Initial commit

.editorconfig

@@ -0,0 +1,15 @@
+; This file is for unifying the coding style for different editors and IDEs.
+; More information at http://editorconfig.org
+
+root = true
+
+[*]
+charset = utf-8
+indent_size = 4
+indent_style = space
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+trim_trailing_whitespace = false

.gitattributes

@@ -0,0 +1,11 @@
+# Path-based git attributes
+# https://www.kernel.org/pub/software/scm/git/docs/gitattributes.html
+
+# Ignore all test and documentation with "export-ignore".
+/.gitattributes     export-ignore
+/.gitignore         export-ignore
+/.travis.yml        export-ignore
+/phpunit.xml.dist   export-ignore
+/.scrutinizer.yml   export-ignore
+/tests              export-ignore
+/.editorconfig      export-ignore

.gitignore

@@ -0,0 +1,6 @@
+vendor
+tests/temp
+composer.lock
+phpunit.xml
+.env
+.idea

.scrutinizer.yml

@@ -0,0 +1,17 @@
+filter:
+  excluded_paths: [tests/*]
+checks:
+  php:
+    remove_extra_empty_lines: true
+    remove_php_closing_tag: true
+    remove_trailing_whitespace: true
+    fix_use_statements:
+      remove_unused: true
+      preserve_multiple: false
+      preserve_blanklines: true
+      order_alphabetically: true
+    fix_php_opening_tag: true
+    fix_linefeed: true
+    fix_line_ending: true
+    fix_identation_4spaces: true
+    fix_doc_comments: true

.travis.yml

@@ -0,0 +1,25 @@
+sudo: required
+
+language: php
+
+php:
+  - 7.1
+  - 7.2
+
+env:
+  matrix:
+    - COMPOSER_FLAGS="--prefer-lowest"
+
+before_script:
+  - travis_retry composer self-update
+  - travis_retry composer update ${COMPOSER_FLAGS} --no-interaction --prefer-source
+
+script:
+  - vendor/bin/phpunit --coverage-text --coverage-clover=coverage.clover
+
+after_script:
+  - php vendor/bin/ocular code-coverage:upload --format=php-clover coverage.clover
+
+branches:
+  only:
+    - master

CHANGELOG.md

@@ -0,0 +1,6 @@
+# Changelog
+
+All notable changes to `laravel-reporto` will be documented in this file.
+
+## 1.0.0 - 2018-09-08
+- Initial release

LICENSE.md

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) DevDavido <[email protected]>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,108 @@
+# Reporto: Report browser errors to the server
+
+[![Latest Version](https://img.shields.io/github/release/DevDavido/laravel-reporto.svg?style=flat-square)](https://github.com/DevDavido/laravel-reporto/releases)
+[![Build Status](https://img.shields.io/travis/DevDavido/laravel-reporto/master.svg?style=flat-square)](https://travis-ci.org/DevDavido/laravel-reporto)
+[![Quality Score](https://img.shields.io/scrutinizer/g/DevDavido/laravel-reporto.svg?style=flat-square)](https://scrutinizer-ci.com/g/DevDavido/laravel-reporto)
+[![Total Downloads](https://img.shields.io/packagist/dt/DevDavido/laravel-reporto.svg?style=flat-square)](https://packagist.org/packages/DevDavido/laravel-reporto)
+
+This package makes use of the [W3C Reporting API](https://w3c.github.io/reporting/) and provides an easy plug-and-play package for your existing project. It will automatically add the necessary Report HTTP headers and log all configured browser errors to your Laravel backend.
+
+## Documentation
+
+Find yourself stuck using the package? Found a bug? Do you have general questions or suggestions for improving this package? Feel free to [create an issue on GitHub](https://github.com/devdavido/laravel-reporto/issues), we'll try to address it as soon as possible.
+
+If you've found a bug regarding security please mail [[email protected]](mailto:[email protected]) instead of using the issue tracker.
+
+## Requirements
+
+- PHP 7+
+- Laravel 5.5+
+
+## Installation
+
+You can install this package via composer using this command:
+
+```bash
+composer require devdavido/laravel-reporto:^1.0
+```
+
+The package will automatically register itself and add a `Report-To` header to your `web` routes.
+Each error or violation will be logged to the backend.
+
+You can publish the config-file with:
+
+```bash
+php artisan vendor:publish --provider="DevDavido\Reporto\ReportoServiceProvider" --tag="config"
+```
+
+This is the contents of the published config file:
+
+```php
+return [
+    /*
+     * Use this setting to enable the reporting API header
+     */
+    'enabled' => env('REPORTING_API_ENABLED', true),
+
+    /*
+     * Enables the reporting API for all subdomains
+     */
+    'include_subdomains' => env('REPORTING_API_INCLUDE_SUBDOMAINS', false),
+
+    /*
+     * Defines cached lifetime of all endpoint in seconds (86400s = 1 day)
+     */
+    'endpoint_max_age' => env('REPORTING_API_MAX_AGE', 86400),
+
+    /*
+     * Which types of browser errors to report
+     * @see https://w3c.github.io/reporting/
+     */
+    'groups' => [
+        'default',
+        'csp-endpoint',
+        'network-errors'
+    ],
+
+    /*
+     * If you want to set the logging route prefix
+     */
+    'route_prefix' => 'log'
+];
+```
+
+## Support me
+
+If you installed the package and it was useful for you or your business, please don't hesitate to make a donation (as I am a student). Thank you!
+
+<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=77KW4LBEYBD9U" target="_blank"><img src="https://dantheman827.github.io/images/donate-button.svg" width="140" alt="Donate"></a>
+
+## Testing
+
+You can run the tests with:
+
+```bash
+vendor/bin/phpunit
+```
+
+## Ideas / ToDo
+
+- Daily/weekly reports via email
+- Multiple endpoints
+- More unit tests
+
+## Changelog
+
+Please see [CHANGELOG](CHANGELOG.md) for more information what has changed recently.
+
+## Security
+
+If you discover any security related issues, please email [[email protected]](mailto:[email protected]) instead of using the issue tracker.
+
+## Credits
+
+- [Freek Van der Herten](https://github.com/freekmurze) for letting me use his packages as boilerplate.
+
+## License
+
+The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

composer.json

@@ -0,0 +1,58 @@
+{
+    "name": "devdavido/laravel-reporto",
+    "description": "Log browser errors to the server using W3C Reporting API",
+    "keywords": [
+        "laravel-laravel-reporto",
+        "laravel",
+        "report-api",
+        "browser",
+        "frontend",
+        "csp",
+        "deprecations",
+        "browser-interventions",
+        "feature-policy",
+        "network-error",
+        "crash-report"
+    ],
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "DevDavido",
+            "email": "[email protected]"
+        }
+    ],
+    "require": {
+        "php": "^7.0",
+        "ext-json": "*",
+        "laravel/framework": "~5.5.0|~5.6.0|~5.7.0"
+    },
+    "require-dev": {
+        "orchestra/testbench": "~3.5.0|~3.6.0|~3.7.0",
+        "phpunit/phpunit" : "^7.0"
+    },
+    "autoload": {
+        "psr-4": {
+            "DevDavido\\Reporto\\": "src"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "DevDavido\\Reporto\\Test\\": "tests"
+        }
+    },
+    "scripts": {
+        "test": "vendor/bin/phpunit"
+    },
+    "config": {
+        "sort-packages": true
+    },
+    "minimum-stability": "dev",
+    "prefer-stable": true,
+    "extra": {
+        "laravel": {
+            "providers": [
+                "DevDavido\\Reporto\\ReportoServiceProvider"
+            ]
+        }
+    }
+}

config/reporting-api.php

@@ -0,0 +1,33 @@
+<?php
+
+return [
+    /*
+     * Use this setting to enable the reporting API header
+     */
+    'enabled' => env('REPORTING_API_ENABLED', true),
+
+    /*
+     * Enables the reporting API for all subdomains
+     */
+    'include_subdomains' => env('REPORTING_API_INCLUDE_SUBDOMAINS', false),
+
+    /*
+     * Defines cached lifetime of all endpoint in seconds (86400s = 1 day)
+     */
+    'endpoint_max_age' => env('REPORTING_API_MAX_AGE', 86400),
+
+    /*
+     * Which types of browser errors to report
+     * @see https://w3c.github.io/reporting/
+     */
+    'groups' => [
+        'default',
+        'csp-endpoint',
+        'network-errors'
+    ],
+
+    /*
+     * If you want to set the logging route prefix
+     */
+    'route_prefix' => 'log'
+];

phpunit.xml.dist

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit bootstrap="vendor/autoload.php"
+         backupGlobals="false"
+         backupStaticAttributes="false"
+         colors="true"
+         verbose="true"
+         convertErrorsToExceptions="true"
+         convertNoticesToExceptions="true"
+         convertWarningsToExceptions="true"
+         processIsolation="false"
+         stopOnFailure="false">
+    <testsuites>
+        <testsuite name="Test Suite">
+            <directory>tests</directory>
+        </testsuite>
+    </testsuites>
+    <filter>
+        <whitelist>
+            <directory suffix=".php">src/</directory>
+        </whitelist>
+    </filter>
+</phpunit>

src/Controllers/LogReportController.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace DevDavido\Reporto\Controllers;
+
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Routing\Controller;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+use Symfony\Component\HttpKernel\Exception\NotAcceptableHttpException;
+
+class LogReportController extends Controller
+{
+    /**
+     * Only allow certain request content types and log non-empty error reports to error log.
+     *
+     * Example request:
+     * ```bash
+     * curl -d '[{ "type": "csp", "age": 10, "url": "https://example.com/vulnerable-page/", \
+     * "user_agent": "Mozilla/5.0 Firefox/60.0", "body": { "blocked": "https://evil.com/evil.js", \
+     * "directive": "script-src", "status": 200, "referrer": "https://evil.com/" }}]' \
+     * -X POST -H "Content-Type: application/reports+json" https://domain.localhost/log/network-errors/
+     * ```
+     * @throws NotAcceptableHttpException
+     * @throws BadRequestHttpException
+     * @param Request $request
+     * @return void
+     */
+    public function handle(Request $request)
+    {
+        $allowedContentTypes = ['application/json', 'application/csp-report', 'application/reports+json'];
+        abort_unless(in_array(mb_strtolower($request->header('Content-Type')), $allowedContentTypes), 406);
+
+        $payload = $request->json();
+        abort_unless($payload->count(), 400);
+
+        Log::error('Report API report:', $payload->all());
+    }
+}