improved security
Some checks failed
PHPUnit / test (push) Has been cancelled

This commit is contained in:
2026-06-24 09:37:08 +02:00
parent 623fe0f464
commit b02f264b23
5 changed files with 65 additions and 7 deletions

View File

@ -153,6 +153,10 @@ function hkdf_session_key_from_token(string $tokenHex, string $info = 'qdb-aes',
// --- Token-Storage (DB-backed via session table) ---
function token_storage_key(string $token): string {
return hash('sha256', $token);
}
function token_add(string $token, int $ttlSeconds = 86400, array $extra = []): void {
require_once __DIR__ . '/db_init.php';
[$pdo, $tmpDb, $lockFp] = qdb_open(true);
@ -161,7 +165,7 @@ function token_add(string $token, int $ttlSeconds = 86400, array $extra = []): v
"INSERT INTO session (token, userID, role, entityID, createdAt, expiresAt, temp)
VALUES (:t, :uid, :role, :eid, :ca, :ea, :tmp)"
)->execute([
':t' => $token,
':t' => token_storage_key($token),
':uid' => $extra['userID'] ?? '',
':role' => $extra['role'] ?? '',
':eid' => $extra['entityID'] ?? '',
@ -178,7 +182,7 @@ function token_get_record(string $token): ?array {
require_once __DIR__ . '/db_init.php';
[$pdo, $tmpDb, $lockFp] = qdb_open(false);
$stmt = $pdo->prepare("SELECT * FROM session WHERE token = :t AND expiresAt >= :now");
$stmt->execute([':t' => $token, ':now' => time()]);
$stmt->execute([':t' => token_storage_key($token), ':now' => time()]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
qdb_discard($tmpDb, $lockFp);
if (!$row) return null;
@ -197,7 +201,7 @@ function token_get_record(string $token): ?array {
function token_revoke(string $token): void {
require_once __DIR__ . '/db_init.php';
[$pdo, $tmpDb, $lockFp] = qdb_open(true);
$pdo->prepare("DELETE FROM session WHERE token = :t")->execute([':t' => $token]);
$pdo->prepare("DELETE FROM session WHERE token = :t")->execute([':t' => token_storage_key($token)]);
qdb_save($tmpDb, $lockFp);
}