diff --git a/app/Http/Middleware/PasswordProtection.php b/app/Http/Middleware/PasswordProtection.php index 20535de73d7b..7b889a4cedfa 100644 --- a/app/Http/Middleware/PasswordProtection.php +++ b/app/Http/Middleware/PasswordProtection.php @@ -31,12 +31,26 @@ class PasswordProtection */ public function handle($request, Closure $next) { + // {nlog($request->headers->all()); + // nlog($request->all()); + $error = [ 'message' => 'Invalid Password', 'errors' => new stdClass, ]; - if( $request->header('X-API-OAUTH-PASSWORD') && strlen($request->header('X-API-OAUTH-PASSWORD')) >=1 ){ + nlog(Cache::get(auth()->user()->hashed_id.'_logged_in')); + nlog($request->header('X-API-OAUTH-PASSWORD')); + + + if (Cache::get(auth()->user()->hashed_id.'_logged_in')) { + + Cache::pull(auth()->user()->hashed_id.'_logged_in'); + Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30)); + + return $next($request); + + }elseif( $request->header('X-API-OAUTH-PASSWORD') && strlen($request->header('X-API-OAUTH-PASSWORD')) >=1){ //user is attempting to reauth with OAuth - check the token value //todo expand this to include all OAuth providers @@ -48,51 +62,36 @@ class PasswordProtection $query = [ 'oauth_user_id' => $google->harvestSubField($user), - 'oauth_provider_id'=> 'google', + 'oauth_provider_id'=> 'google' ]; - /* Cannot allow duplicates! */ - if ($existing_user = MultiDB::hasUser($query)) { + //If OAuth and user also has a password set - check both + if ($existing_user = MultiDB::hasUser($query) && auth()->user()->has_password && Hash::check(auth()->user()->password, $request->header('X-API-PASSWORD'))) { + Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30)); return $next($request); } - } + elseif($existing_user = MultiDB::hasUser($query) && !auth()->uer()->has_password){ - $error = [ - 'message' => 'Access denied', - 'errors' => new stdClass, - ]; + Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30)); + return $next($request); + } + } return response()->json($error, 412); - }elseif ($request->header('X-API-PASSWORD')) { + }elseif ($request->header('X-API-PASSWORD') && Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password)) { - //user is attempting to reauth with regular password - // - if (! Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password)) { - return response()->json($error, 403); - } - - } elseif (Cache::get(auth()->user()->hashed_id.'_logged_in')) { - - Cache::pull(auth()->user()->hashed_id.'_logged_in'); Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30)); return $next($request); } else { - $error = [ - 'message' => 'Access denied', - 'errors' => new stdClass, - ]; - return response()->json($error, 412); } - Cache::add(auth()->user()->email.'_logged_in', Str::random(64), now()->addMinutes(30)); - return $next($request); } } diff --git a/app/Repositories/UserRepository.php b/app/Repositories/UserRepository.php index bf1c96592180..bc47a2b5bafe 100644 --- a/app/Repositories/UserRepository.php +++ b/app/Repositories/UserRepository.php @@ -74,6 +74,10 @@ class UserRepository extends BaseRepository } $user->account_id = $account->id; + + if(strlen($user->password) >=1) + $user->has_password = true; + $user->save(); if (isset($data['company_user'])) {