Add CSRF, CAPTCHA, and input validation improvements
Introduces CSRF protection to all sensitive controller actions, integrates configurable CAPTCHA (reCAPTCHA v2/v3, Turnstile) for authentication and registration flows, and centralizes input validation via a new InputValidator helper. Adds new helpers and services for CSRF and CAPTCHA, updates settings and migration for CAPTCHA configuration, and enhances logging and error handling in TLD registry import processes. Also improves validation for user, domain, group, and profile inputs throughout the application.
This commit is contained in:
Hosteroid
@@ -28,7 +28,7 @@ class UserController extends Controller
|
||||
public function index()
|
||||
{
|
||||
// Get filter parameters
|
||||
$search = trim($_GET['search'] ?? '');
|
||||
$search = \App\Helpers\InputValidator::sanitizeSearch($_GET['search'] ?? '', 100);
|
||||
$roleFilter = $_GET['role'] ?? '';
|
||||
$statusFilter = $_GET['status'] ?? '';
|
||||
$sort = $_GET['sort'] ?? 'username';
|
||||
@@ -97,6 +97,9 @@ class UserController extends Controller
|
||||
return;
|
||||
}
|
||||
|
||||
// CSRF Protection
|
||||
$this->verifyCsrf('/users/create');
|
||||
|
||||
$username = trim($_POST['username'] ?? '');
|
||||
$email = trim($_POST['email'] ?? '');
|
||||
$fullName = trim($_POST['full_name'] ?? '');
|
||||
@@ -111,12 +114,28 @@ class UserController extends Controller
|
||||
return;
|
||||
}
|
||||
|
||||
// Validate username format and length
|
||||
$usernameError = \App\Helpers\InputValidator::validateUsername($username, 3, 50);
|
||||
if ($usernameError) {
|
||||
$_SESSION['error'] = $usernameError;
|
||||
$this->redirect('/users/create');
|
||||
return;
|
||||
}
|
||||
|
||||
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
|
||||
$_SESSION['error'] = 'Invalid email address';
|
||||
$this->redirect('/users/create');
|
||||
return;
|
||||
}
|
||||
|
||||
// Validate full name length
|
||||
$nameError = \App\Helpers\InputValidator::validateLength($fullName, 255, 'Full name');
|
||||
if ($nameError) {
|
||||
$_SESSION['error'] = $nameError;
|
||||
$this->redirect('/users/create');
|
||||
return;
|
||||
}
|
||||
|
||||
if (!preg_match('/^[a-zA-Z0-9_]+$/', $username)) {
|
||||
$_SESSION['error'] = 'Username can only contain letters, numbers, and underscores';
|
||||
$this->redirect('/users/create');
|
||||
@@ -208,6 +227,9 @@ class UserController extends Controller
|
||||
return;
|
||||
}
|
||||
|
||||
// CSRF Protection
|
||||
$this->verifyCsrf('/users');
|
||||
|
||||
$userId = (int)($_POST['id'] ?? 0);
|
||||
$user = $this->userModel->find($userId);
|
||||
|
||||
@@ -236,6 +258,14 @@ class UserController extends Controller
|
||||
return;
|
||||
}
|
||||
|
||||
// Validate full name length
|
||||
$nameError = \App\Helpers\InputValidator::validateLength($fullName, 255, 'Full name');
|
||||
if ($nameError) {
|
||||
$_SESSION['error'] = $nameError;
|
||||
$this->redirect('/users/edit?id=' . $userId);
|
||||
return;
|
||||
}
|
||||
|
||||
// Check if email is taken by another user
|
||||
$existingUsers = $this->userModel->where('email', $email);
|
||||
if (!empty($existingUsers) && $existingUsers[0]['id'] != $userId) {
|
||||
|
||||
Reference in New Issue
Block a user