About me

Web developer since 1996 Senior Software Engineer at Rogue Wave Software Inc. Core team of Apigility, Expressive and Zend Framework TEDx and international speaker Research Programmer at Amsterdam University Co-founder of PUG Torino (Italy)

Securing a web application

• Filter Input, Escape Output
• Do not use component with known vulnerabilities
• Harden your production setup (e.g. use HTTPS)
• Minimize the usage of critical data and use strong encryption for storing
• Backup, log and monitor all the things!

Middleware in PHP

• PSR-7: HTTP request and response messages
• Delegate: turn a request into a response (PSR-15)
• Middleware: intercepts a request and optionally delegates creation of a response

Delegate Interface

interface DelegateInterface
{
    public function process(
        ServerRequestInterface $request
    ) : ResponseInterface;
}

PSR-15 ^0.4.1

Middleware Interface

interface MiddlewareInterface
{
    public function process(
        ServerRequestInterface $request,
        DelegateInterface $delegate
    ) : ResponseInterface;
}

PSR-15 ^0.4.1

Example

class FooMiddleware implements MiddlewareInterface
{
    public function process(
        ServerRequestInterface $request,
        DelegateInterface $delegate
    ) {
        $item = $this->repository->fetchById(
            $request->getAttribute('id')
        );
        return new JsonResponse($item);
    }
}

Security bonus

• Only 1 entry point: PSR-7 request
• Simple linear workflow, easy to manage
• Avoid usage of GLOBALS (e.g. $_POST)
• Usage of immutable HTTP requests
• Delegating middleware improves the security chain

Expressive 2

• Build PSR-7 Middleware in Minutes!
• Features: routing, dependency injection, templating, error handling
• Use zend-diactoros for PSR-7 message
• Use zend-stratigility for the middleware pipeline
• docs.zendframework.com/zend-expressive

Getting Started

Install:
composer create-project zendframework/zend-expressive-skeleton <path-to-install>

Run (localhost:8008):
composer run --timeout=0 serve

Zend-log

• Component: zendframework/zend-log
• Just add Zend\Log\ConfigProvider::class in your config/config.php
• A Zend\Log\Logger::class is provided in the service container

Example

use Zend\Log\Logger;

class LoginAction implements ServerMiddlewareInterface
{
    public function __construct(Logger $logger, ...) {
        $this->logger = $logger;
    }

    public function process(
        ServerRequestInterface $request,
        DelegateInterface $delegate
    ) {
        // ...
        $this->logger->log(Logger::INFO, "User $user logged in");
    }
}

Authentication

• zend-expressive-authentication (still in dev)
• Support of Basic Access Authentication (only bcrypt) and OAuth2
• User Repositories: htpasswd, PDO databases, etc
• Easy to customize using 'authentication' config

Basic + PDO config

return [
    'authentication' => [
        'realm' => 'ZendCon2017',
        'pdo' => [
            'dsn' => 'sqlite:database.sq3',
            'table' => 'user',
            'field' => [
                'username' => 'email',
                'password' => 'pwd'
            ]
        ]
    ]
];

Usage

// config/routes.php
use Zend\Expressive\Authentication;
use Zend\Expressive\Helper;

$app->post('/api/admin/posts', [
    Authentication\AuthenticationMiddleware::class,
    Helper\BodyParams\BodyParamsMiddleware::class,
    Book\Action\AddReviewAction::class
], 'admin.posts');

Authorization

• zend-expressive-authorization
• Authorization based on route names
• Support of ACL and RBAC
• Easy to customize using 'authorization' config

RBAC adapter

use Zend\Expressive\Authorization\AuthorizationInterface;
use Zend\Expressive\Authorization\Rbac\ZendRbac;

return [
    'dependencies' => [
        'aliases' => [
            AuthorizationInterface::class => ZendRbac::class
        ]
    ]
];

RBAC config

return [
    'authorization' => [
        'roles' => [
            'administrator' => [],
            'user'          => ['administrator']
        ],
        'permissions' => [
            'user' => [
                'admin.dashboard',
                'admin.posts'
            ],
            'administrator' => [
               'admin.settings',
            ],
        ]
    ]
];

Usage

// config/routes.php
use Zend\Expressive\Authentication;
use Zend\Expressive\Authorization;
use Zend\Expressive\Helper;

$app->post('/api/admin/posts', [
    Authentication\AuthenticationMiddleware::class,
    Authorization\AuthorizationMiddleware::class,
    Helper\BodyParams\BodyParamsMiddleware::class,
    Book\Action\AddReviewAction::class
], 'admin.posts');

Filter & Validation

• zend-inputfilter
• Filter & validate input data

Example

use Zend\InputFilter\InputFilter;
class Posts extends InputFilter
{
    public function init()
    {
        $this->add([
            'name' => 'title',
            'required' => true,
            'filters' => [
                ['name' => StringTrim::class],
            ],
            'validators' => [
                [
                    'name' => StringLength::class,
                    'options' => ['min' => 1],
                ],
            ],
        ]);
    }
}

Middleware

class ContentValidationMiddleware implements MiddlewareInterface
{
    public function __construct(InputFilter $filter)
    {
        $this->filter = $filter;
    }

    public function process(
        ServerRequestInterface $request,
        DelegateInterface $delegate
    ) {
        $this->filter->setData($request->getParsedBody());
        if (! $this->filter->isValid()) {
            throw Exception\UnValidationException(
                $this->filter->getMessages()
            );
        }
        return $delegate->process(
            $request->withParsedBody($this->filter->getValues())
        );
    }
}

Other PSR-7 tools

• Forcing HTTPS usage: middlewares/https
• Content-Security-Policy: middlewares/csp
• Cross-Origin Resource Sharing: bairwell/middleware-cors
• Rate limit: prezto/ratelimit

Questions?