first commit

Author: thephibonacci

.gitignore

@@ -0,0 +1 @@
+/vendor

.htaccess

@@ -0,0 +1,125 @@
+RewriteEngine On
+ServerSignature Off
+RewriteBase /
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule ^(.+)$ ./index.php [QSA,L]
+Options All -Indexes
+ErrorDocument 400 /view/err/400.php
+ErrorDocument 401 /view/err/401.php
+ErrorDocument 403 /view/err/403.php
+ErrorDocument 404 /view/err/404.php
+ErrorDocument 408 /view/err/408.php
+ErrorDocument 414 /view/err/414.php
+ErrorDocument 429 /view/err/429.php
+ErrorDocument 500 /view/err/500.php
+ErrorDocument 502 /view/err/502.php
+ErrorDocument 503 /view/err/503.php
+ErrorDocument 504 /view/err/504.php
+#RewriteCond %{HTTPS} off
+#RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
+php_value memory_limit 256M
+php_value post_max_size 256M
+php_value upload_max_filesize 64M
+php_value max_input_vars 1800
+php_value max_execution_time 300
+php_value max_input_time 300
+
+<FilesMatch \.(phps|php2|php3|php4|php5|phtml|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$>
+    Order Deny,Allow
+    Deny from all
+</FilesMatch>
+
+<Files *.php>
+    Order Deny,Allow
+    Deny from all
+    Allow from 127.0.0.1
+    Allow from localhost
+</Files>
+
+<Files *.log>
+    Order Deny,Allow
+    Deny from all
+</Files>
+
+<Files index.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files dl.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files 400.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files 401.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files 403.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files 404.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files 408.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files 500.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files 502.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files 503.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files 504.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<IfModule mod_setenvif.c>
+    <IfModule mod_headers.c>
+        Header always set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+        Header always set X-Content-Type-Options "nosniff"
+        Header unset X-Powered-By
+        Header always unset X-Powered-By
+        <FilesMatch "\.(jpe?g|png|webp|bmp|gif|ico)$">
+            SetEnvIf Origin ":" IS_CORS
+            Header set Access-Control-Allow-Origin "*" env=*IS_CORS*
+        </FilesMatch>
+    </IfModule>
+</IfModule>
+
+<IfModule mod_expires.c>
+    ExpiresActive on
+    ExpiresDefault "access plus 1 day"
+    ExpiresByType text/html "access plus 1 day"
+    ExpiresByType text/javascript "access plus 1 day"
+    ExpiresByType text/css "access plus 1 day"
+</IfModule>
+
+<IfModule mod_autoindex.c>
+    Options -Indexes
+</IfModule>
+
+

app/controllers/Controller.php

@@ -0,0 +1,6 @@
+<?php
+
+namespace App\controllers;
+class Controller{
+
+}

app/db/.gitkeep

@@ -0,0 +1,43 @@
+<?php
+
+namespace App\middlewares;
+
+
+class CorsMiddleware extends Middleware
+{
+    private array $allowedOrigins;
+    private array $allowedMethods;
+    private array $allowedHeaders;
+    private int $maxAge;
+
+    public function __construct(array $allowedOrigins = ['*'], array $allowedMethods = ['GET', 'POST', 'PUT', 'DELETE'], array $allowedHeaders = ['Content-Type'], int $maxAge = 86400)
+    {
+        $this->allowedOrigins = $allowedOrigins;
+        $this->allowedMethods = $allowedMethods;
+        $this->allowedHeaders = $allowedHeaders;
+        $this->maxAge = $maxAge;
+    }
+
+    public function handle(string $request): ?string
+    {
+        $this->setCorsHeaders();
+        if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+            header('Access-Control-Max-Age: ' . $this->maxAge);
+            header('Content-Length: 0');
+            exit;
+        } else {
+            return parent::handle($request);
+        }
+    }
+
+    private function setCorsHeaders(): void
+    {
+        $requestOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
+        if (in_array('*', $this->allowedOrigins) || in_array($requestOrigin, $this->allowedOrigins)) {
+            header('Access-Control-Allow-Origin: ' . $requestOrigin);
+        }
+        header('Access-Control-Allow-Methods: ' . implode(', ', $this->allowedMethods));
+        header('Access-Control-Allow-Headers: ' . implode(', ', $this->allowedHeaders));
+        header('Access-Control-Allow-Credentials: true');
+    }
+}

app/helpers/.gitkeep

@@ -0,0 +1,37 @@
+<?php
+
+namespace App\middlewares;
+
+use System\request\Request;
+use System\session\Session;
+
+class CsrfMiddleware extends Middleware
+{
+    protected array $excludedUrls = [];
+
+    public function __construct(array $excludedUrls = [])
+    {
+        $this->excludedUrls = $excludedUrls;
+    }
+
+    public function handle(string $request): ?string
+    {
+        if (methodField() !== 'get') {
+            $req = new Request();
+            $currentUrl = $req->getUri();
+            foreach ($this->excludedUrls as $excludedUrl) {
+                if (str_starts_with($currentUrl, $excludedUrl)) {
+                    return parent::handle($request);
+                }
+            }
+            $token = $req->input("CSRF_TOKEN") ?? '';
+            if (!hash_equals(Session::get('CSRF_TOKEN'), $token)) {
+                return 'Invalid CSRF token';
+            } else {
+                $newToken = randomToken();
+                Session::set('CSRF_TOKEN', $newToken);
+            }
+        }
+        return parent::handle($request);
+    }
+}

app/middlewares/CorsMiddleware.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace App\middlewares;
+
+use System\middlewares\MiddlewareInterface;
+
+abstract class Middleware implements MiddlewareInterface
+{
+    private $nextMiddleware;
+
+    public function setNext(MiddlewareInterface $middleware): MiddlewareInterface
+    {
+        $this->nextMiddleware = $middleware;
+        return $middleware;
+    }
+
+    public function handle(string $request): ?string
+    {
+        if ($this->nextMiddleware) {
+            return $this->nextMiddleware->handle($request);
+        }
+        return null;
+    }
+}

app/middlewares/CsrfMiddleware.php

@@ -0,0 +1,32 @@
+<?php
+
+namespace App\middlewares;
+
+class RateLimitMiddleware extends Middleware
+{
+    private int $maxRequestsPerSecond;
+    private int $second;
+
+
+    public function __construct(int $maxRequestsPerSecond = 80, int $second = 60)
+    {
+        $this->maxRequestsPerSecond = $maxRequestsPerSecond;
+        $this->second = $second;
+    }
+
+    public function handle(string $request): ?string
+    {
+        $time = time();
+        $count = $_SESSION['rateLimitCount'] ?? 0;
+        if (isset($_SESSION['rateLimitTime']) && ($time - $this->second) > $_SESSION['rateLimitTime']) {
+            unset($_SESSION['rateLimitTime']);
+            unset($_SESSION['rateLimitCount']);
+        }
+        if ($count >= $this->maxRequestsPerSecond) {
+            return 'Too many requests';
+        }
+        !isset($_SESSION['rateLimitCount']) ? $_SESSION['rateLimitCount'] = 1 : $_SESSION['rateLimitCount']++;
+        isset($_SESSION['rateLimitTime']) ?: $_SESSION['rateLimitTime'] = $time;
+        return parent::handle($request);
+    }
+}

app/middlewares/Middleware.php

@@ -0,0 +1,11 @@
+<?php
+
+namespace App\models;
+
+use System\database\orm\Model;
+
+class User extends Model
+{
+    protected $table = 'users';
+    protected array $fillable = ['username'];
+}