Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
| Total | |
0.00% |
0 / 100 |
|
0.00% |
0 / 9 |
CRAP | |
0.00% |
0 / 1 |
| webpush | |
0.00% |
0 / 100 |
|
0.00% |
0 / 9 |
600 | |
0.00% |
0 / 1 |
| __construct | |
0.00% |
0 / 10 |
|
0.00% |
0 / 1 |
2 | |||
| notification | |
0.00% |
0 / 8 |
|
0.00% |
0 / 1 |
42 | |||
| get_user_notifications | |
0.00% |
0 / 13 |
|
0.00% |
0 / 1 |
6 | |||
| get_anonymous_notifications | |
0.00% |
0 / 25 |
|
0.00% |
0 / 1 |
12 | |||
| worker | |
0.00% |
0 / 9 |
|
0.00% |
0 / 1 |
6 | |||
| get_subscribe_vars | |
0.00% |
0 / 5 |
|
0.00% |
0 / 1 |
2 | |||
| check_subscribe_requests | |
0.00% |
0 / 5 |
|
0.00% |
0 / 1 |
56 | |||
| subscribe | |
0.00% |
0 / 14 |
|
0.00% |
0 / 1 |
2 | |||
| unsubscribe | |
0.00% |
0 / 11 |
|
0.00% |
0 / 1 |
2 | |||
| 1 | <?php |
| 2 | /** |
| 3 | * |
| 4 | * This file is part of the phpBB Forum Software package. |
| 5 | * |
| 6 | * @copyright (c) phpBB Limited <https://www.phpbb.com> |
| 7 | * @license GNU General Public License, version 2 (GPL-2.0) |
| 8 | * |
| 9 | * For full copyright and license information, please see |
| 10 | * the docs/CREDITS.txt file. |
| 11 | * |
| 12 | */ |
| 13 | |
| 14 | namespace phpbb\ucp\controller; |
| 15 | |
| 16 | use phpbb\config\config; |
| 17 | use phpbb\controller\helper as controller_helper; |
| 18 | use phpbb\db\driver\driver_interface; |
| 19 | use phpbb\exception\http_exception; |
| 20 | use phpbb\form\form_helper; |
| 21 | use phpbb\json\sanitizer as json_sanitizer; |
| 22 | use phpbb\path_helper; |
| 23 | use phpbb\request\request_interface; |
| 24 | use phpbb\symfony_request; |
| 25 | use phpbb\user; |
| 26 | use Symfony\Component\HttpFoundation\JsonResponse; |
| 27 | use Symfony\Component\HttpFoundation\Response; |
| 28 | use Twig\Environment; |
| 29 | use Twig\Error\LoaderError; |
| 30 | use Twig\Error\RuntimeError; |
| 31 | use Twig\Error\SyntaxError; |
| 32 | |
| 33 | class webpush |
| 34 | { |
| 35 | /** @var string UCP form token name */ |
| 36 | public const FORM_TOKEN_UCP = 'ucp_webpush'; |
| 37 | |
| 38 | /** @var config */ |
| 39 | protected $config; |
| 40 | |
| 41 | /** @var controller_helper */ |
| 42 | protected $controller_helper; |
| 43 | |
| 44 | /** @var driver_interface */ |
| 45 | protected $db; |
| 46 | |
| 47 | /** @var form_helper */ |
| 48 | protected $form_helper; |
| 49 | |
| 50 | /** @var path_helper */ |
| 51 | protected $path_helper; |
| 52 | |
| 53 | /** @var request_interface */ |
| 54 | protected $request; |
| 55 | |
| 56 | /** @var user */ |
| 57 | protected $user; |
| 58 | |
| 59 | /** @var Environment */ |
| 60 | protected $template; |
| 61 | |
| 62 | /** @var string */ |
| 63 | protected $notification_webpush_table; |
| 64 | |
| 65 | /** @var string */ |
| 66 | protected $push_subscriptions_table; |
| 67 | |
| 68 | /** |
| 69 | * Constructor for webpush controller |
| 70 | * |
| 71 | * @param config $config |
| 72 | * @param controller_helper $controller_helper |
| 73 | * @param driver_interface $db |
| 74 | * @param form_helper $form_helper |
| 75 | * @param path_helper $path_helper |
| 76 | * @param request_interface $request |
| 77 | * @param user $user |
| 78 | * @param Environment $template |
| 79 | * @param string $notification_webpush_table |
| 80 | * @param string $push_subscriptions_table |
| 81 | */ |
| 82 | public function __construct(config $config, controller_helper $controller_helper, driver_interface $db, form_helper $form_helper, path_helper $path_helper, |
| 83 | request_interface $request, user $user, Environment $template, string $notification_webpush_table, string $push_subscriptions_table) |
| 84 | { |
| 85 | $this->config = $config; |
| 86 | $this->controller_helper = $controller_helper; |
| 87 | $this->db = $db; |
| 88 | $this->form_helper = $form_helper; |
| 89 | $this->path_helper = $path_helper; |
| 90 | $this->request = $request; |
| 91 | $this->user = $user; |
| 92 | $this->template = $template; |
| 93 | $this->notification_webpush_table = $notification_webpush_table; |
| 94 | $this->push_subscriptions_table = $push_subscriptions_table; |
| 95 | } |
| 96 | |
| 97 | /** |
| 98 | * Handle request to retrieve notification data |
| 99 | * |
| 100 | * @return JsonResponse |
| 101 | */ |
| 102 | public function notification(): JsonResponse |
| 103 | { |
| 104 | if (!$this->request->is_ajax() || $this->user->data['is_bot'] || $this->user->data['user_type'] == USER_INACTIVE) |
| 105 | { |
| 106 | throw new http_exception(Response::HTTP_FORBIDDEN, 'NO_AUTH_OPERATION'); |
| 107 | } |
| 108 | |
| 109 | if ($this->user->id() !== ANONYMOUS) |
| 110 | { |
| 111 | $notification_data = $this->get_user_notifications(); |
| 112 | } |
| 113 | else |
| 114 | { |
| 115 | $notification_data = $this->get_anonymous_notifications(); |
| 116 | } |
| 117 | |
| 118 | // Decode and return data if everything is fine |
| 119 | $data = json_decode($notification_data, true); |
| 120 | $data['url'] = isset($data['url']) ? $this->path_helper->update_web_root_path($data['url']) : ''; |
| 121 | |
| 122 | return new JsonResponse($data); |
| 123 | } |
| 124 | |
| 125 | /** |
| 126 | * Get notification data for logged in user |
| 127 | * |
| 128 | * @return string Notification data |
| 129 | */ |
| 130 | private function get_user_notifications(): string |
| 131 | { |
| 132 | // Subscribe should only be available for logged-in "normal" users |
| 133 | if ($this->user->data['user_type'] == USER_IGNORE) |
| 134 | { |
| 135 | throw new http_exception(Response::HTTP_FORBIDDEN, 'NO_AUTH_OPERATION'); |
| 136 | } |
| 137 | |
| 138 | $item_id = $this->request->variable('item_id', 0); |
| 139 | $type_id = $this->request->variable('type_id', 0); |
| 140 | |
| 141 | $sql = 'SELECT push_data |
| 142 | FROM ' . $this->notification_webpush_table . ' |
| 143 | WHERE user_id = ' . (int) $this->user->id() . ' |
| 144 | AND notification_type_id = ' . (int) $type_id . ' |
| 145 | AND item_id = ' . (int) $item_id; |
| 146 | $result = $this->db->sql_query($sql); |
| 147 | $notification_data = $this->db->sql_fetchfield('push_data'); |
| 148 | $this->db->sql_freeresult($result); |
| 149 | |
| 150 | return $notification_data; |
| 151 | } |
| 152 | |
| 153 | /** |
| 154 | * Get notification data for not logged in user via token |
| 155 | * |
| 156 | * @return string |
| 157 | */ |
| 158 | private function get_anonymous_notifications(): string |
| 159 | { |
| 160 | $token = $this->request->variable('token', ''); |
| 161 | |
| 162 | if ($token) |
| 163 | { |
| 164 | $item_id = $this->request->variable('item_id', 0); |
| 165 | $type_id = $this->request->variable('type_id', 0); |
| 166 | $user_id = $this->request->variable('user_id', 0); |
| 167 | |
| 168 | $sql = 'SELECT push_data, push_token |
| 169 | FROM ' . $this->notification_webpush_table . ' |
| 170 | WHERE user_id = ' . (int) $user_id . ' |
| 171 | AND notification_type_id = ' . (int) $type_id . ' |
| 172 | AND item_id = ' . (int) $item_id; |
| 173 | $result = $this->db->sql_query($sql); |
| 174 | $notification_row = $this->db->sql_fetchrow($result); |
| 175 | $this->db->sql_freeresult($result); |
| 176 | |
| 177 | $notification_data = $notification_row['push_data']; |
| 178 | $push_token = $notification_row['push_token']; |
| 179 | |
| 180 | // Check if passed push token is valid |
| 181 | $sql = 'SELECT user_form_salt |
| 182 | FROM ' . USERS_TABLE . ' |
| 183 | WHERE user_id = ' . (int) $user_id; |
| 184 | $result = $this->db->sql_query($sql); |
| 185 | $user_form_token = $this->db->sql_fetchfield('user_form_salt'); |
| 186 | $this->db->sql_freeresult($result); |
| 187 | |
| 188 | $expected_push_token = hash('sha256', $user_form_token . $push_token); |
| 189 | if ($expected_push_token === $token) |
| 190 | { |
| 191 | return $notification_data; |
| 192 | } |
| 193 | } |
| 194 | |
| 195 | throw new http_exception(Response::HTTP_FORBIDDEN, 'NO_AUTH_OPERATION'); |
| 196 | } |
| 197 | |
| 198 | /** |
| 199 | * Handle request to push worker javascript |
| 200 | * |
| 201 | * @return Response |
| 202 | * @throws LoaderError |
| 203 | * @throws RuntimeError |
| 204 | * @throws SyntaxError |
| 205 | */ |
| 206 | public function worker(): Response |
| 207 | { |
| 208 | // @todo: only work for logged in users, no anonymous & bot |
| 209 | $content = $this->template->render('push_worker.js.twig', [ |
| 210 | 'U_WEBPUSH_GET_NOTIFICATION' => $this->controller_helper->route('phpbb_ucp_push_get_notification_controller'), |
| 211 | 'ASSETS_VERSION' => $this->config['assets_version'], |
| 212 | ]); |
| 213 | |
| 214 | $response = new Response($content); |
| 215 | $response->headers->set('Content-Type', 'text/javascript; charset=UTF-8'); |
| 216 | |
| 217 | if (!empty($this->user->data['is_bot'])) |
| 218 | { |
| 219 | // Let reverse proxies know we detected a bot. |
| 220 | $response->headers->set('X-PHPBB-IS-BOT', 'yes'); |
| 221 | } |
| 222 | |
| 223 | return $response; |
| 224 | } |
| 225 | |
| 226 | /** |
| 227 | * Get template variables for subscribe type pages |
| 228 | * |
| 229 | * @return array |
| 230 | */ |
| 231 | protected function get_subscribe_vars(): array |
| 232 | { |
| 233 | return [ |
| 234 | 'U_WEBPUSH_SUBSCRIBE' => $this->controller_helper->route('phpbb_ucp_push_subscribe_controller'), |
| 235 | 'U_WEBPUSH_UNSUBSCRIBE' => $this->controller_helper->route('phpbb_ucp_push_unsubscribe_controller'), |
| 236 | 'FORM_TOKENS' => $this->form_helper->get_form_tokens(self::FORM_TOKEN_UCP), |
| 237 | ]; |
| 238 | } |
| 239 | |
| 240 | /** |
| 241 | * Check (un)subscribe form for valid link hash |
| 242 | * |
| 243 | * @throws http_exception If form is invalid or user should not request (un)subscription |
| 244 | * @return void |
| 245 | */ |
| 246 | protected function check_subscribe_requests(): void |
| 247 | { |
| 248 | if (!$this->form_helper->check_form_tokens(self::FORM_TOKEN_UCP)) |
| 249 | { |
| 250 | throw new http_exception(Response::HTTP_BAD_REQUEST, 'FORM_INVALID'); |
| 251 | } |
| 252 | |
| 253 | // Subscribe should only be available for logged-in "normal" users |
| 254 | if (!$this->request->is_ajax() || $this->user->id() === ANONYMOUS || $this->user->data['is_bot'] |
| 255 | || $this->user->data['user_type'] == USER_IGNORE || $this->user->data['user_type'] == USER_INACTIVE) |
| 256 | { |
| 257 | throw new http_exception(Response::HTTP_FORBIDDEN, 'NO_AUTH_OPERATION'); |
| 258 | } |
| 259 | } |
| 260 | |
| 261 | /** |
| 262 | * Handle subscribe requests |
| 263 | * |
| 264 | * @param symfony_request $symfony_request |
| 265 | * @return JsonResponse |
| 266 | */ |
| 267 | public function subscribe(symfony_request $symfony_request): JsonResponse |
| 268 | { |
| 269 | $this->check_subscribe_requests(); |
| 270 | |
| 271 | $data = json_sanitizer::decode($symfony_request->get('data', '')); |
| 272 | |
| 273 | $sql = 'INSERT INTO ' . $this->push_subscriptions_table . ' ' . $this->db->sql_build_array('INSERT', [ |
| 274 | 'user_id' => $this->user->id(), |
| 275 | 'endpoint' => $data['endpoint'], |
| 276 | 'expiration_time' => $data['expiration_time'] ?? 0, |
| 277 | 'p256dh' => $data['keys']['p256dh'], |
| 278 | 'auth' => $data['keys']['auth'], |
| 279 | ]); |
| 280 | $this->db->sql_query($sql); |
| 281 | |
| 282 | return new JsonResponse([ |
| 283 | 'success' => true, |
| 284 | 'form_tokens' => $this->form_helper->get_form_tokens(self::FORM_TOKEN_UCP), |
| 285 | ]); |
| 286 | } |
| 287 | |
| 288 | /** |
| 289 | * Handle unsubscribe requests |
| 290 | * |
| 291 | * @param symfony_request $symfony_request |
| 292 | * @return JsonResponse |
| 293 | */ |
| 294 | public function unsubscribe(symfony_request $symfony_request): JsonResponse |
| 295 | { |
| 296 | $this->check_subscribe_requests(); |
| 297 | |
| 298 | $data = json_sanitizer::decode($symfony_request->get('data', '')); |
| 299 | |
| 300 | $endpoint = $data['endpoint']; |
| 301 | |
| 302 | $sql = 'DELETE FROM ' . $this->push_subscriptions_table . ' |
| 303 | WHERE user_id = ' . (int) $this->user->id() . " |
| 304 | AND endpoint = '" . $this->db->sql_escape($endpoint) . "'"; |
| 305 | $this->db->sql_query($sql); |
| 306 | |
| 307 | return new JsonResponse([ |
| 308 | 'success' => true, |
| 309 | 'form_tokens' => $this->form_helper->get_form_tokens(self::FORM_TOKEN_UCP), |
| 310 | ]); |
| 311 | } |
| 312 | } |