Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
0.00% |
0 / 100 |
|
0.00% |
0 / 9 |
CRAP | |
0.00% |
0 / 1 |
webpush | |
0.00% |
0 / 100 |
|
0.00% |
0 / 9 |
600 | |
0.00% |
0 / 1 |
__construct | |
0.00% |
0 / 10 |
|
0.00% |
0 / 1 |
2 | |||
notification | |
0.00% |
0 / 8 |
|
0.00% |
0 / 1 |
42 | |||
get_user_notifications | |
0.00% |
0 / 13 |
|
0.00% |
0 / 1 |
6 | |||
get_anonymous_notifications | |
0.00% |
0 / 25 |
|
0.00% |
0 / 1 |
12 | |||
worker | |
0.00% |
0 / 9 |
|
0.00% |
0 / 1 |
6 | |||
get_subscribe_vars | |
0.00% |
0 / 5 |
|
0.00% |
0 / 1 |
2 | |||
check_subscribe_requests | |
0.00% |
0 / 5 |
|
0.00% |
0 / 1 |
56 | |||
subscribe | |
0.00% |
0 / 14 |
|
0.00% |
0 / 1 |
2 | |||
unsubscribe | |
0.00% |
0 / 11 |
|
0.00% |
0 / 1 |
2 |
1 | <?php |
2 | /** |
3 | * |
4 | * This file is part of the phpBB Forum Software package. |
5 | * |
6 | * @copyright (c) phpBB Limited <https://www.phpbb.com> |
7 | * @license GNU General Public License, version 2 (GPL-2.0) |
8 | * |
9 | * For full copyright and license information, please see |
10 | * the docs/CREDITS.txt file. |
11 | * |
12 | */ |
13 | |
14 | namespace phpbb\ucp\controller; |
15 | |
16 | use phpbb\config\config; |
17 | use phpbb\controller\helper as controller_helper; |
18 | use phpbb\db\driver\driver_interface; |
19 | use phpbb\exception\http_exception; |
20 | use phpbb\form\form_helper; |
21 | use phpbb\json\sanitizer as json_sanitizer; |
22 | use phpbb\path_helper; |
23 | use phpbb\request\request_interface; |
24 | use phpbb\symfony_request; |
25 | use phpbb\user; |
26 | use Symfony\Component\HttpFoundation\JsonResponse; |
27 | use Symfony\Component\HttpFoundation\Response; |
28 | use Twig\Environment; |
29 | use Twig\Error\LoaderError; |
30 | use Twig\Error\RuntimeError; |
31 | use Twig\Error\SyntaxError; |
32 | |
33 | class webpush |
34 | { |
35 | /** @var string UCP form token name */ |
36 | public const FORM_TOKEN_UCP = 'ucp_webpush'; |
37 | |
38 | /** @var config */ |
39 | protected $config; |
40 | |
41 | /** @var controller_helper */ |
42 | protected $controller_helper; |
43 | |
44 | /** @var driver_interface */ |
45 | protected $db; |
46 | |
47 | /** @var form_helper */ |
48 | protected $form_helper; |
49 | |
50 | /** @var path_helper */ |
51 | protected $path_helper; |
52 | |
53 | /** @var request_interface */ |
54 | protected $request; |
55 | |
56 | /** @var user */ |
57 | protected $user; |
58 | |
59 | /** @var Environment */ |
60 | protected $template; |
61 | |
62 | /** @var string */ |
63 | protected $notification_webpush_table; |
64 | |
65 | /** @var string */ |
66 | protected $push_subscriptions_table; |
67 | |
68 | /** |
69 | * Constructor for webpush controller |
70 | * |
71 | * @param config $config |
72 | * @param controller_helper $controller_helper |
73 | * @param driver_interface $db |
74 | * @param form_helper $form_helper |
75 | * @param path_helper $path_helper |
76 | * @param request_interface $request |
77 | * @param user $user |
78 | * @param Environment $template |
79 | * @param string $notification_webpush_table |
80 | * @param string $push_subscriptions_table |
81 | */ |
82 | public function __construct(config $config, controller_helper $controller_helper, driver_interface $db, form_helper $form_helper, path_helper $path_helper, |
83 | request_interface $request, user $user, Environment $template, string $notification_webpush_table, string $push_subscriptions_table) |
84 | { |
85 | $this->config = $config; |
86 | $this->controller_helper = $controller_helper; |
87 | $this->db = $db; |
88 | $this->form_helper = $form_helper; |
89 | $this->path_helper = $path_helper; |
90 | $this->request = $request; |
91 | $this->user = $user; |
92 | $this->template = $template; |
93 | $this->notification_webpush_table = $notification_webpush_table; |
94 | $this->push_subscriptions_table = $push_subscriptions_table; |
95 | } |
96 | |
97 | /** |
98 | * Handle request to retrieve notification data |
99 | * |
100 | * @return JsonResponse |
101 | */ |
102 | public function notification(): JsonResponse |
103 | { |
104 | if (!$this->request->is_ajax() || $this->user->data['is_bot'] || $this->user->data['user_type'] == USER_INACTIVE) |
105 | { |
106 | throw new http_exception(Response::HTTP_FORBIDDEN, 'NO_AUTH_OPERATION'); |
107 | } |
108 | |
109 | if ($this->user->id() !== ANONYMOUS) |
110 | { |
111 | $notification_data = $this->get_user_notifications(); |
112 | } |
113 | else |
114 | { |
115 | $notification_data = $this->get_anonymous_notifications(); |
116 | } |
117 | |
118 | // Decode and return data if everything is fine |
119 | $data = json_decode($notification_data, true); |
120 | $data['url'] = isset($data['url']) ? $this->path_helper->update_web_root_path($data['url']) : ''; |
121 | |
122 | return new JsonResponse($data); |
123 | } |
124 | |
125 | /** |
126 | * Get notification data for logged in user |
127 | * |
128 | * @return string Notification data |
129 | */ |
130 | private function get_user_notifications(): string |
131 | { |
132 | // Subscribe should only be available for logged-in "normal" users |
133 | if ($this->user->data['user_type'] == USER_IGNORE) |
134 | { |
135 | throw new http_exception(Response::HTTP_FORBIDDEN, 'NO_AUTH_OPERATION'); |
136 | } |
137 | |
138 | $item_id = $this->request->variable('item_id', 0); |
139 | $type_id = $this->request->variable('type_id', 0); |
140 | |
141 | $sql = 'SELECT push_data |
142 | FROM ' . $this->notification_webpush_table . ' |
143 | WHERE user_id = ' . (int) $this->user->id() . ' |
144 | AND notification_type_id = ' . (int) $type_id . ' |
145 | AND item_id = ' . (int) $item_id; |
146 | $result = $this->db->sql_query($sql); |
147 | $notification_data = $this->db->sql_fetchfield('push_data'); |
148 | $this->db->sql_freeresult($result); |
149 | |
150 | return $notification_data; |
151 | } |
152 | |
153 | /** |
154 | * Get notification data for not logged in user via token |
155 | * |
156 | * @return string |
157 | */ |
158 | private function get_anonymous_notifications(): string |
159 | { |
160 | $token = $this->request->variable('token', ''); |
161 | |
162 | if ($token) |
163 | { |
164 | $item_id = $this->request->variable('item_id', 0); |
165 | $type_id = $this->request->variable('type_id', 0); |
166 | $user_id = $this->request->variable('user_id', 0); |
167 | |
168 | $sql = 'SELECT push_data, push_token |
169 | FROM ' . $this->notification_webpush_table . ' |
170 | WHERE user_id = ' . (int) $user_id . ' |
171 | AND notification_type_id = ' . (int) $type_id . ' |
172 | AND item_id = ' . (int) $item_id; |
173 | $result = $this->db->sql_query($sql); |
174 | $notification_row = $this->db->sql_fetchrow($result); |
175 | $this->db->sql_freeresult($result); |
176 | |
177 | $notification_data = $notification_row['push_data']; |
178 | $push_token = $notification_row['push_token']; |
179 | |
180 | // Check if passed push token is valid |
181 | $sql = 'SELECT user_form_salt |
182 | FROM ' . USERS_TABLE . ' |
183 | WHERE user_id = ' . (int) $user_id; |
184 | $result = $this->db->sql_query($sql); |
185 | $user_form_token = $this->db->sql_fetchfield('user_form_salt'); |
186 | $this->db->sql_freeresult($result); |
187 | |
188 | $expected_push_token = hash('sha256', $user_form_token . $push_token); |
189 | if ($expected_push_token === $token) |
190 | { |
191 | return $notification_data; |
192 | } |
193 | } |
194 | |
195 | throw new http_exception(Response::HTTP_FORBIDDEN, 'NO_AUTH_OPERATION'); |
196 | } |
197 | |
198 | /** |
199 | * Handle request to push worker javascript |
200 | * |
201 | * @return Response |
202 | * @throws LoaderError |
203 | * @throws RuntimeError |
204 | * @throws SyntaxError |
205 | */ |
206 | public function worker(): Response |
207 | { |
208 | // @todo: only work for logged in users, no anonymous & bot |
209 | $content = $this->template->render('push_worker.js.twig', [ |
210 | 'U_WEBPUSH_GET_NOTIFICATION' => $this->controller_helper->route('phpbb_ucp_push_get_notification_controller'), |
211 | 'ASSETS_VERSION' => $this->config['assets_version'], |
212 | ]); |
213 | |
214 | $response = new Response($content); |
215 | $response->headers->set('Content-Type', 'text/javascript; charset=UTF-8'); |
216 | |
217 | if (!empty($this->user->data['is_bot'])) |
218 | { |
219 | // Let reverse proxies know we detected a bot. |
220 | $response->headers->set('X-PHPBB-IS-BOT', 'yes'); |
221 | } |
222 | |
223 | return $response; |
224 | } |
225 | |
226 | /** |
227 | * Get template variables for subscribe type pages |
228 | * |
229 | * @return array |
230 | */ |
231 | protected function get_subscribe_vars(): array |
232 | { |
233 | return [ |
234 | 'U_WEBPUSH_SUBSCRIBE' => $this->controller_helper->route('phpbb_ucp_push_subscribe_controller'), |
235 | 'U_WEBPUSH_UNSUBSCRIBE' => $this->controller_helper->route('phpbb_ucp_push_unsubscribe_controller'), |
236 | 'FORM_TOKENS' => $this->form_helper->get_form_tokens(self::FORM_TOKEN_UCP), |
237 | ]; |
238 | } |
239 | |
240 | /** |
241 | * Check (un)subscribe form for valid link hash |
242 | * |
243 | * @throws http_exception If form is invalid or user should not request (un)subscription |
244 | * @return void |
245 | */ |
246 | protected function check_subscribe_requests(): void |
247 | { |
248 | if (!$this->form_helper->check_form_tokens(self::FORM_TOKEN_UCP)) |
249 | { |
250 | throw new http_exception(Response::HTTP_BAD_REQUEST, 'FORM_INVALID'); |
251 | } |
252 | |
253 | // Subscribe should only be available for logged-in "normal" users |
254 | if (!$this->request->is_ajax() || $this->user->id() === ANONYMOUS || $this->user->data['is_bot'] |
255 | || $this->user->data['user_type'] == USER_IGNORE || $this->user->data['user_type'] == USER_INACTIVE) |
256 | { |
257 | throw new http_exception(Response::HTTP_FORBIDDEN, 'NO_AUTH_OPERATION'); |
258 | } |
259 | } |
260 | |
261 | /** |
262 | * Handle subscribe requests |
263 | * |
264 | * @param symfony_request $symfony_request |
265 | * @return JsonResponse |
266 | */ |
267 | public function subscribe(symfony_request $symfony_request): JsonResponse |
268 | { |
269 | $this->check_subscribe_requests(); |
270 | |
271 | $data = json_sanitizer::decode($symfony_request->get('data', '')); |
272 | |
273 | $sql = 'INSERT INTO ' . $this->push_subscriptions_table . ' ' . $this->db->sql_build_array('INSERT', [ |
274 | 'user_id' => $this->user->id(), |
275 | 'endpoint' => $data['endpoint'], |
276 | 'expiration_time' => $data['expiration_time'] ?? 0, |
277 | 'p256dh' => $data['keys']['p256dh'], |
278 | 'auth' => $data['keys']['auth'], |
279 | ]); |
280 | $this->db->sql_query($sql); |
281 | |
282 | return new JsonResponse([ |
283 | 'success' => true, |
284 | 'form_tokens' => $this->form_helper->get_form_tokens(self::FORM_TOKEN_UCP), |
285 | ]); |
286 | } |
287 | |
288 | /** |
289 | * Handle unsubscribe requests |
290 | * |
291 | * @param symfony_request $symfony_request |
292 | * @return JsonResponse |
293 | */ |
294 | public function unsubscribe(symfony_request $symfony_request): JsonResponse |
295 | { |
296 | $this->check_subscribe_requests(); |
297 | |
298 | $data = json_sanitizer::decode($symfony_request->get('data', '')); |
299 | |
300 | $endpoint = $data['endpoint']; |
301 | |
302 | $sql = 'DELETE FROM ' . $this->push_subscriptions_table . ' |
303 | WHERE user_id = ' . (int) $this->user->id() . " |
304 | AND endpoint = '" . $this->db->sql_escape($endpoint) . "'"; |
305 | $this->db->sql_query($sql); |
306 | |
307 | return new JsonResponse([ |
308 | 'success' => true, |
309 | 'form_tokens' => $this->form_helper->get_form_tokens(self::FORM_TOKEN_UCP), |
310 | ]); |
311 | } |
312 | } |