Merge pull request #13 from sitegeist/task/requireSigningOfAdditional…

…Instructions

TASK: Require an Hmac for additional instructions

Classes/Controller/ChatController.php

@@ -6,6 +6,7 @@
 
 use Neos\Cache\Frontend\VariableFrontend;
 use Neos\Flow\Mvc\Controller\ActionController;
+use Neos\Flow\Security\Cryptography\HashService;
 use Sitegeist\Chatterbox\Domain\MessageRecord;
 use Sitegeist\Chatterbox\Domain\OrganizationRepository;
 
@@ -25,6 +26,7 @@ class ChatController extends ActionController
 
     public function __construct(
         private readonly OrganizationRepository $organizationRepository,
+        private readonly HashService $hashService,
     ) {
     }
 
@@ -35,6 +37,10 @@ public function injectMetaDataCache(VariableFrontend $metaDataCache): void
 
     public function startAction(string $organizationId, string $assistantId, string $message, ?string $additionalInstructions = null): string
     {
+        if ($additionalInstructions) {
+            $additionalInstructions = $this->hashService->validateAndStripHmac($additionalInstructions);
+        }
+
         $organization = $this->organizationRepository->findById($organizationId);
         $assistant = $organization->assistantDepartment->findAssistantById($assistantId);
         $threadId = $assistant->startThread();
@@ -90,6 +96,10 @@ function (MessageRecord $message) use ($cachedMetadata, $assistantId, $threadId)
 
     public function postAction(string $organizationId, string $assistantId, string $threadId, string $message, ?string $additionalInstructions = null): string
     {
+        if ($additionalInstructions) {
+            $additionalInstructions = $this->hashService->validateAndStripHmac($additionalInstructions);
+        }
+
         $organization = $this->organizationRepository->findById($organizationId);
         $assistant = $organization->assistantDepartment->findAssistantById($assistantId);
         $assistant->continueThread($threadId, $message, $additionalInstructions);

Classes/Helper/InstructionHelper.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Sitegeist\Chatterbox\Helper;
+
+use Neos\Eel\ProtectedContextAwareInterface;
+use Neos\Flow\Security\Cryptography\HashService;
+
+class InstructionHelper implements ProtectedContextAwareInterface
+{
+    public function __construct(
+        private readonly HashService $hashService
+    ) {
+    }
+
+    public function signInstructionsWithHmac(string $instructions): string
+    {
+        return $this->hashService->appendHmac($instructions);
+    }
+
+    public function allowsCallOfMethod($methodName)
+    {
+        return true;
+    }
+}

Configuration/Settings.yaml

@@ -28,3 +28,6 @@ Neos:
             icon: 'icon-robot'
             controller: 'Sitegeist\Chatterbox\Controller\AssistantModuleController'
             privilegeTarget: 'Sitegeist.Chatterbox:ManageAssistants'
+  Fusion:
+    defaultContext:
+      Chatterbox.Instruction: Sitegeist\Chatterbox\Helper\InstructionHelper

composer.json

@@ -26,6 +26,7 @@
         }
     },
     "scripts": {
+        "fix": ["phpcbf --standard=PSR12 Classes"],
         "test:style-fix": ["phpcbf --standard=PSR12 Classes"],
         "test:style": ["phpcs --standard=PSR12 -n Classes"],
         "test:stan": ["phpstan analyse --level 8 Classes"],