Diffstat (limited to 'middlewares')
-rw-r--r--middlewares/BasicAuthMiddleware.php38
-rw-r--r--middlewares/MaintenanceMiddleware.php17
-rw-r--r--middlewares/Middleware.php8
-rw-r--r--middlewares/SecurityMiddleware.php21
-rw-r--r--middlewares/TokenAuthenticationMiddleware.php29
5 files changed, 113 insertions, 0 deletions
diff --git a/middlewares/BasicAuthMiddleware.php b/middlewares/BasicAuthMiddleware.php
new file mode 100644
index 00000000..6b0803e2
--- /dev/null
+++ b/middlewares/BasicAuthMiddleware.php
@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * HTTP Basic auth check
+ */
+class BasicAuthMiddleware implements Middleware
+{
+ public function __invoke(Request $request, $next): Response
+ {
+ if (!Configuration::getConfig('authentication', 'enable')) {
+ return $next($request);
+ }
+
+ if (Configuration::getConfig('authentication', 'password') === '') {
+ return new Response('The authentication password cannot be the empty string', 500);
+ }
+ $user = $request->server('PHP_AUTH_USER');
+ $password = $request->server('PHP_AUTH_PW');
+ if ($user === null || $password === null) {
+ $html = render(__DIR__ . '/../templates/error.html.php', [
+ 'message' => 'Please authenticate in order to access this instance!',
+ ]);
+ return new Response($html, 401, ['WWW-Authenticate' => 'Basic realm="RSS-Bridge"']);
+ }
+ if (
+ (Configuration::getConfig('authentication', 'username') !== $user)
+ || (!hash_equals(Configuration::getConfig('authentication', 'password'), $password))
+ ) {
+ $html = render(__DIR__ . '/../templates/error.html.php', [
+ 'message' => 'Please authenticate in order to access this instance!',
+ ]);
+ return new Response($html, 401, ['WWW-Authenticate' => 'Basic realm="RSS-Bridge"']);
+ }
+ return $next($request);
+ }
+}
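Review bot: The credential check at `(Configuration::getConfig('authentication', 'username') !== $user) || (!hash_equals(...))` compares the username with `!==` and short-circuits, so a wrong username returns before the password is ever compared; the response timing therefore distinguishes "wrong username" from "wrong password" and lets an attacker confirm the configured username, which undercuts the reason `hash_equals` is used on the password one line later. Evaluate both comparisons unconditionally and in constant time: `$userOk = hash_equals(Configuration::getConfig('authentication', 'username'), $user);`, `$passOk = hash_equals(Configuration::getConfig('authentication', 'password'), $password);`, then `if (!$userOk || !$passOk) {`. Note also that the emptiness guard at `=== ''` only catches the empty string; if `getConfig` can return `null` for an unset password, `hash_equals` would throw a `TypeError` under `strict_types` — worth confirming what the accessor returns for a missing key.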
diff --git a/middlewares/MaintenanceMiddleware.php b/middlewares/MaintenanceMiddleware.php
new file mode 100644
index 00000000..de8a1baf
--- /dev/null
+++ b/middlewares/MaintenanceMiddleware.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+class MaintenanceMiddleware implements Middleware
+{
+ public function __invoke(Request $request, $next): Response
+ {
+ if (!Configuration::getConfig('system', 'enable_maintenance_mode')) {
+ return $next($request);
+ }
+ return new Response(render(__DIR__ . '/../templates/error.html.php', [
+ 'title' => '503 Service Unavailable',
+ 'message' => 'RSS-Bridge is down for maintenance.',
+ ]), 503);
+ }
+}
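Review bot: The 503 response built at `new Response(render(...), 503)` carries no `Retry-After` header, and for a feed endpoint that is what polling clients use to back off instead of hammering an instance that is deliberately down. Pass one alongside the status, e.g. `], 503, ['Retry-After' => '3600']);`, with whatever interval suits a maintenance window; the value is advisory, so a rough number is fine.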
diff --git a/middlewares/Middleware.php b/middlewares/Middleware.php
new file mode 100644
index 00000000..83d93a3b
--- /dev/null
+++ b/middlewares/Middleware.php
@@ -0,0 +1,8 @@
+<?php
+
+declare(strict_types=1);
+
+interface Middleware
+{
+ public function __invoke(Request $request, $next): Response;
+}
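Review bot: `$next` in `public function __invoke(Request $request, $next): Response;` is the only untyped parameter in the interface, even though every implementation in this change invokes it as `$next($request)`; declaring it `callable $next` documents the contract and lets the engine reject a non-callable at the boundary instead of failing with an obscure error inside a middleware. The implementing signatures would need the same change, since PHP requires parameter types to match the interface.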
diff --git a/middlewares/SecurityMiddleware.php b/middlewares/SecurityMiddleware.php
new file mode 100644
index 00000000..b07a8144
--- /dev/null
+++ b/middlewares/SecurityMiddleware.php
@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Make sure that only strings are allowed in GET parameters
+ */
+class SecurityMiddleware implements Middleware
+{
+ public function __invoke(Request $request, $next): Response
+ {
+ foreach ($request->toArray() as $key => $value) {
+ if (!is_string($value)) {
+ return new Response(render(__DIR__ . '/../templates/error.html.php', [
+ 'message' => "Query parameter \"$key\" is not a string.",
+ ]), 400);
+ }
+ }
+ return $next($request);
+ }
+}
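Review bot: The rejected parameter name is interpolated straight into the user-facing message at `"Query parameter \"$key\" is not a string."`, and `$key` is attacker-controlled (it comes from the request's own query string). Whether this is a reflected-XSS sink depends on `templates/error.html.php` HTML-escaping `message`, which this diff does not show; if it does not, escape here with `htmlspecialchars((string) $key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and either way a one-line comment stating which layer owns the escaping would stop the next maintainer from assuming the wrong one. The docblock says "GET parameters" but the loop reads `$request->toArray()`; if that array also covers POST or other sources, the comment should say so.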
diff --git a/middlewares/TokenAuthenticationMiddleware.php b/middlewares/TokenAuthenticationMiddleware.php
new file mode 100644
index 00000000..f8234629
--- /dev/null
+++ b/middlewares/TokenAuthenticationMiddleware.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+class TokenAuthenticationMiddleware implements Middleware
+{
+ public function __invoke(Request $request, $next): Response
+ {
+ if (! Configuration::getConfig('authentication', 'token')) {
+ return $next($request);
+ }
+
+ // Always add token to request attribute
+ $request = $request->withAttribute('token', $request->get('token'));
+
+ if (! $request->attribute('token')) {
+ return new Response(render(__DIR__ . '/../templates/token.html.php', [
+ 'message' => 'Missing token',
+ ]), 401);
+ }
+ if (! hash_equals(Configuration::getConfig('authentication', 'token'), $request->attribute('token'))) {
+ return new Response(render(__DIR__ . '/../templates/token.html.php', [
+ 'message' => 'Invalid token',
+ ]), 401);
+ }
+
+ return $next($request);
+ }
+}
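Review bot: `hash_equals(Configuration::getConfig('authentication', 'token'), $request->attribute('token'))` receives the raw query value, and a request like `?token[]=x` yields an array, which passes the truthiness check above it and then makes `hash_equals` throw a `TypeError` under `strict_types` — a 500 instead of a 401. Whether that path is reachable depends on `SecurityMiddleware` being ordered before this one, which this diff does not establish, so the middleware should not rely on it: replace the `! $request->attribute('token')` guard with `$token = $request->attribute('token'); if (!is_string($token) || $token === '') {`, which also stops a token of `"0"` from being reported as "Missing token". Separately, accepting the secret as a query parameter means it will appear in access logs, browser history and any `Referer` header a feed reader sends; a short comment acknowledging that trade-off next to the `withAttribute` line would be worthwhile.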