turnstile

PaivanaCookie.php (3578B)

---

 <?php
 
 /**
  * @file
  * Helper for the Turnstile Paivana access cookie.
  */
 
 namespace Drupal\taler_turnstile;
 
 use Drupal\Core\PrivateKey;
 use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\Request;
 
 /**
  * Mints and verifies the cookie that grants access to a previously
  * paid-for fulfillment URL. The cookie is bound to the visitor's IP
  * address and the fulfillment URL, and carries its own expiration in
  * its prefix:
  *
  *   value := <cur_time>-<base64url(HMAC-SHA256(secret, cur_time||url||ip))>
  *
  * Mirrors the paivana-httpd implementation but uses HMAC-SHA256 with
  * Drupal's private_key as keying material so we do not need a new
  * config storage for a server-side secret.
  */
 class PaivanaCookie {
 
   /**
    * Cookie name; must match the constant exported from the .module file.
    */
   const COOKIE_NAME = 'taler_turnstile_paivana';
 
   /**
    * @var \Drupal\Core\PrivateKey
    */
   protected $privateKey;
 
   public function __construct(PrivateKey $private_key) {
     $this->privateKey = $private_key;
   }
 
 
   /**
    * Compute the keyed hash for ($cur_time, $website, $client_addr).
    * Returned as URL-safe base64 without padding.
    */
   protected function hash(int $cur_time, string $website, string $client_addr): string {
     $msg = pack('NN', 0, $cur_time) . $website . "\0" . $client_addr;
     $raw = hash_hmac('sha256', $msg, $this->privateKey->get(), TRUE);
     return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
   }
 
 
   /**
    * Build a cookie carrying access for $website, valid until
    * now + $lifetime_seconds. Cookie is bound to the request's
    * client address.
    *
    * The cookie's Path attribute is scoped to the website's URL path,
    * so it is only sent back when the browser visits exactly that
    * resource. This mirrors paivana-httpd's default (per-URL cookie):
    * other paywalled pages on the same host get their own cookie and
    * cannot piggy-back on this one. As a side effect, it also keeps
    * the cookie out of unrelated requests, so the page cache for
    * other URLs stays warm.
    *
    * @return \Symfony\Component\HttpFoundation\Cookie
    */
   public function mint(Request $request, string $website, int $lifetime_seconds): Cookie {
     $expires = time() + $lifetime_seconds;
     $client_addr = $request->getClientIp() ?? '';
     $value = $expires . '-' . $this->hash($expires, $website, $client_addr);
     $path = parse_url($website, PHP_URL_PATH);
     if (! is_string($path) || $path === '') {
       $path = '/';
     }
     return Cookie::create(
       self::COOKIE_NAME,
       $value,
       $expires,
       $path,
       NULL,
       $request->isSecure(),
       TRUE,
       FALSE,
       Cookie::SAMESITE_LAX
     );
   }
 
 
   /**
    * Check whether the request carries a valid Turnstile cookie for
    * $website. Returns TRUE only if the cookie's MAC matches and its
    * timestamp is still in the future.
    */
   public function verify(Request $request, string $website): bool {
     $value = $request->cookies->get(self::COOKIE_NAME);
     if (! is_string($value) || $value === '') {
       return FALSE;
     }
     $dash = strpos($value, '-');
     if ($dash === FALSE) {
       return FALSE;
     }
     $ts_part = substr($value, 0, $dash);
     $mac_part = substr($value, $dash + 1);
     if (! ctype_digit($ts_part)) {
       return FALSE;
     }
     $ts = (int) $ts_part;
     if ($ts <= time()) {
       return FALSE;
     }
     $client_addr = $request->getClientIp() ?? '';
     $expected = $this->hash($ts, $website, $client_addr);
     return hash_equals($expected, $mac_part);
   }
 
 }