make the JS compatible with older IE versions, though this is a hack that hardcodes...

[authserver.git] / authutils.php-class

diff --git a/authutils.php-class b/authutils.php-class
index 4d5680a5264b4402bd80ffce5e9bcd37aa6b352a..9cd000c492d6c1e0ac8872fea75a124e410cb8a3 100755 (executable)
--- a/authutils.php-class
+++ b/authutils.php-class
@@ -18,6 +18,9 @@ class AuthUtils {
   // public $running_on_localhost
   //   A boolean telling if the system is running on localhost (where https is not required).
   //
+  // public $client_reg_email_whitelist
+  //   An array of emails that are whitelisted for registering clients.
+  //
   // private $pwd_cost
   //   The cost parameter for use with PHP password_hash function.
   //
@@ -46,6 +49,9 @@ class AuthUtils {
   // function createVerificationCode()
   //   Return a random acount/email verification code.
   //
+  // function createClientSecret()
+  //   Return a random client secret.
+  //
   // function createTimeCode($session, [$offset], [$validity_minutes])
   //   Return a time-based code based on the key and ID of the given session.
   //     An offset can be given to create a specific code for verification, otherwise and offset will be generated.
@@ -82,6 +88,7 @@ class AuthUtils {
 
   public $db = null;
   public $running_on_localhost = false;
+  public $client_reg_email_whitelist = array('kairo@kairo.at', 'com@kairo.at');
   private $pwd_cost = 10;
   private $pwd_nonces = array();
 
@@ -100,6 +107,26 @@ class AuthUtils {
     return $errors;
   }
 
+  function sendSecurityHeaders() {
+    // Send various headers that we want to have for security resons, mostly as recommended by https://observatory.mozilla.org/
+
+    // CSP - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
+    // Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) from ourselves; also disable framing.
+    header('Content-Security-Policy: default-src \'none\';img-src \'self\'; script-src \'self\'; style-src \'self\'; frame-ancestors \'none\'');
+
+    // X-Content-Type-Options - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Content-Type-Options
+    // Prevent browsers from incorrectly detecting non-scripts as scripts
+    header('X-Content-Type-Options: nosniff');
+
+    // X-Frame-Options (for older browsers) - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Frame-Options
+    // Block site from being framed
+    header('X-Frame-Options: DENY');
+
+    // X-XSS-Protection (for older browsers) - see https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection
+    // Block pages from loading when they detect reflected XSS attacks
+    header('X-XSS-Protection: 1; mode=block');
+  }
+
   function initSession() {
     $session = null;
     if (strlen(@$_COOKIE['sessionkey'])) {
@@ -166,6 +193,10 @@ class AuthUtils {
     return bin2hex(openssl_random_pseudo_bytes(512 / 8)); // Get 512 bits of randomness (128 byte hex string).
   }
 
+  function createClientSecret() {
+    return bin2hex(openssl_random_pseudo_bytes(160 / 8)); // Get 160 bits of randomness (40 byte hex string).
+  }
+
   function createTimeCode($session, $offset = null, $validity_minutes = 10) {
     // Matches TOTP algorithms, see https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
     $valid_seconds = intval($validity_minutes) * 60;