF (jeton de cette requête) ; à la soumission,
|
||||
// verifyCsrf() le comparera à SESSION.csrf.
|
||||
$this->f3->copy('CSRF', 'SESSION.csrf');
|
||||
echo Template::instance()->render('layout.html');
|
||||
}
|
||||
|
||||
protected function currentUser(): ?array
|
||||
{
|
||||
$userId = (int) ($this->f3->get('SESSION.user_id') ?? 0);
|
||||
return $userId > 0 ? (new User($this->db))->findById($userId) : null;
|
||||
if (!$this->userResolved) {
|
||||
$userId = (int) ($this->f3->get('SESSION.user_id') ?? 0);
|
||||
$this->resolvedUser = $userId > 0 ? (new User($this->db))->findById($userId) : null;
|
||||
$this->userResolved = true;
|
||||
}
|
||||
|
||||
return $this->resolvedUser;
|
||||
}
|
||||
|
||||
protected function requireAuth(): void
|
||||
@@ -59,33 +64,14 @@ abstract class BaseController
|
||||
$this->f3->reroute('@login');
|
||||
}
|
||||
|
||||
protected function disableCache(): void
|
||||
{
|
||||
$this->f3->expire(0);
|
||||
}
|
||||
|
||||
protected function csrfToken(): string
|
||||
{
|
||||
$token = (string) ($this->f3->get('SESSION.csrf_token') ?? '');
|
||||
if ($token === '') {
|
||||
$token = bin2hex(random_bytes(32));
|
||||
$this->f3->set('SESSION.csrf_token', $token);
|
||||
}
|
||||
|
||||
return $token;
|
||||
}
|
||||
|
||||
protected function refreshCsrfToken(): string
|
||||
{
|
||||
$token = bin2hex(random_bytes(32));
|
||||
$this->f3->set('SESSION.csrf_token', $token);
|
||||
return $token;
|
||||
}
|
||||
|
||||
// Le jeton CSRF est fourni par la classe Session de F3
|
||||
// (clé de ruche « CSRF », copiée en SESSION.csrf à chaque requête).
|
||||
// Le formulaire envoie le jeton affiché lors du GET précédent,
|
||||
// qu'on compare au jeton sauvegardé en session.
|
||||
protected function verifyCsrf(): void
|
||||
{
|
||||
$submitted = (string) ($this->f3->get('POST.csrf_token') ?? '');
|
||||
$expected = (string) ($this->f3->get('SESSION.csrf_token') ?? '');
|
||||
$expected = (string) ($this->f3->get('SESSION.csrf') ?? '');
|
||||
|
||||
if ($submitted !== '' && $expected !== '' && hash_equals($expected, $submitted)) {
|
||||
return;
|
||||
|
||||
Reference in New Issue
Block a user