Security

Hash

To create an encrypted key, use the Hash class together with the static encrypt function as shown below:

use Solital\Core\Security\Hash;

$res = Hash::encrypt('word_to_encrypt');

pre($res);

You can define how long this key will be valid. It can be 1 second, 1 hour or 1 year. by default the value is +1 hour.

use Solital\Core\Security\Hash;

$res = Hash::encrypt('word_to_encrypt', '+1 month');

pre($res);

If you want to decrypt, use the decrypt function chained with the value method.

use Solital\Core\Security\Hash;

$res = Hash::decrypt('word_to_decrypt')::value();

pre($res);

If you want to check if the encrypted key is still valid, use isValid. If you want to verify that the encrypted key is still valid, use isValid. the isValid method will returntrue if it is still valid, and false if it is already expired

use Solital\Core\Security\Hash;

$res = Hash::decrypt('word_to_decrypt')::isValid();

pre($res);

Forgot password

Solital has a standard method for password recovery. For that, it is necessary to configure only the constant EMAIL in the file config.php, inserting the sender and recipient.

The Reset class uses php's native mail method for sending e-mail.

use Solital\Core\Security\Reset;

public function forgot()
{    
    $email = input()->post('email')->getValue();

    (new Reset())->table('your_database_table', 'your_column_table')
                 ->forgotPass($email, "/your_redirect_url", "+20 minute");

    response()->redirect('/home');
}

Instantiate the Reset class. In the table function, the first parameter should be the name of your table where users’ emails are stored, and in the second parameter the column name where emails are stored, and then chain with the forgotPass method.

In the forgotPass method, pass as first parameter the email you want to retrieve, and in the second the url in which the user will be redirected when clicking on the email link. The third parameter is optional, the time that the key will be valid will be defined. The default is +1 hour

To validate the information by clicking on the email link, you can use the structure below:

public function change($hash)
{
    $res = Hash::decrypt($hash)::isValid();

    if ($res == true) {
        $email = Hash::decrypt($hash)::value();

        Wolf::loadView('auth.change', [
            'email' => $email,
            'hash' => $hash
        ]);
    } else {
        response()->redirect('/home');
    }
}

CSRF Protection

Any forms posting to POST, PUT or DELETE routes should include the CSRF-token. We strongly recommend that you enable CSRF-verification on your site to maximize security.

You can use the BaseCsrfVerifier to enable CSRF-validation on all request. If you need to disable verification for specific urls, please refer to the "Custom CSRF-verifier" section below.

By default Solital will use the CookieTokenProvider class. This provider will store the security-token in a cookie on the clients machine. If you want to store the token elsewhere, please refer to the "Creating custom Token Provider" section below.

Adding CSRF-verifier

When you've created your CSRF-verifier you need to tell Solital that it should use it. You can do this by adding the following line in your routes.php file:

Course::csrfVerifier(new \Solital\Core\Http\Middleware\BaseCsrfVerifier());

Getting CSRF-token

When posting to any of the urls that has CSRF-verification enabled, you need post your CSRF-token or else the request will get rejected.

You can get the CSRF-token by calling the helper method:

csrf_token();

You can also get the token directly:

return Course::router()->getCsrfVerifier()->getTokenProvider()->setToken();

The default name/key for the input-field is csrf_token and is defined in the POST_KEY constant in the BaseCsrfVerifier class. You can change the key by overwriting the constant in your own CSRF-verifier class.

Example:

The example below will post to the current url with a hidden field "csrf_token".

<form method="post" action="<?= url(); ?>">
    <?= csrf_token(); ?>
    <!-- other input elements here -->
</form>