Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f3f5c7801fb188b87745e50b90d8d3769a313752
unsupervised-scheduler/src/Auth/Invite.php
T
thatguygriff f3f5c7801f
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
Details
CI / Coding Standards (pull_request) Successful in 1m11s
Details
CI / PHPStan (pull_request) Successful in 1m20s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details
Security fixes: CSV injection, policy body output, invite hashing, slot datetimes 
Four fixes from a security review pass:

- Neutralise CSV formula injection in the payments export: fields with a
  leading =, +, -, @, tab, or CR (e.g. a hostile student display name) are
  apostrophe-prefixed in PaymentReport::csvLine() so they open as text in
  Excel/Google Sheets. Fixes #39.
- Sanitise policy bodies with wp_kses_post at output in
  PolicyEndpoint::index() (the booking JS renders that HTML raw), so a
  future write path that forgets kses can never become stored XSS.
  Fixes #40.
- Store invite tokens hashed (SHA-256) at rest: a database leak can no
  longer redeem pending invites. The registration link is shown once, at
  creation; the pending list shows email/invited date; lookups hash the
  submitted token. Existing plaintext pending invites must be re-issued.
  Fixes #41.
- Validate availability slot datetimes on both creation paths (REST and
  admin form) via AvailabilitySlot::normalizeDateTime(): canonical and
  datetime-local forms normalise to Y-m-d H:i:s, garbage and end <= start
  are rejected (REST 400) instead of reaching the DATETIME column or
  throwing inside the weekly-series date arithmetic. Fixes #42.

composer test (204 tests, 594 assertions), PHPStan L6, and PHPCS all green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 16:36:26 -03:00

109 lines
3.1 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Auth;
class Invite {
public const STATUS_PENDING = 'pending';
public const STATUS_ACCEPTED = 'accepted';
public const STATUS_REVOKED = 'revoked';
/**
* All valid invite statuses.
*
* @var list<string>
*/
public const VALID_STATUSES = [ self::STATUS_PENDING, self::STATUS_ACCEPTED, self::STATUS_REVOKED ];
/**
* Days a pending invite remains usable after it is created. Limits the window
* in which a leaked or forwarded invitation link can be redeemed.
*/
public const EXPIRY_DAYS = 14;
/**
* Hash a raw invitation token for storage and lookup. Only the hash is
* persisted, so a database leak (backup, SQL injection elsewhere) cannot be
* used to redeem pending invites; the raw token exists only in the emailed
* link and is shown to the admin once, at creation.
*/
public static function hashToken( string $rawToken ): string {
return hash( 'sha256', $rawToken );
}
public function __construct(
public readonly string $email,
public readonly string $token,
public readonly string $role = RoleManager::STUDENT,
public readonly string $status = self::STATUS_PENDING,
public readonly ?int $invitedBy = null,
public readonly ?int $acceptedUserId = null,
public readonly ?string $acceptedAt = null,
public readonly ?string $createdAt = null,
public readonly ?int $id = null,
) {}
public static function fromRow( object $row ): self {
return new self(
email: $row->email,
token: $row->token,
role: $row->role,
status: $row->status,
invitedBy: null !== $row->invited_by ? (int) $row->invited_by : null,
acceptedUserId: null !== $row->accepted_user_id ? (int) $row->accepted_user_id : null,
acceptedAt: $row->accepted_at,
createdAt: $row->created_at ?? null,
id: (int) $row->id,
);
}
public function isPending(): bool {
return self::STATUS_PENDING === $this->status;
}
/**
* Whether the invite was created more than {@see EXPIRY_DAYS} ago, measured
* against the supplied current `Y-m-d H:i:s` timestamp. An invite with no
* known creation time is treated as not expired.
*/
public function isExpired( string $now ): bool {
if ( null === $this->createdAt ) {
return false;
}
$created = strtotime( $this->createdAt );
$current = strtotime( $now );
if ( false === $created || false === $current ) {
return false;
}
return ( $current - $created ) > self::EXPIRY_DAYS * 86400;
}
/**
* Whether this invite can still be redeemed: pending and not expired.
*/
public function isAcceptable( string $now ): bool {
return $this->isPending() && ! $this->isExpired( $now );
}
/**
* Returns a plain array representation of the invite.
*
* @return array<string, mixed>
*/
public function toArray(): array {
return [
'id' => $this->id,
'email' => $this->email,
'token' => $this->token,
'role' => $this->role,
'status' => $this->status,
'invited_by' => $this->invitedBy,
'accepted_user_id' => $this->acceptedUserId,
'accepted_at' => $this->acceptedAt,
];
}
}
Reference in New Issue View Git Blame Copy Permalink