Refactor SettingsUpdatePassword and PasswordManager to improve password validation and ensure UUID integrity

https://github.com/nosial/Socialbox-PHP/issues/70
This commit is contained in:
netkas 2025-03-12 14:14:03 -04:00
parent 76a343a36d
commit 9c8945141c
Signed by: netkas
GPG key ID: 4D8629441B76E4CC
2 changed files with 11 additions and 15 deletions

View file

@ -3,11 +3,9 @@
namespace Socialbox\Classes\StandardMethods\Settings; namespace Socialbox\Classes\StandardMethods\Settings;
use Socialbox\Abstracts\Method; use Socialbox\Abstracts\Method;
use Socialbox\Classes\Cryptography;
use Socialbox\Enums\StandardError; use Socialbox\Enums\StandardError;
use Socialbox\Exceptions\CryptographyException; use Socialbox\Exceptions\CryptographyException;
use Socialbox\Exceptions\DatabaseOperationException; use Socialbox\Exceptions\DatabaseOperationException;
use Socialbox\Exceptions\Standard\InvalidRpcArgumentException;
use Socialbox\Exceptions\Standard\MissingRpcArgumentException; use Socialbox\Exceptions\Standard\MissingRpcArgumentException;
use Socialbox\Exceptions\Standard\StandardRpcException; use Socialbox\Exceptions\Standard\StandardRpcException;
use Socialbox\Interfaces\SerializableInterface; use Socialbox\Interfaces\SerializableInterface;
@ -26,22 +24,11 @@
{ {
throw new MissingRpcArgumentException('password'); throw new MissingRpcArgumentException('password');
} }
if(!Cryptography::validatePasswordHash($rpcRequest->getParameter('password')))
{
throw new InvalidRpcArgumentException('password', 'Must be a valid argon2id hash');
}
if(!$rpcRequest->containsParameter('existing_password')) if(!$rpcRequest->containsParameter('existing_password'))
{ {
throw new MissingRpcArgumentException('existing_password'); throw new MissingRpcArgumentException('existing_password');
} }
if(!Cryptography::validateSha512($rpcRequest->getParameter('existing_password')))
{
throw new InvalidRpcArgumentException('existing_password', 'Must be a valid SHA-512 hash');
}
try try
{ {
if (!PasswordManager::usesPassword($request->getPeer()->getUuid())) if (!PasswordManager::usesPassword($request->getPeer()->getUuid()))
@ -73,7 +60,7 @@
try try
{ {
// Set the password // Set the password
PasswordManager::updatePassword($request->getPeer(), $rpcRequest->getParameter('password')); PasswordManager::updatePassword($request->getPeer(), (string)$rpcRequest->getParameter('password'));
} }
catch(CryptographyException $e) catch(CryptographyException $e)
{ {

View file

@ -3,6 +3,7 @@
namespace Socialbox\Managers; namespace Socialbox\Managers;
use DateTime; use DateTime;
use InvalidArgumentException;
use PDO; use PDO;
use PDOException; use PDOException;
use Socialbox\Classes\Configuration; use Socialbox\Classes\Configuration;
@ -28,6 +29,10 @@
{ {
$peerUuid = $peerUuid->getUuid(); $peerUuid = $peerUuid->getUuid();
} }
elseif(!Validator::validateUuid($peerUuid))
{
throw new InvalidArgumentException('The given internal peer UUID is not a valid UUID V4');
}
try try
{ {
@ -97,10 +102,14 @@
{ {
$peerUuid = $peerUuid->getUuid(); $peerUuid = $peerUuid->getUuid();
} }
elseif(!Validator::validateUuid($peerUuid))
{
throw new CryptographyException('The given internal peer UUID is not a valid UUID V4');
}
if(!Cryptography::validatePasswordHash($hash)) if(!Cryptography::validatePasswordHash($hash))
{ {
throw new CryptographyException('Invalid password hash'); throw new CryptographyException('Invalid password argon2id hash');
} }
$encryptionKey = Configuration::getCryptographyConfiguration()->getRandomInternalEncryptionKey(); $encryptionKey = Configuration::getCryptographyConfiguration()->getRandomInternalEncryptionKey();